httpd-users mailing list archives

From Felipe Pereira <>
Subject [users@httpd] Re: Access control by root CA of the client certificate
Date Sun, 25 Jun 2017 23:20:08 GMT

 formatting, I'm sorry.

In our reverse proxy, we have a virtual host serving more than one Location.

Both locations require a client certificate. SSLCACertificateFile includes
all root CAs trusted by both locations.

So, in Location2 I would like to allow access only to certificates where
the chain is:

        \_ ROOT_CA (issuer's Issuer)  <-- can I access this with SSLRequire?

QUESTION: is there a way to control access by the root CA that is on top of
the chain?

I tried SSLRequire but it seems I can't access the root cert, only the
client cert and the intermediate (issuer) using SSL_CLIENT_I_DN.

I tried to use CustomLog and show %{SSL_CLIENT_CHAIN_1} and _2 but only the
intermediate is logged in _1, nothing is logged in _2.

It seems the only way to do this is splitting location2 off to another virtual
host where I trust only the required root CA using SSLCACertificateFile. We would
prefer to avoid that; we don't want to change the web service endpoint
(both locations are web services).

Here's what I was trying:

  # bundle.crt holds every root CA trusted by either location
  SSLCACertificateFile bundle.crt
  SSLVerifyClient require
  SSLVerifyDepth 3
  <Location /location1>
  </Location>
  <Location /location2>
     SSLVerifyClient require
     # intended: only accept chains anchored at root1.pem
     SSLRequire %{SSL_CLIENT_CERT_CHAIN_1} == file("root1.pem")
  </Location>

I appreciate any help,
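The SSLRequire rule above compares the PEM text of one chain element byte-for-byte against file("root1.pem"). As an added example (not the poster's code nor anything from the Apache project), the Python below splits a bundle like bundle.crt into its certificates and compares entries by SHA-256 fingerprint of the DER bytes, so PEM line width or line endings cannot cause a false mismatch, and it shows that a chain carrying only the intermediate never matches a root fingerprint, because the root has to be taken from the server's own trust bundle rather than from what the client sends. All certificate bytes are constructed stand-ins, not real X.509 data.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def make_pem(der: bytes, width: int = 64, eol: str = "\n") -> str:
    """Frame DER bytes as PEM with a chosen line width and line ending."""
    lines = textwrap.wrap(base64.b64encode(der).decode(), width)
    return eol.join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]) + eol

def split_bundle(pem_text: str) -> list:
    """Individual certificate blocks of a concatenated bundle such as bundle.crt."""
    return [m.group(0) for m in PEM_RE.finditer(pem_text)]

def pem_to_der(pem: str) -> bytes:
    """Strip PEM framing and all whitespace, returning the raw DER bytes."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def fingerprint(pem: str) -> str:
    """SHA-256 over DER: line width, CRLF or a trailing newline cannot change it."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def chain_matches_allowed(chain_pems, allowed_pems) -> int:
    """Index of the first chain element whose fingerprint is allow-listed, else -1."""
    allowed = {fingerprint(p) for p in allowed_pems}
    for i, pem in enumerate(chain_pems):
        if fingerprint(pem) in allowed:
            return i
    return -1

# Constructed stand-ins for certificate DER (not parseable X.509; offline demo only).
ROOT1_DER = b"constructed-root-ca-1-der-" * 4
ROOT2_DER = b"constructed-root-ca-2-der-" * 4
INTERMEDIATE_DER = b"constructed-intermediate-der-" * 4
root1_file = make_pem(ROOT1_DER)                    # what file("root1.pem") would read
bundle = make_pem(ROOT1_DER) + make_pem(ROOT2_DER)  # stands in for bundle.crt
# The same root bytes rendered with a different line width and CRLF line endings:
root1_rewrapped = make_pem(ROOT1_DER, width=76, eol="\r\n")
# A client-sent chain (leaf omitted): the intermediate only, no root certificate.
sent_chain = [make_pem(INTERMEDIATE_DER)]

if __name__ == "__main__":
    print("text equal:", root1_rewrapped == root1_file, "fingerprint equal:", fingerprint(root1_rewrapped) == fingerprint(root1_file))
    print("root position in sent chain:", chain_matches_allowed(sent_chain, [root1_file]))
```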
