Validating SSL clients using a list of authorised certificates instead of a Certificate Authority

Posted by Gavin Brown on Server Fault
Published on 2010-04-23T17:41:52Z

Is it possible to configure Apache (or any other SSL-aware server) to only accept connections from clients presenting a certificate from a pre-defined list? These certificates may be signed by any CA (and may be self-signed).

A while back I tried to get client certificate validation working in the EPP system of the domain registry I work for. The EPP protocol spec mandates use of "mutual strong client-server authentication". In practice, this means that both the client and the server must validate the certificate of the other peer in the session.

We created a private certificate authority and asked registrars to submit CSRs, which we then signed. This seemed to us to be the simplest solution, but many of our registrars objected: they were used to obtaining a client certificate from a CA, and submitting that certificate to the registry. So we had to scrap the system. I have been trying to find a way of implementing this system in our server, which is based on the mod_epp module for Apache.
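One way to do what the question asks, as an added example that is not part of the original post or of mod_epp: have the TLS layer require a client certificate and validate its chain (for a self-signed certificate, the certificate itself goes into the trust bundle, since it is its own root), then do the real authorisation after the handshake by matching the SHA-256 fingerprint of the presented certificate against the pre-defined list. All file names, the registrar names and the fingerprint values are assumptions; the DER bytes in the comments are constructed placeholders, not real certificates.

```python
import hashlib
import hmac
import ssl


def normalize_fingerprint(text):
    """Accept 'AB:CD:...' or 'abcd...' and return 64 lowercase hex chars."""
    hexstr = text.replace(":", "").replace(" ", "").lower()
    if len(hexstr) != 64 or any(c not in "0123456789abcdef" for c in hexstr):
        raise ValueError("not a SHA-256 fingerprint: %r" % text)
    return hexstr


def fingerprint_der(der):
    """SHA-256 over the DER encoding (what `openssl x509 -fingerprint -sha256` prints)."""
    return hashlib.sha256(der).hexdigest()


def lookup_client(der, allowlist):
    """Return the registrar whose stored fingerprint matches the presented cert, else None.

    allowlist maps fingerprint strings to registrar names.  Every entry is
    compared in constant time so a non-member learns nothing from timing.
    """
    presented = fingerprint_der(der)
    match = None
    for stored, name in allowlist.items():
        if hmac.compare_digest(normalize_fingerprint(stored), presented):
            match = name
    return match


def make_server_context(server_cert, server_key, trusted_bundle):
    """TLS server context that demands a client certificate (assumed file paths).

    trusted_bundle is a PEM file holding the allowed client certificates
    themselves (a self-signed one verifies as its own root) plus any public
    or private CA that issued a listed certificate.  Passing the handshake
    only proves the chain is valid; lookup_client does the allowlist check.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=trusted_bundle)
    return ctx


def authorise(tls_conn, allowlist):
    """Call on an accepted ssl.SSLSocket; returns the registrar name or closes the socket."""
    name = lookup_client(tls_conn.getpeercert(binary_form=True), allowlist)
    if name is None:
        tls_conn.close()  # chain validated, but the certificate is not on the list
    return name
```

Because the trust bundle may contain public CAs, any certificate those CAs issued will pass the handshake; the fingerprint lookup is what restricts access to the listed certificates.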

© Server Fault or respective owner
