I'm relatively new to the world of SSL and mod_ssl.  I'm trying to
establish several secure intranet sites in our company which will use Client
Certificates for authenticating users.

I've set up the Microsoft Certificate Server as my root Certificate
Authority (CA) for our intranet.  Now I am trying to get Apache set up to
work with it, but I don't have any idea whether I'm taking the right
approach.  I followed the directions to generate a certificate request for
my Apache web server using the 'openssl' command, and I submitted it to the
MS Certificate Server which generated a certificate.  I installed the
certificate and the certificate key on my Apache web server.  Our Apache web
server uses name-based Virtual Hosts (one IP address which gets mapped to
several server names). Each host is defined in the Apache 'httpd.conf' file
within the VirtualHost tags - e.g.:

<VirtualHost 111.111.22.33:80>
    #  General setup for the virtual host
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /apps/websvr/htdocs
        ...
</VirtualHost>

After many tries, I can't seem to get the right configuration to work.  I
would like to restrict access to certain hosts where only a secure (HTTPS)
connection will be allowed, and only clients possessing certificates issued
by my MS Certificate Server will be allowed to gain entry.  Also, there are
some other sites which will allow anonymous access for part of the site, but
certain directories will need to have restricted access (like those I
mentioned in the previous sentence).  I'd appreciate ANY help you can
provide.  Here is the configuration for one of the hosts that isn't working
properly:

## Non-SSL Virtual Host Context
<VirtualHost 111.111.22.33:80>
    #  General setup for the virtual host
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /apps/websvr/htdocs
    ServerName myhost.mydomain.com
    ErrorLog logs/test-error_log
    TransferLog logs/access_log
</VirtualHost>

## SSL Virtual Host Context
<IfDefine SSL>
<VirtualHost 111.111.22.33:443>
    #  General setup for the virtual host
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /apps/websvr/htdocs
    ServerName myhost.mydomain.com
    ErrorLog logs/test-error_log
    TransferLog logs/access_log

    SSLEngine on
    SSLCertificateFile /apps1/websvr2/apache/v1.3.19/conf/ssl.crt/test.crt
    SSLCertificateKeyFile /apps1/websvr2/apache/v1.3.19/conf/ssl.key/test.key
    SSLVerifyClient none

    <Location /test/secure>
        SSLOptions +StrictRequire
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth  10
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "MyCorp Inc"
    </Location>

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    CustomLog /apps1/websvr2/apache/v1.3.19/logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
</IfDefine>


Many Thanks,
Allen
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]

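The following is an added example configuration, not taken from Allen's post or from the mod_ssl project, showing one way to express both cases he describes with Apache 1.3 / mod_ssl: a host that refuses anything but HTTPS with a client certificate issued by the intranet CA, and a second host that is anonymous except under /test/secure. Hostnames, document roots and certificate paths from the post are reused; the CA certificate path (intranet-ca.crt), the second host's name, document root and IP address are assumptions. Two points the posted config does not cover: mod_ssl needs SSLCACertificateFile (the MS Certificate Server root certificate, PEM-encoded) to build and verify a client certificate chain, otherwise SSLVerifyClient require can never succeed; and Apache 1.3 has no SNI, so every SSL host with its own certificate or verification policy needs its own IP:port pair, which is why the second host is given a separate address instead of sharing 111.111.22.33:443. SSLRequire and SSLRequireSSL are per-directory directives, so they sit inside a Location block even when they apply to the whole host, and comments are on their own lines because Apache 1.3 does not accept trailing comments after a directive.

```apache
## Host 1: HTTPS only, client certificate from the intranet CA required
## for everything.  Port 80 serves nothing; it just sends clients to HTTPS.
<VirtualHost 111.111.22.33:80>
    ServerName myhost.mydomain.com
    Redirect permanent / https://myhost.mydomain.com/
</VirtualHost>

<IfDefine SSL>
<VirtualHost 111.111.22.33:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /apps/websvr/htdocs
    ServerName myhost.mydomain.com
    ErrorLog logs/test-error_log
    TransferLog logs/access_log

    SSLEngine on
    SSLCertificateFile    /apps1/websvr2/apache/v1.3.19/conf/ssl.crt/test.crt
    SSLCertificateKeyFile /apps1/websvr2/apache/v1.3.19/conf/ssl.key/test.key

    # Trust anchor for client certificates: the MS Certificate Server root
    # CA certificate in PEM form (assumed path).  If the CA was exported as
    # DER, convert it first:
    #   openssl x509 -inform der -in intranet-ca.cer -out intranet-ca.crt
    # Without this directive mod_ssl cannot verify any client chain.
    SSLCACertificateFile /apps1/websvr2/apache/v1.3.19/conf/ssl.crt/intranet-ca.crt

    # Every request to this host must present a verifiable client cert.
    # Depth 1 means "signed directly by the root above"; raise it only if
    # you introduce subordinate CAs.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location />
        # +StrictRequire: a failed SSLRequire/SSLRequireSSL denies access
        # even if a "Satisfy any" elsewhere would otherwise let it through.
        SSLOptions +StrictRequire
        SSLRequireSSL
        # Chain verification already proves the cert is ours; this also
        # pins the issuer organisation so a second trusted CA added later
        # does not silently widen access.
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "MyCorp Inc"
    </Location>

    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0

    # Log the verification result and the presented subject DN so failed
    # or unexpected certificates can be traced.
    CustomLog /apps1/websvr2/apache/v1.3.19/logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\" \"%r\" %b"
</VirtualHost>

## Host 2 (assumed name, root and IP): anonymous everywhere except
## /test/secure, which needs a client cert from the intranet CA.
## It gets its own IP because Apache 1.3 cannot select an SSL vhost
## by name before the handshake.
<VirtualHost 111.111.22.34:443>
    ServerAdmin [EMAIL PROTECTED]
    DocumentRoot /apps/websvr/htdocs-other
    ServerName otherhost.mydomain.com
    ErrorLog logs/other-error_log
    TransferLog logs/other-access_log

    SSLEngine on
    SSLCertificateFile    /apps1/websvr2/apache/v1.3.19/conf/ssl.crt/other.crt
    SSLCertificateKeyFile /apps1/websvr2/apache/v1.3.19/conf/ssl.key/other.key
    SSLCACertificateFile  /apps1/websvr2/apache/v1.3.19/conf/ssl.crt/intranet-ca.crt

    # Host-wide default: no client certificate requested.
    SSLVerifyClient none

    <Location /test/secure>
        SSLOptions +StrictRequire
        SSLRequireSSL
        # A per-location "require" makes mod_ssl renegotiate and ask for
        # the client certificate only when this path is hit.
        SSLVerifyClient require
        SSLVerifyDepth  1
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "MyCorp Inc"
    </Location>
</VirtualHost>
</IfDefine>
```

After `apachectl configtest`, a quick way to check the issuer string mod_ssl will compare against is `openssl x509 -in client.crt -noout -issuer` on an issued client certificate: the O= component must match "MyCorp Inc" exactly, including case and spacing, or SSLRequire will deny a certificate that otherwise verifies.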