Index: docs/manual/mod/mod_ssl.xml
===================================================================
--- docs/manual/mod/mod_ssl.xml	(revision 1657127)
+++ docs/manual/mod/mod_ssl.xml	(working copy)
@@ -86,6 +86,7 @@
 <tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of client's certificate</td></tr>
 <tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>    <td>PEM-encoded client certificate</td></tr>
 <tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
+<tr><td><code>SSL_CLIENT_CERT_RFC4523_CEA</code></td>   <td>string</td>    <td>Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion in RFC4523</td></tr>
 <tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>    <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
 <tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>    <td>The version of the server certificate</td></tr>
 <tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>    <td>The serial of the server certificate</td></tr>
Index: modules/ssl/ssl_engine_vars.c
===================================================================
--- modules/ssl/ssl_engine_vars.c	(revision 1657127)
+++ modules/ssl/ssl_engine_vars.c	(working copy)
@@ -47,6 +47,7 @@
 static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
 static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
 static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
+static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl);
 static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
 static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
 static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
@@ -435,6 +436,9 @@
         sk = SSL_get_peer_cert_chain(ssl);
         result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18);
     }
+    else if (ssl != NULL && strcEQ(var, "CLIENT_CERT_RFC4523_CEA")) {
+        result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl);
+    }
     else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
         result = ssl_var_lookup_ssl_cert_verify(p, c);
     }
@@ -782,6 +786,37 @@
     return result;
 }
 
+static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
+{
+    char *result;
+    X509 *xs;
+
+    ASN1_INTEGER *serialNumber;
+
+    if (!(xs = SSL_get_peer_certificate(ssl))) {
+        return NULL;
+    }
+
+    result = NULL;
+
+    serialNumber = X509_get_serialNumber(xs);
+    if (serialNumber) {
+        X509_NAME *issuer = X509_get_issuer_name(xs);
+        if (issuer) {
+            BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
+            char *decimal = BN_bn2dec(bn);
+            result = apr_pstrcat(p, "{ serialNumber ", decimal,
+                    ", issuer rdnSequence:\"",
+                    SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
+            OPENSSL_free(decimal);
+            BN_free(bn);
+        }
+    }
+
+    X509_free(xs);
+    return result;
+}
+
 static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
 {
     char *result;
Index: modules/ssl/ssl_engine_kernel.c
===================================================================
--- modules/ssl/ssl_engine_kernel.c	(revision 1657127)
+++ modules/ssl/ssl_engine_kernel.c	(working copy)
@@ -1136,6 +1136,7 @@
     "SSL_CLIENT_I_DN",
     "SSL_CLIENT_A_KEY",
     "SSL_CLIENT_A_SIG",
+    "SSL_CLIENT_CERT_RFC4523_CEA",
     "SSL_SERVER_M_VERSION",
     "SSL_SERVER_M_SERIAL",
     "SSL_SERVER_V_START",