I'm currently playing around with PKI auth on my Apache2 server and I was just wondering if there is a quick/easy way to add/remove users from the SSLRequire line? Right now I have something like this:

```apache
<Directory />
        Options FollowSymlinks
        AllowOverride None
        SSLRequireSSL
        SSLRequire %{SSL_CLIENT_S_DN_CN} =~ m/(user1|user2|....|userN)$/ and %{SSL_CLIENT_S_DN_OU} eq "MY-OU"
</Directory>
```

As you can probably guess, editing this file every time a user needs to be added or removed can be pretty tedious. Is there a simpler way to go about this?

tparrott
  • I haven't used this particular feature, but would putting the users in groups work for you? Something like `%{SSL_CLIENT_S_DN_OU} in {"group1","group2",...,"groupN"}` ... ? See example under SSLRequire: http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslrequire – KM. May 14 '14 at 15:40
  • Is this possible to do if you don't have control over the CA issuing the certs? – tparrott May 14 '14 at 16:16
  • I'm not certain. What is your concern with the cert issuing CA? Also, in this case would `%{SSL_CLIENT_S_DN_OU} eq "MY-OU"` be sufficient or are you looking to lock things down further by user? – KM. May 14 '14 at 19:43

0 Answers
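
One way to avoid hand-editing the expression in the question, as an added example that is not part of the original post or its comments: a Python script that builds the `SSLRequire` line from a one-per-line user list. The list format, the function names and the allowed-character rule are assumptions; unlike the line in the question, the generated regex is anchored with both `^` and `$`, so only whole CNs match.

```python
import re

# Assumption: CNs are simple account names; anything else is rejected
# rather than escaped, so no entry can alter the generated expression.
CN_OK = re.compile(r"[A-Za-z0-9._-]+")
OU_OK = re.compile(r"[A-Za-z0-9 ._-]+")


def parse_user_list(text):
    """Return unique CNs from a one-per-line list; '#' starts a comment."""
    users = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        cn = raw.split("#", 1)[0].strip()
        if not cn:
            continue
        if not CN_OK.fullmatch(cn):
            raise ValueError(f"line {lineno}: unsupported CN {cn!r}")
        if cn not in users:
            users.append(cn)
    return users


def build_sslrequire(users, ou):
    """Build the SSLRequire line for the given CNs and OU."""
    if not users:
        # An empty group would produce m/^()$/, which is never intended.
        raise ValueError("refusing to generate an empty user list")
    if not OU_OK.fullmatch(ou):
        raise ValueError(f"unsupported OU {ou!r}")
    # '.' is the only regex metacharacter CN_OK lets through.
    alternatives = "|".join(cn.replace(".", r"\.") for cn in users)
    return (
        f"SSLRequire %{{SSL_CLIENT_S_DN_CN}} =~ m/^({alternatives})$/ "
        f'and %{{SSL_CLIENT_S_DN_OU}} eq "{ou}"'
    )


# Constructed sample list, not taken from the page.
SAMPLE = """\
# staff
alice
bob.smith   # contractor
alice
"""

if __name__ == "__main__":
    print(build_sslrequire(parse_user_list(SAMPLE), "MY-OU"))
```

The output can be written to a separate file that the `<Directory>` block pulls in with `Include`, so that adding or removing a user means editing the list, regenerating the file and reloading the server.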