While it's certainly possible to configure client-side certificate authentication on Apache using the built-in SSL module alone, it's much easier if you use the Apache modules developed for the scripts.mit.edu project.
If you're using Ubuntu, Evan Broder has packaged the scripts.mit.edu modules for all current Ubuntu releases (through 11.x) in a PPA.
The PPA homepage includes instructions on how to install the PPA on your system, but if you're on Ubuntu Karmic or later, you can just run:
# add-apt-repository ppa:broder/scripts-http-mods ; apt-get update
Once you've installed the PPA, you want to install the libapache2-mod-auth-sslcert and libapache2-mod-authz-afsgroup packages.
# aptitude install libapache2-mod-auth-sslcert libapache2-mod-authz-afsgroup
You'll also need a working AFS client and the Athena client certificate CA. Both of these can be most easily configured by installing Debathena. You can install any Debathena flavor you'd like, but the debathena-standard flavor should include everything you need.
In addition to the standard Apache directives needed to enable SSL, you'll need a few more before the Apache modules work as they do on scripts. Add the following directives to each vhost that will be using SSL client-side certificate authentication:
SSLCACertificateFile /etc/ssl/certs/mitCAclient.pem
<Location />
AuthSSLCertVar SSL_CLIENT_S_DN_Email
AuthSSLCertStripSuffix "@MIT.EDU"
</Location>
You also need to require certificate authentication. You can use either SSLVerifyClient require or SSLVerifyClient optional. SSLVerifyClient require has the downside that, if visitors don't have client-side certificates, they'll get an obscure OpenSSL error. However, Safari will not present certificates to a site with SSLVerifyClient optional set unless the user sets up an Identity Preference. For reference, scripts.mit.edu sets SSLVerifyClient optional.
You'll also need to enable the Apache modules.
# a2enmod auth_sslcert
# a2enmod authz_afsgroup
Once you've done that, the instructions in the scripts.mit.edu FAQ on configuring certificate access through .htaccess files should work.
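Putting the vhost directives above together with a per-directory .htaccess, here is an added example that is not part of the original page or of the scripts.mit.edu project. The hostname, certificate and document paths, the AuthType SSLCert name, the Require user / Require afsgroup syntax and the AFS group name are all assumptions about how mod_auth_sslcert and mod_authz_afsgroup are driven; check them against the scripts.mit.edu FAQ before relying on them.

```apache
# /etc/apache2/sites-available/example-ssl
# Added example; hostname and file paths are assumptions.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    # Server certificate and key (assumed paths)
    SSLCertificateFile    /etc/ssl/certs/www.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # CA that issued the client certificates (the Athena client CA
    # installed by Debathena); only certs chaining to it are accepted
    SSLCACertificateFile  /etc/ssl/certs/mitCAclient.pem

    # "optional" avoids the obscure OpenSSL error for visitors without a
    # certificate; Safari users then need an Identity Preference before
    # their certificate is sent at all
    SSLVerifyClient optional

    <Location />
        # Username comes from the certificate's e-mail field with the
        # realm suffix removed, so jdoe@MIT.EDU becomes jdoe
        AuthSSLCertVar SSL_CLIENT_S_DN_Email
        AuthSSLCertStripSuffix "@MIT.EDU"
    </Location>

    # Assumed document root; AuthConfig lets .htaccess files set
    # authentication requirements per directory
    DocumentRoot /var/www/example
    <Directory /var/www/example>
        AllowOverride AuthConfig
    </Directory>
</VirtualHost>

# /var/www/example/private/.htaccess
# Added example; AuthType name, Require syntax and the group name are
# assumptions about mod_auth_sslcert and mod_authz_afsgroup.
AuthType SSLCert
AuthName "MIT certificate required"
# Allow exactly these Athena usernames (the stripped e-mail local part) ...
Require user jdoe jsmith
# ... or any member of this AFS group, resolved through the AFS client
Require afsgroup system:example-admins
```

Visitors who present no certificate under SSLVerifyClient optional reach the .htaccess-protected directory with no username and are refused by the auth modules rather than by OpenSSL.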