Enabling SSL Client Certificates on Apache

The following is a recipe to configure an Apache Web Server to accept and read self-signed SSL client certificates.
This is one of the steps to implement the FOAF + SSL protocol as outlined by Henry Story.

The starting assumption of this recipe is that your Apache server has SSL installed and working.
If not, the instructions are here: http://www.apache-ssl.org/


You will need editing rights on your httpd.conf. Here are the changes we made in order to get things working:
<Directory />
   SSLVerifyClient optional_no_ca
   SSLVerifyDepth 1
</Directory>
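Note: SSLCACertificateFile is not set, so self-signed certificates are not checked against the trusted CAs configured on the server. With optional_no_ca Apache accepts any client certificate the browser presents, so the certificate on its own does not authenticate anyone; the application has to verify the identity it claims.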

SSLOptions +StdEnvVars
SSLOptions +ExportCertData

The following code should be able to print out diagnostic information:
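<?php
print_r($_SERVER);  // includes the SSL_* variables set by +StdEnvVars
// SSL_CLIENT_CERT holds the PEM client certificate (needs +ExportCertData)
print_r(openssl_x509_parse($_SERVER['SSL_CLIENT_CERT']));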
An example can be seen here: https://foaf.me/testSSL.php
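
Because optional_no_ca makes Apache accept any certificate, the application should read the exported certificate as an unverified claim and cope with requests that carry no certificate at all. The PHP below is an added example, not code from the original page: the function name client_cert_claims, its return shape and the example.org URI are assumptions, and the sample certificate is constructed at run time.

```php
<?php
// Added example: function name and return shape are hypothetical.
// A certificate accepted under optional_no_ca is an unverified claim.
function client_cert_claims(array $server): ?array
{
    // Verification is optional, so the client may send no certificate.
    if (empty($server['SSL_CLIENT_CERT'])) {
        return null;
    }
    $pem = $server['SSL_CLIENT_CERT'];
    $parsed = openssl_x509_parse($pem);
    $pub = openssl_pkey_get_public($pem);
    if ($parsed === false || $pub === false) {
        return null; // not a parsable PEM certificate
    }
    // subjectAltName is rendered as "URI:https://..., DNS:..."; keep the URIs.
    $uris = [];
    foreach (explode(',', $parsed['extensions']['subjectAltName'] ?? '') as $entry) {
        $entry = trim($entry);
        if (strncmp($entry, 'URI:', 4) === 0) {
            $uris[] = substr($entry, 4);
        }
    }
    $rsa = openssl_pkey_get_details($pub)['rsa'] ?? null;
    $verify = $server['SSL_CLIENT_VERIFY'] ?? 'NONE';
    return [
        'verify' => $verify,                    // NONE, SUCCESS, GENEROUS or FAILED:reason
        'ca_verified' => $verify === 'SUCCESS', // true only if Apache verified the chain
        'claimed_uris' => $uris,
        'rsa_modulus_hex' => $rsa ? bin2hex($rsa['n']) : null,
        'rsa_exponent' => $rsa ? hexdec(bin2hex($rsa['e'])) : null,
    ];
}

// Constructed sample input: a throwaway self-signed certificate with a URI SAN.
$cnf = tempnam(sys_get_temp_dir(), 'cnf');
file_put_contents($cnf, "[req]\ndistinguished_name=dn\n[dn]\n[ext]\n"
    . "subjectAltName=URI:https://example.org/people/alice\n");
$opts = ['config' => $cnf, 'x509_extensions' => 'ext', 'digest_alg' => 'sha256'];
$key = openssl_pkey_new(['private_key_bits' => 2048] + $opts);
$csr = openssl_csr_new(['commonName' => 'alice'], $key, $opts);
openssl_x509_export(openssl_csr_sign($csr, null, $key, 1, $opts), $pem);
unlink($cnf);

print_r(client_cert_claims(['SSL_CLIENT_CERT' => $pem, 'SSL_CLIENT_VERIFY' => 'GENEROUS']));
var_dump(client_cert_claims([])); // no certificate presented
```

In a real request the array passed in is $_SERVER; a 'verify' value of GENEROUS is what mod_ssl reports when optional_no_ca let an unverifiable certificate through.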


If you wish to exclude specific files on your web server from requesting a Client Certificate, add the following to the .htaccess file in the appropriate directory.
<Files filename>
   SSLVerifyClient none
</Files>