Last message I sent had formatting, I'm sorry.
Hi,
In our reverse proxy, we have a virtual host serving more than one Location.
Both locations require a client certificate. SSLCACertificateFile includes
all root CAs trusted by both locations.
So, in Location2 I would like to allow access only to certificates where
the chain is:
CLIENT_CERT
\_ INTERMEDIATE_CERT (Issuer)
\_ ROOT_CA (issuer's Issuer) <-- can I access this with SSLRequire?
QUESTION: is there a way to control access by the root CA that is on top of
the chain?
I tried SSLRequire but it seems I can't access the root cert, only the
client cert and the intermediate (issuer) using SSL_CLIENT_I_DN.
I tried to use CustomLog and show %{SSL_CLIENT_CHAIN_1} and _2 but only the
intermediate is logged in _1, nothing is logged in _2.
It seems the only way to do this is splitting location2 into another virtual
host where I trust only the required root CA using SSLCACertificateFile. We would
prefer to avoid that: we don't want to change the web service endpoint
(both locations are web services).
Here's what I was trying:
<VirtualHost ws.my.domain>
    SSLEngine on
    # bundle.crt holds every root CA trusted by either location
    SSLCACertificateFile bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth 3
    <Location /location1>
    ...
    </Location>
    <Location /location2>
        SSLVerifyClient require
        # attempt to limit location2 to chains that end at root1
        SSLRequire %{SSL_CLIENT_CERT_CHAIN_1} == file("root1.pem")
    ...
    </Location>
</VirtualHost>
I appreciate
any help,
Felipe
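An added example, not part of Felipe's message, showing one way to tie a single Location to one root without a second virtual host: pin the exact intermediate certificate the client presents, since that intermediate carries a signature from only one root. It assumes a hypothetical file /etc/httpd/ssl/intermediate1.pem written with `openssl x509 -in ... -out` (so its PEM line wrapping matches what mod_ssl emits), and that the client sends its intermediate as the first element of the chain it transmits (SSL_CLIENT_CERT_CHAIN_0; mod_ssl fills these variables from the chain the client sent, not from the server's verified chain). The CustomLog line is there to confirm that index before relying on it.

```apache
<VirtualHost ws.my.domain>
    SSLEngine on
    # All roots trusted by either location; per-Location CA files are
    # not possible, SSLCACertificateFile is server/vhost scope only.
    SSLCACertificateFile bundle.crt
    SSLVerifyClient require
    SSLVerifyDepth 3

    # Log the first two chain elements the client sends, to confirm
    # which index holds the intermediate for this client population.
    LogFormat "%h %{SSL_CLIENT_S_DN}x chain0=[%{SSL_CLIENT_CERT_CHAIN_0}x] chain1=[%{SSL_CLIENT_CERT_CHAIN_1}x]" sslchain
    CustomLog logs/ssl_chain_log sslchain

    <Location /location1>
        # any chain that validates against bundle.crt is accepted here
        SSLVerifyClient require
    </Location>

    <Location /location2>
        SSLVerifyClient require
        # Accept only chains whose intermediate is byte-for-byte the one
        # issued under root1. Comparing the whole PEM (not just the DN)
        # means an intermediate with the same DN issued by another root
        # in bundle.crt does not match. Hypothetical path.
        SSLRequire %{SSL_CLIENT_CERT_CHAIN_0} == file("/etc/httpd/ssl/intermediate1.pem")
    </Location>
</VirtualHost>
```

The comparison is an exact string match, so the pinned file must contain the same PEM encoding mod_ssl produces (standard 64-column base64 with a trailing newline); regenerating it with openssl x509 rather than copying it by hand avoids a silent mismatch. Pinning by SSL_CLIENT_I_DN alone is weaker, because any other root in bundle.crt could issue an intermediate with an identical subject DN. On httpd 2.4 the same variables and file() function are also usable from Require expr if SSLRequire is to be avoided.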