I've been investigating this and it works with the Apache SSL option

    SSLVerifyClient optional_no_ca

I have the following virtual host configuration:

    NameVirtualHost *:443
    <VirtualHost *:443>
        SSLEngine on
        SSLOptions +StdEnvVars
        SSLCertificateFile /root/test-https-certificate/test.company.com.crt
        SSLCertificateKeyFile /root/test-https-certificate/research.company.com.key
        SSLCACertificateFile /root/test-https-certificate/sub.class1.server.ca.pem
        SSLCARevocationPath /root/ssl-authentication/crl
        SSLCARevocationFile /root/ssl-authentication/crl/crl.pem
        SSLCADNRequestFile /root/ssl-authentication/client-cert-issuing-ca.crt
        <Directory /var/www/vhosts/test.com/httpsdocs/topsecret>
            SSLRequireSSL
            SSLVerifyClient optional_no_ca
            SSLVerifyDepth 10
        </Directory>
        DocumentRoot /var/www/vhosts/test.com/httpsdocs/topsecret
        ServerName test.company.com
    </VirtualHost>

My problem now is that everyone, with a certificate or not, can access my restricted folder. Reading the documentation for Apache's mod_ssl, I found the SSLRequire option, but how can I implement it? When I use it in my tag it redirects me to the default DocumentRoot of Apache.

And another doubt: from a security point of view, is what I'm doing correct? Having self-signed certificates for clients and one signed by an official entity for the server?
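
One way to enforce the client-certificate check described in the question, as an added example that is not part of the original post: the posted `<Directory>` block beside two stricter variants. It reuses the paths from the post and assumes that `client-cert-issuing-ca.crt` is the CA that signed the client certificates.

```apache
# Added example, not the poster's configuration.
# Assumption: client-cert-issuing-ca.crt is the CA that issued the client
# certificates. A self-signed client certificate has no issuing CA, so it
# only verifies if that certificate itself is in the trusted file.
# Goes inside the existing <VirtualHost *:443> block.
SSLCACertificateFile /root/ssl-authentication/client-cert-issuing-ca.crt
SSLCARevocationFile  /root/ssl-authentication/crl/crl.pem

# As posted (weak): optional_no_ca completes the handshake when the client
# sends no certificate, or one that cannot be verified, and nothing else
# in the block checks the result. Every client gets in.
#<Directory /var/www/vhosts/test.com/httpsdocs/topsecret>
#    SSLRequireSSL
#    SSLVerifyClient optional_no_ca
#    SSLVerifyDepth 10
#</Directory>

# Variant A: mod_ssl rejects the connection unless the client presents a
# certificate that chains to SSLCACertificateFile and is not in the CRL.
<Directory /var/www/vhosts/test.com/httpsdocs/topsecret>
    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth  1
</Directory>

# Variant B (use instead of A, not together with it): keep the permissive
# handshake, then deny with 403 unless verification actually succeeded.
# SSL_CLIENT_VERIFY is one of NONE, SUCCESS, GENEROUS or FAILED:reason;
# GENEROUS is what optional_no_ca reports for a certificate it accepted
# without being able to verify it.
#<Directory /var/www/vhosts/test.com/httpsdocs/topsecret>
#    SSLRequireSSL
#    SSLVerifyClient optional_no_ca
#    SSLVerifyDepth  1
#    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
#</Directory>
```

`SSLRequire` is deprecated in Apache 2.4 in favour of `Require expr`; the variable it tests is the same.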