X-Git-Url: https://sipb.mit.edu/gitweb.cgi/wiki.git/blobdiff_plain/e9e9a06fadb367eba1aea13655a39f630bb2cf1a..b77165053caeeae1ac8b47eec6dff8cf5bbb1bab:/doc/apache-client-certs.mdwn diff --git a/doc/apache-client-certs.mdwn b/doc/apache-client-certs.mdwn index 76fdfcb..6a5311e 100644 --- a/doc/apache-client-certs.mdwn +++ b/doc/apache-client-certs.mdwn @@ -20,13 +20,13 @@ You'll also need a working AFS client and the Athena client certificate CA. Both In addition to the standard Apache directives needed to enable SSL, you'll need a few more before the Apache modules work as they do on scripts. Add the following directives to each vhost that will be using SSL client-side certificate authentication: - SSLCACertificateFile /etc/ssl/clientCAs.pem + SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem AuthSSLCertVar SSL_CLIENT_S_DN_Email AuthSSLCertStripSuffix "@MIT.EDU" -You also need to require certificate authentication. You can either use `SSLVerifyClient required` or `SSLVerifyClient optional`. `SSLVerifyClient required` has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with `SSLVerifyClient optional` set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets `SSLVerifyClient optional`. +You also need to require certificate authentication. You can either use `SSLVerifyClient require` or `SSLVerifyClient optional`. `SSLVerifyClient require` has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with `SSLVerifyClient optional` set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets `SSLVerifyClient optional`. You'll also need to enable the Apache modules.