The Apache settings for ssl.conf should be placed within the <VirtualHost _default_:443> section.
The following three settings, found in the file ssl.conf, are the minimum required to complete client authentication setup with Apache. The file ca-chain.cert.pem holds the PEM-encoded CA certificates that make up your certificate chain (any intermediate CA certificates plus the root CA certificate); Apache accepts a client certificate only if it chains to one of these CAs. SSLVerifyDepth is the maximum number of CA certificates Apache will walk while building that chain; 10 is generous, and lowering it to the actual depth of your chain (2 for a root plus one intermediate) is a simple hardening step.

SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile C:/inforEAM/apache/certificates/ca-chain.cert.pem
If you have web service clients using your application install, set SSLVerifyClient to optional. Even when it is set to optional, no user can log in to the application through a browser without a certificate. Note that with optional, Apache itself accepts connections that present no certificate (SSL_CLIENT_VERIFY is then NONE), so it is the application, not Apache, that enforces the certificate requirement for browser logins.
The next two settings, also found in the file ssl.conf, enable CRL checking for the client certificates. Optionally, append no_crl_for_cert_ok to the SSLCARevocationCheck value (available in httpd 2.4.21 and later) if you do not want validation to fail when no CRL is present for a certificate in the chain: if a CRL is present Apache uses it, and if none is present Apache assumes the certificate is not revoked. For example, "chain no_crl_for_cert_ok". If no_crl_for_cert_ok is not set, a CRL must be available for each certificate in the chain or validation fails. Be aware that the flag also hides a CRL that has gone missing from the bundle, so it should be paired with monitoring of the CRL file itself.
SSLCARevocationCheck chain
SSLCARevocationFile C:/inforEAM/apache/certificates/ca-chain.crl.pem

Keep the following in mind when CRL checking is enabled:
- Apache reads the CRL file at startup and does not download or refresh CRLs. Once a CRL's nextUpdate time has passed, client certificate validation fails until a fresh CRL is installed.
- It is the responsibility of the system administrator to download and refresh the CRLs before they expire. Automate this as a nightly job, or schedule it according to when each CRL expires.
- After the CRL file is replaced, Apache must be restarted (a graceful restart is sufficient) for the new file to take effect.
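A freshness check for the CRL bundle, added here as an example (it is not part of the Infor or Apache documentation): it parses each CRL in a PEM bundle with a minimal standard-library DER walker, reads the issuer, thisUpdate and nextUpdate fields, and reports which CRLs are expired or about to expire, which is the check a nightly refresh job should run before and after replacing the file. The bundle layout and the three sample CRLs (structurally valid, with a dummy signature) are constructed for the example; in production the same dates can be read with openssl crl -noout -nextupdate.

```python
"""Freshness report for Apache's SSLCARevocationFile bundle (added example).
Uses only the standard library so it runs wherever the scheduled job does.
The sample bundle at the bottom is constructed here, not a real CA's CRL."""
import base64
import re
from datetime import datetime, timedelta, timezone

PEM_CRL = re.compile(r"-----BEGIN X509 CRL-----(.*?)-----END X509 CRL-----", re.S)
CN_OID = b"\x55\x04\x03"  # DER encoding of OID 2.5.4.3 (commonName)

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                   # short-form length
        length, pos = first, pos + 2
    else:                              # long-form: low 7 bits give the byte count of the length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def _children(body):
    """Split the body of a constructed DER value into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _tlv(body, pos)
        out.append((tag, val))
    return out

def _time(tag, val):
    """UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...) -> aware datetime."""
    s = val.decode("ascii")
    if tag == 0x17:                    # RFC 5280: 50-99 means 19xx, 00-49 means 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def _issuer_cn(name_body):
    """First commonName in an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    for _, rdn in _children(name_body):
        for _, atv in _children(rdn):
            (_, oid), (_, value) = _children(atv)[:2]
            if oid == CN_OID:
                return value.decode("utf-8")
    return "<no CN>"

def parse_crl_bundle(pem_text):
    """Return [{'issuer', 'this_update', 'next_update'}] for every CRL in a PEM bundle."""
    crls = []
    for b64 in PEM_CRL.findall(pem_text):
        _, crl_body, _ = _tlv(base64.b64decode("".join(b64.split())), 0)
        tbs = _children(_children(crl_body)[0][1])  # fields of TBSCertList
        i = 1 if tbs[0][0] == 0x02 else 0           # optional version INTEGER comes first
        has_next = len(tbs) > i + 3 and tbs[i + 3][0] in (0x17, 0x18)
        crls.append({"issuer": _issuer_cn(tbs[i + 1][1]),  # tbs[i] is the signature AlgorithmIdentifier
                     "this_update": _time(*tbs[i + 2]),
                     "next_update": _time(*tbs[i + 3]) if has_next else None})
    return crls

def crl_report(crls, now, warn_days=3):
    """Classify each CRL as ok, expiring (within warn_days), expired or no-next-update."""
    report = []
    for c in crls:
        nxt = c["next_update"]
        if nxt is None:
            status = "no-next-update"
        elif nxt <= now:
            status = "expired"           # Apache will now reject every client certificate
        elif nxt - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            status = "ok"
        report.append((c["issuer"], status))
    return report

# Constructed sample bundle: structurally valid CRLs carrying a dummy signature.
def _der(tag, body):
    n = len(body)
    hdr = bytes([tag, n]) if n < 0x80 else bytes([tag, 0x81, n]) if n < 0x100 else bytes([tag, 0x82]) + n.to_bytes(2, "big")
    return hdr + body

def make_sample_crl(cn, this_update, next_update):
    utc = lambda d: _der(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))  # sha256WithRSAEncryption
    issuer = _der(0x30, _der(0x31, _der(0x30, _der(0x06, CN_OID) + _der(0x0c, cn.encode()))))
    tbs = _der(0x30, _der(0x02, b"\x01") + alg + issuer + utc(this_update) + utc(next_update))
    crl = _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 32))  # dummy signature BIT STRING
    return f"-----BEGIN X509 CRL-----\n{base64.encodebytes(crl).decode()}-----END X509 CRL-----\n"

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the report is reproducible
SAMPLE_BUNDLE = (make_sample_crl("Example Root CA", NOW - timedelta(days=10), NOW + timedelta(days=20))
                 + make_sample_crl("Example Issuing CA", NOW - timedelta(days=6), NOW + timedelta(days=1))
                 + make_sample_crl("Example Old CA", NOW - timedelta(days=40), NOW - timedelta(days=10)))

if __name__ == "__main__":
    for issuer, status in crl_report(parse_crl_bundle(SAMPLE_BUNDLE), NOW):
        print(f"{issuer}: {status}")
```

Run it against ca-chain.crl.pem with the real clock (datetime.now(timezone.utc)) from the scheduled job and treat any "expiring" or "expired" entry as a reason to fetch a new CRL, re-verify it against the issuing CA with openssl crl -verify before writing it into the bundle, and gracefully restart Apache.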
The next setting, also found in the file ssl.conf, enables OCSP checking for the client certificates. The Apache implementation of OCSP checking is strict: if any certificate in your certificate chain is not set up with an OCSP responder (no OCSP URI in its Authority Information Access extension and no default responder configured), the OCSP check fails. Apache must also be able to reach each responder over HTTP from the server, so allow that outbound traffic through any firewall or proxy.

SSLOCSPEnable on

See https://bz.apache.org/bugzilla/show_bug.cgi?id=62112 for more information on an available bug fix that makes OCSP checking less strict by configuration.
Additionally, see the mod_ssl documentation (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html) for more OCSP configuration options (responder timeouts, a default or override responder) if further customization is needed or you run your own global OCSP responder.
The next setting, found in ssl.conf, passes the client certificate information to the application server. SSLOptions +StdEnvVars exports the SSL_* variables for the request, and mod_headers copies two of them into request headers: SSL_CLIENT_VERIFY (NONE, SUCCESS, GENEROUS or FAILED:reason) and SSL_CLIENT_S_DN (the subject DN of the client certificate). The application should treat SSL_CLIENT_S_DN as an authenticated identity only when SSL_CLIENT_VERIFY is SUCCESS, which matters in particular when SSLVerifyClient is optional.

SSLOptions +StdEnvVars
<IfModule mod_headers.c>
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
</IfModule>
The next setting, found in httpd.conf, must be placed directly above the line that loads ssl.conf (Include conf/ssl.conf). It is a security guard: it strips any SSL_CLIENT_VERIFY or SSL_CLIENT_S_DN headers that arrive from the client, so a request cannot smuggle a forged "SSL_CLIENT_VERIFY: SUCCESS" and subject DN past Apache, and the only values that reach the application server are the ones Apache sets from the TLS session.

<IfModule mod_headers.c>
RequestHeader unset SSL_CLIENT_VERIFY
RequestHeader unset SSL_CLIENT_S_DN
</IfModule>
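A pre-deployment check for the httpd.conf and ssl.conf settings above, written as an added example (it is not tooling from Infor or the Apache project): it reads both files as text and reports whether the unset guard precedes the Include line, whether the _default_:443 virtual host carries the verification, revocation and header-forwarding directives from this page, and whether any revocation checking is enabled at all. The two configuration samples embedded at the bottom are constructed for the example; the directive names and values are the ones used on this page.

```python
"""Pre-deployment check of the httpd.conf and ssl.conf settings described on
this page (added example, not tooling from Infor or the Apache project). It
reads both files as text and reports, with line numbers, what a reviewer would
flag: the RequestHeader unset guard placed after 'Include conf/ssl.conf', a
missing directive in <VirtualHost _default_:443>, or no revocation checking.
The configuration strings at the bottom are constructed samples."""
import re

DIRECTIVE = re.compile(r"^([A-Za-z]+)\s+(.*)$")
SECTION_OPEN = re.compile(r"^<(\w+)\s*([^>]*)>$")
SECTION_CLOSE = re.compile(r"^</\w+>$")

def parse_directives(text):
    """Return [(lineno, name, args, context)]; context is the tuple of enclosing
    sections, e.g. ('VirtualHost _default_:443', 'IfModule mod_headers.c')."""
    stack, out = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2)}".strip())
            continue
        if SECTION_CLOSE.match(line):
            stack.pop()
            continue
        m = DIRECTIVE.match(line)
        if m:
            out.append((lineno, m.group(1), m.group(2).strip(), tuple(stack)))
    return out

def check_httpd_conf(text):
    """The guard stripping client-supplied SSL_CLIENT_* headers must precede the ssl.conf Include."""
    ds = parse_directives(text)
    include_at = next((n for n, name, args, _ in ds
                       if name == "Include" and args.endswith("ssl.conf")), None)
    if include_at is None:
        return ["httpd.conf: no 'Include conf/ssl.conf' line found"]
    findings = []
    for hdr in ("SSL_CLIENT_VERIFY", "SSL_CLIENT_S_DN"):
        unset_at = [n for n, name, args, _ in ds
                    if name == "RequestHeader" and args.split()[:2] == ["unset", hdr]]
        if not unset_at:
            findings.append(f"httpd.conf: missing 'RequestHeader unset {hdr}' guard")
        elif min(unset_at) > include_at:
            findings.append(f"httpd.conf: 'RequestHeader unset {hdr}' at line {min(unset_at)} "
                            f"comes after the ssl.conf Include at line {include_at}")
    return findings

def check_ssl_conf(text):
    """Verification, revocation and header-forwarding directives inside the :443 virtual host."""
    vhost = [(name, args) for _, name, args, ctx in parse_directives(text)
             if ctx and ctx[0] == "VirtualHost _default_:443"]
    first = lambda name: next((a for n, a in vhost if n == name), None)
    findings = []
    if first("SSLVerifyClient") not in ("require", "optional"):
        findings.append("ssl.conf: SSLVerifyClient must be 'require' (or 'optional' for web service clients)")
    for required in ("SSLVerifyDepth", "SSLCACertificateFile"):
        if first(required) is None:
            findings.append(f"ssl.conf: {required} is not set")
    crl_mode = (first("SSLCARevocationCheck") or "none").split()[0]   # 'chain no_crl_for_cert_ok' -> 'chain'
    if crl_mode != "none" and first("SSLCARevocationFile") is None:
        findings.append("ssl.conf: SSLCARevocationCheck is enabled but SSLCARevocationFile is missing")
    if crl_mode == "none" and (first("SSLOCSPEnable") or "off") == "off":
        findings.append("ssl.conf: neither CRL nor OCSP checking is enabled; revoked client certificates would be accepted")
    if "+StdEnvVars" not in (first("SSLOptions") or ""):
        findings.append("ssl.conf: SSLOptions +StdEnvVars is needed to expose SSL_CLIENT_* to RequestHeader")
    for hdr in ("SSL_CLIENT_VERIFY", "SSL_CLIENT_S_DN"):
        if not any(n == "RequestHeader" and a.split()[:2] == ["set", hdr] for n, a in vhost):
            findings.append(f"ssl.conf: 'RequestHeader set {hdr}' is missing")
    return findings

GOOD_SSL_CONF = """\
<VirtualHost _default_:443>
    SSLVerifyClient require
    SSLVerifyDepth 10
    SSLCACertificateFile C:/inforEAM/apache/certificates/ca-chain.cert.pem
    SSLCARevocationCheck chain no_crl_for_cert_ok
    SSLCARevocationFile C:/inforEAM/apache/certificates/ca-chain.crl.pem
    SSLOptions +StdEnvVars
    <IfModule mod_headers.c>
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
        RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
    </IfModule>
</VirtualHost>
"""
GOOD_HTTPD_CONF = """\
<IfModule mod_headers.c>
    RequestHeader unset SSL_CLIENT_VERIFY
    RequestHeader unset SSL_CLIENT_S_DN
</IfModule>
Include conf/ssl.conf
"""
BAD_HTTPD_CONF = "Include conf/ssl.conf\n" + GOOD_HTTPD_CONF.replace("Include conf/ssl.conf\n", "")  # guard after the Include

if __name__ == "__main__":
    for finding in check_httpd_conf(BAD_HTTPD_CONF) + check_ssl_conf(GOOD_SSL_CONF):
        print(finding)
```

Point the two functions at the real files (open(...).read()) as a step in your deployment or change-control process; an empty findings list for both files means the configuration matches what this page prescribes.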