1

I am configuring Apache to use client certificate authentication. When I brows to the site however, it does not ask me for a certificate, unless SSLCACertificateFile is specified. It will then ask for a certificate through the browser. The browser will pop up a box asking me to choose a certificate (it only shows certificates signed by the CA specified by SSLCACertificateFile).

I am using a self signed certificate.

It also does not matter if the certs the 'client' uses is specified in SSLCACertificatePath.

Any helpful advice on why it is acting this way? Is the browser not asking for certificates normal unless SSLCACertificateFile is specified?

<VirtualHost _default_:443>
DocumentRoot "C:/documents"
ServerName server.ip:443
ServerAdmin admin@eample.org
ErrorLog "C:/Apache2.2/logs/error.log"
TransferLog "C:/Apache2.2/logs/access.log"

SSLEngine on
SSLCipherSuite HIGH:MEDIUM

SSLCertificateFile C:/Apache2.2/certs/server.crt

SSLCertificateKeyFile C:/Apache2.2/certs/server.key

SSLCertificateChainFile C:/Apache2.2/certs/ca.crt

SSLCACertificateFile C:/Apache2.2/certs/ca.crt

SSLCACertificatePath C:/Apache2.2/allowed-crts

SSLCARevocationPath C:/Apache2.2/revoked-certs

SSLVerifyClient require
SSLVerifyDepth  2

SSLOptions +ExportCertData +StdEnvVars
<FilesMatch "\.(cgi|shtml|phtml|php)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "C:/Apache2.2/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

BrowserMatch ".*MSIE.*" \
     nokeepalive ssl-unclean-shutdown \
     downgrade-1.0 force-response-1.0

CustomLog "C:/Apache2.2/logs/webservices-ssl_request.log" \
      "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
user779608
  • 13
  • 1
  • 3
  • which browser do you use ? have you tried with another / an older browser ? most recent firefox versions have a nazi politic on SSL certificates – neofutur Nov 24 '14 at 08:37
  • This is normal behavior. The server needs to know which CA's to check the client certificate against. –  Dec 25 '14 at 02:42

3 Answers3

1

What you are saying does make sense, and the doc, while a bit vague, seems to agree.

SSLCACertificateFile

This directive sets the all-in-one file where you can assemble the Certificates of Certification Authorities (CA) whose clients you deal with. These are used for Client Authentication. Such a file is simply the concatenation of the various PEM-encoded Certificate files, in order of preference. This can be used alternatively and/or additionally to SSLCACertificatePath.

Just to clarify, I understand it that SSLCACertificateFile is needed so that the server knows which clients it is allowed to let in the protected area and you would need at least SSLCACertificateFile or SSLCACertificatePath.

chutz
  • 7,888
  • 1
  • 29
  • 59
0

When using self-signed certs, I've found it easier to forgo the CA business and use SSLVerifyClient optional_no_ca combined with SSLRequire:

    DocumentRoot /srv/www/1
ServerName your.server.tld
SSLCertificateFile /etc/apache2/ssl/your.server.tld.crt
SSLCertificateKeyFile /etc/apache2/ssl/your.server.tld.key
SSLEngine on
SSLOptions +StdEnvVars
<Location />
    Order allow,deny
    allow from all

    SSLRequireSSL
    SSLVerifyDepth 1
    SSLVerifyClient optional_no_ca
    SSLRequire (\
        %{SSL_CLIENT_CERT} eq file("/etc/apache2/ssl/validclient.crt")\
    )
</Location>
Cakemox
  • 25,209
  • 6
  • 44
  • 67
0

If you're planning to use self-signed client certificates (which can be sense, but should be done with caution, as they'll eventually need to be verified somehow), you'll need:

  • to get the server to send an empty CA list in its Certificate Request TLS message (so that the browser offers you a choice between all the certs it has, including self-signed ones): this can be done using SSLCADNRequestFile pointing to a file with an empty line;
  • to get the server to accept any cert: this can be done with SSLVerifyClient optional_no_ca.

There are more details in this answer.

Community
  • 1
Bruno
  • 4,099
  • 1
  • 21
  • 37