Requiring client certificate issued by a specific intermediate CA in Apache

Tags: apache-2.2, certificate-authority, mod-ssl, ssl-certificate

I have a CA hierarchy like this:

               Root-CA
          ________|_____________
         |                      |
      TEST-CA             PRODUCTION-CA
    _____|_____             ____|____
   |           |           |         |
TEST-SRV   TEST-CLI    PROD-SRV   PROD-CLI

From the perspective of the production server identified by the PROD-SRV server certificate, how would I set up Apache mod_ssl to require the PROD-CLI client certificate signed by the PRODUCTION-CA and not allow a client with the TEST-CLI certificate signed by the TEST-CA?
Currently I have:

SSLCertificateFile      prod_srv.crt
SSLCertificateKeyFile   prod_srv.pem
SSLCADNRequestFile      prod_ca.crt
SSLCACertificateFile    root_ca.crt

This looks like it is working, because the server asks the browser for the PROD CLI certificate, but if I provide a TEST CLI certificate, a valid certificate path is constructed and a test client is accepted onto the production system.

Best Answer

Look into the SSLRequire directive - the following rule should look at the Issuer field (i.e. the CA certificate) of the certificate presented, pick out the CN, and match it against the name of your PRODUCTION-CA certificate.

SSLRequire %{SSL_CLIENT_I_DN_CN} == "PRODUCTION-CA"
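As an added illustration in Go (written for this edit, not code from the question or the answer), the hierarchy above is built in memory: plain path validation against Root-CA, which is what SSLCACertificateFile root_ca.crt gives you, accepts TEST-CLI and PROD-CLI alike, while the issuer-CN check that the SSLRequire rule expresses rejects TEST-CLI. Certificate names are the page's own; key-usage and EKU extensions are left out of the toy certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert issues a certificate for cn signed by parent (self-signed when parent is nil); errors are ignored for brevity.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // constructed serial, not a real scheme
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// The hierarchy from the question, constructed in memory.
var rootCA, rootKey = mkCert("Root-CA", true, nil, nil)
var testCA, testKey = mkCert("TEST-CA", true, rootCA, rootKey)
var prodCA, prodKey = mkCert("PRODUCTION-CA", true, rootCA, rootKey)
var testCli, _ = mkCert("TEST-CLI", false, testCA, testKey)
var prodCli, _ = mkCert("PROD-CLI", false, prodCA, prodKey)

// chainsToRoot mirrors SSLCACertificateFile root_ca.crt: any path ending at Root-CA verifies.
func chainsToRoot(c *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(rootCA)
	inters.AddCert(testCA)
	inters.AddCert(prodCA)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}

// issuedByProdCA is the extra policy that SSLRequire %{SSL_CLIENT_I_DN_CN} == "PRODUCTION-CA" adds.
func issuedByProdCA(c *x509.Certificate) bool { return c.Issuer.CommonName == "PRODUCTION-CA" }

// acceptClient is what the production vhost should enforce: a valid chain AND the right issuer.
func acceptClient(c *x509.Certificate) bool { return chainsToRoot(c) && issuedByProdCA(c) }
```

Running chainsToRoot on both client certificates returns true, which is the behaviour described in the question; only acceptClient distinguishes PROD-CLI from TEST-CLI.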