Apache - Create and validate client certificates

Creating client certificates

  • Create the client key:
    # openssl genrsa -des3 -out garex.key 1024
  • Create the client request:
    # openssl req -new -key garex.KEY -out garex.CSR
    In the common name (CN) fill in your own name, for example "Martin Allert". For organisational unit you can fill in a department.
  • Sign the client certificate request and generate the certificate:
    # openssl ca -in garex.CSR -cert ../../CA/garexCA.CRT -keyfile \
    ../../CA/garexCA.KEY -out garex.CRT
  • Verify all data has been filled in correctly:
    # openssl x509 -in garex.CRT -text

Validating client certificates

How can I authenticate clients based on certificates if I know all my clients?
If you know all your users (i.e. you have a closed group of users), such as with an intranet, you can use a plain certificate authentication. The only thing you need to do is sign a client certificate with your own CA certificate ca.crt and then verify the client against the certificate.


# a client certificate that signs directly is required
# must be in ca.crt with CA certificate 
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile conf/ssl.crt/ca.crt

How can I authenticate my clients for a certain URL based on certificates, but give anonymous clients to the rest of the server?

To realise this use the per-directory reconfiguration property of http://httpd.apache.org/docs/2.0/mod/mod_ssl.html


SSLVerifyClient none 
SSLCACertificateFile conf/ssl.crt/ca.crt 

<Location /secure/area> 
SSLVerifyClient require 
SSLVerifyDepth 1



Our SSLCheck will examine your website's root and intermediate certificates for correctness and report any potential issues

point up