While it's certainly possible to configure client-side certificate authentication on Apache using the built-in SSL module alone, it's much easier if you use the Apache modules developed for the scripts.mit.edu project.
If you're using Ubuntu, Evan Broder has packaged the scripts.mit.edu modules for all current Ubuntu releases (through 11.x) in a PPA.
The PPA homepage includes instructions on how to install the PPA on your system, but if you're on Ubuntu Karmic or later, you can just run:
# add-apt-repository ppa:broder/scripts-http-mods ; apt-get update
Once you've installed the PPA, you want to install the libapache2-mod-auth-sslcert and libapache2-mod-authz-afsgroup packages.
# aptitude install libapache2-mod-auth-sslcert libapache2-mod-authz-afsgroup
You'll also need a working AFS client and the Athena client certificate CA. Both of these can be most easily configured by installing Debathena. You can install any Debathena flavor you'd like, but
debathena-standard flavor should include everything you need.
In addition to the standard Apache directives needed to enable SSL, you'll need a few more before the Apache modules work as they do on scripts. Add the following directives to each vhost that will be using SSL client-side certificate authentication:
SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem <Location /> AuthSSLCertVar SSL_CLIENT_S_DN_Email AuthSSLCertStripSuffix "@MIT.EDU" </Location>
You also need to require certificate authentication. You can either use
SSLVerifyClient require or
SSLVerifyClient require has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with
SSLVerifyClient optional set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets
You'll also need to enable the Apache modules.
# a2enmod auth_sslcert # a2enmod authz_afsgroup
Once you've done that, the instructions in the scripts.mit.edu FAQ on configuring certificate access through
.htaccess files should work.