Apache Configuration

All standard webservers support HTTPS authentication of visitors using a digital certificate. Below are the directives to enable an Apache webserver to request and process a visitor's digital certificate. The Apache Foundation has full documentation on these configurations and directives.

If the webserver already has HTTPS enabled for parts of the site, another virtual host will need to be created to request and process end user digital certificates. For that additional virtual host, these directives enable certificate authentication for the visitor:

SSLEngine on
SSLProtocol All -SSLv2 -SSLv3 -TLSv1
SSLCACertificateFile /etc/pki/tls/certs/PseudoNymPrivateLabelS.pem
SSLVerifyClient  optional
SSLVerifyDepth  10
SSLOptions +StdEnvVars +ExportCertData
SSLOCSPEnable leaf
SSLOCSPDefaultResponder "http://verify.pseudo-nym.com"
SSLOCSPOverrideResponder on
RewriteEngine On
RewriteCond %{SSL:SSL_CLIENT_VERIFY} !^SUCCESS$
RewriteRule (.*) http://www.pseudo-nym.com/content/no-credential [R]

(The 'PseudoNymPrivateLabelS.pem' file, needed as part of this configuration, is available here. It is the first file in the list.)

When a visitor is successfully identified and authenticated with a digital certificate, Apache makes the content of that certificate available via environment variables.  Those environment variables can then be used by the underlying application to perform various functions, including giving access to a specific account.
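
As an added example (not part of the original page or of Apache's own code), the sketch below shows an application mapping the mod_ssl variables SSL_CLIENT_VERIFY and SSL_CLIENT_CERT to an account, re-checking the verification result itself rather than relying only on the redirect rule. It assumes the application runs as WSGI under this virtual host; the ACCOUNTS table, the account name and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib

def cert_fingerprint(pem):
    """SHA-256 hex digest of the DER bytes inside a PEM certificate."""
    lines = [line.strip() for line in pem.splitlines()]
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

# Constructed sample data: placeholder bytes, not a real certificate.
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(b"constructed placeholder certificate").decode()
              + "\n-----END CERTIFICATE-----\n")
# Hypothetical enrollment table: certificate fingerprint -> account name.
ACCOUNTS = {cert_fingerprint(SAMPLE_PEM): "alice"}

def account_for(environ):
    """Return the enrolled account for this request, or None."""
    # Consult only the variable mod_ssl sets. Client-supplied headers arrive
    # under the HTTP_ prefix (e.g. HTTP_SSL_CLIENT_VERIFY) and are ignored.
    # With "SSLVerifyClient optional" the value can also be NONE or FAILED:...
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    pem = environ.get("SSL_CLIENT_CERT")  # exported by +ExportCertData
    if not pem:
        return None
    try:
        # Key on the whole certificate, not on a name field alone.
        return ACCOUNTS.get(cert_fingerprint(pem))
    except ValueError:  # malformed base64 in the PEM body
        return None

def application(environ, start_response):
    """WSGI entry point: 403 unless the certificate maps to an account."""
    account = account_for(environ)
    if account is None:
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"no enrolled client certificate\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("signed in as %s\n" % account).encode()]
```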