SSL – Validating SSL clients using a list of authorised certificates instead of a Certificate Authority

Tags: apache-2.2, mod-ssl, ssl, ssl-certificate

Is it possible to configure Apache (or any other SSL-aware server) to only accept connections from clients presenting a certificate from a pre-defined list? These certificates may be signed by any CA (and may be self-signed).

A while back I tried to get client certificate validation working in the EPP system of the domain registry I work for. The EPP protocol spec mandates use of "mutual strong client-server authentication". In practice, this means that both the client and the server must validate the certificate of the other peer in the session.

We created a private certificate authority and asked registrars to submit CSRs, which we then signed. This seemed to us to be the simplest solution, but many of our registrars objected: they were used to obtaining a client certificate from a CA, and submitting that certificate to the registry. So we had to scrap the system. I have been trying to find a way of implementing this system in our server, which is based on the mod_epp module for Apache.

Best Answer

It may be possible to do with just the core mod_ssl, using SSLRequire. I'm not sure of the exact SSL variable you would want, but something like this should work:

SSLRequire %{SSL_CLIENT_S_DN_UID} in { file("/tmp/list") }

Alternatively, you can map some certificate attribute to the user name that usually comes from HTTP Authentication (.htaccess type restrictions):

.htaccess:

SSLOptions +FakeBasicAuth
SSLUserName SSL_CLIENT_S_DN_CN
AuthGroupFile /tmp/SSL_Groups
Require group my-users

/tmp/SSL_Groups:

my-users: uid=bob,dc=site,dc=com uid=jane,dc=site,dc=com

Again, I'm not 100% on what SSL_CLIENT_S_DN_CN looks like, but you get the point.
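The two lookups in the answer above (a list of authorised certificates, and a group file keyed on a subject attribute) are both plain allowlist checks that sit behind the TLS handshake. The following Python is an added example written for this page, not code from the answer or from mod_ssl; it shows the check itself in a form you can run offline. It pins certificates by SHA-256 fingerprint in the same colon-separated format that `openssl x509 -noout -fingerprint -sha256` prints, which is what "a pre-defined list of certificates" actually means (the exact certificate, regardless of which CA signed it or whether it is self-signed), and separately checks one subject-DN attribute against an allowed set, accepting both the comma-separated DN form shown in the group file and the slash-separated form older mod_ssl releases expose. The certificate bytes, the allowlist file and the DNs are constructed stand-ins, not real certificates.

```python
"""Allowlist checks for client certificates that do not depend on a CA.

Two variants:
  * fingerprint pinning: the exact certificate must be on the list;
  * subject-attribute match: one DN attribute (e.g. UID) must be on the list,
    which is what the SSLRequire / AuthGroupFile approach keys on.
Both read plain text an operator can maintain by hand.
All inputs below are constructed examples, not real certificates.
"""

import base64
import hashlib
import os
import re
import tempfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)

# Constructed stand-in for DER bytes, wrapped as a PEM block so the
# parsing path is exercised. This is NOT a parseable X.509 certificate.
_FAKE_DER = b"constructed: not a real certificate"
CONSTRUCTED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(_FAKE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as 'AB:CD:...', the openssl -fingerprint layout."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise_fp(text: str) -> str:
    """Accept 'AB:CD:..', 'abcd..' or 'SHA256 Fingerprint=AB:CD:..'."""
    text = text.split("=", 1)[-1]
    return text.replace(":", "").strip().upper()


def load_allowlist(path: str) -> set:
    """One fingerprint per line; blank lines and '#' comments are ignored."""
    entries = set()
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            entries.add(normalise_fp(line))
    return entries


def is_authorised(pem: str, allowlist: set) -> bool:
    """True only if this exact certificate is pinned in the allowlist."""
    return normalise_fp(fingerprint(pem_to_der(pem))) in allowlist


def dn_attribute_allowed(dn: str, attr: str, allowed_values: set) -> bool:
    """Subject-attribute variant.

    'dn' is either 'UID=bob,DC=site,DC=com' (comma form, as in the group
    file) or '/DC=com/DC=site/UID=bob' (slash form). Naive splitting is
    assumed here: escaped separators inside values are not handled.
    """
    parts = dn.lstrip("/").split("/") if dn.startswith("/") else dn.split(",")
    for rdn in parts:
        key, _, value = rdn.partition("=")
        if key.strip().upper() == attr.upper() and value.strip() in allowed_values:
            return True
    return False


def demo() -> bool:
    """Write a constructed allowlist file, load it, and check the pinned cert."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("# pinned registrar certificates (constructed example)\n")
        fh.write("SHA256 Fingerprint=" + fingerprint(pem_to_der(CONSTRUCTED_PEM)) + "\n")
        path = fh.name
    try:
        allowed = load_allowlist(path)
    finally:
        os.unlink(path)
    return is_authorised(CONSTRUCTED_PEM, allowed)


if __name__ == "__main__":
    print("pinned certificate accepted:", demo())
    print("UID=bob allowed:", dn_attribute_allowed("UID=bob,DC=site,DC=com", "UID", {"bob", "jane"}))
```

The fingerprint variant is the stricter of the two: rotating a registrar's certificate requires updating the list, but a certificate from an unrelated CA with the same subject string is rejected. The attribute variant behaves like the answer's group file and so inherits its caveat: it only makes sense once the server has already established that the presented certificate is trustworthy, because any certificate issuer can put `uid=bob` in a subject.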