1

I have multiple directories on my system, e.g.,

/var/www/dir1 /var/www/dir2 /var/www/dir3

And what I'd like to do is to generate a server/client SSL certificate for each directory, and then set up each directory such that the client cert must match the server cert in order to access said directory. Now, if someone has the client cert for /var/www/dir2 and they try to access /var/www/dir1, they will be unable to do so since those directories use different certs. Each of these directories is hosted on the same domain (i.e., domain.com/dir1, domain.com/dir2).

Now, the problem I am having is that I am not exactly sure how to accomplish this in Apache. (Also, I don't really care for domain.com to require SSL, but I do want the directories to require it.)

  • Can you clarify your goal with this? It's not possible to have different server certificates on the different directories, unless maybe they're different virtual hosts... but I can't see a reason why changing the client cert per directory would require any change to the server certs, either. – Shane Madden Nov 09 '13 at 07:04
  • Daniel, don't try to add clarifications in the comments; instead, edit them into your question. It preserves the formatting better, as well as helping keep all the information in one place. – MadHatter Nov 09 '13 at 07:19
  • Thanks MadHatter, I have deleted my response and added it to my post instead. – Daniel Amaya Nov 09 '13 at 07:22
  • Ah; it seems like you have not only edited, but answered, the question. I apologise for asking, but if you've found a solution that works for you, is there any chance you could edit it out of the question, add it as an answer, wait a day or two (I think a pause is required), then accept your own answer? That stops the question floating around unanswered for ever. Sorry to get you stuck in edit wars. – MadHatter Nov 09 '13 at 07:23
  • Sorry, Daniel, if I was unclear: not as a **comment**, but as an **answer**. Your question edit suggested that you had found a solution you were happy with. That constitutes an answer to the question. Posting it as such allows the question to be closed by your acceptance of the answer (after a period of time), and the answer can collect upvotes. – MadHatter Nov 09 '13 at 07:45
  • It's not you being unclear, it's me being an idiot and not seeing the big "Answer Your Question" button at the end of the page. Unfortunately, it seems that I am unable to answer my own question until 8 hours after posting it, and I imagine I'd be unable to accept another user's answer as well. Arg. – Daniel Amaya Nov 09 '13 at 07:48

2 Answers

1

My understanding of this was incorrect. I have generated a single server cert, then I generate a client cert for each client. I created an /etc/httpd/clients directory and I store a file for each client in said directory that looks like this:

<Directory /var/www/html/test.com>
  # Send any plain-HTTP request for this directory to its HTTPS equivalent
  RewriteEngine On
  RewriteCond %{HTTPS} !=on
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
  # Demand a client certificate that chains (up to 5 levels) to the trusted CA
  SSLVerifyClient require
  SSLVerifyDepth 5
  # Expose the client DN as a basic-auth username for logging/authz modules
  SSLOptions +FakeBasicAuth
  # Refuse the request outright if it did not arrive over TLS
  SSLRequireSSL
  # Only the certificate whose subject CN is "test.com" may enter this directory
  SSLRequire %{SSL_CLIENT_S_DN_CN} eq "test.com"
</Directory>

Each client now has their own SSL client cert that they can use to access a given directory on the web server.
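The setup the accepted answer relies on, as an added example rather than the poster's own files: a private CA that Apache trusts through SSLCACertificateFile, one client certificate per protected directory, a local check that mirrors the SSLRequire CN test, and a generator for the matching <Directory> block. The working directory, the organisation name, the CN values and the SSLVerifyDepth of 2 are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the original poster's configuration. Paths under $WORK,
# the subject prefix and the CN names are constructed for this demonstration.
set -eu
WORK="${WORK:-$(mktemp -d)}"
SUBJ_BASE="/O=Example Corp"   # constructed subject prefix for every cert

# Private CA that signs each client certificate; point SSLCACertificateFile
# at ca.crt so SSLVerifyClient can validate what the browser presents.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "$SUBJ_BASE/CN=Example Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# One client certificate per directory; the CN is what SSLRequire compares.
make_client_cert() {   # $1 = CN to embed, e.g. "dir1-client"
  openssl req -newkey rsa:2048 -nodes -subj "$SUBJ_BASE/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -days 365 -in "$WORK/$1.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/$1.crt" 2>/dev/null
}

# Read the subject CN back out of a PEM certificate, i.e. the value mod_ssl
# publishes as SSL_CLIENT_S_DN_CN, so the rule can be checked offline.
cert_cn() {   # $1 = path to PEM certificate
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
    sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Mirror of the per-directory rule: succeed only when the certificate chains
# to our CA (SSLVerifyClient) and carries the CN bound to that directory
# (SSLRequire). A dir2 certificate therefore fails the dir1 check.
directory_allows() {   # $1 = certificate path, $2 = CN required by the directory
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1 || return 1
  [ "$(cert_cn "$1")" = "$2" ]
}

# Emit the <Directory> block that binds one path to one client CN.
directory_block() {   # $1 = filesystem path, $2 = required CN
  printf '<Directory %s>\n  SSLRequireSSL\n  SSLVerifyClient require\n' "$1"
  printf '  SSLVerifyDepth 2\n  SSLRequire %%{SSL_CLIENT_S_DN_CN} eq "%s"\n' "$2"
  printf '</Directory>\n'
}
```

Run make_ca once, make_client_cert once per directory, and drop each directory_block output into its own file under the vhost's config; the vhost itself still needs the single server certificate plus SSLCACertificateFile pointing at ca.crt.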

0

SSL certificates are connected to a domain name, but because of the way SSL works, you can only have one per IP address. This is because the SSL handshake asks for the certificate before passing the domain name to the webserver. Thus the webserver cannot apply a different certificate per directory, or indeed domain name. Nor can you purchase or create one!

The best you could do is create a different cert for dir1.example.com, dir2.example.com, etc., then use Apache's URL rewriting to redirect www.example.com/dir1 to dir1.example.com. It would have to be a redirect though, as the certificates won't work otherwise.

AlexW