Requiring a client certificate

If you want to secure your web site you can configure your apache2 server to require a client certificate. You do this by adding the following to options to the ssl host configuration:

SSLCACertificateFile /etc/ssl/private/CAcert.pem

SSLVerifyClient require
SSLVerifyDepth 10

To create a client certificate use the following commands

openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr

The create client.csr file has to be signd by your CA with the following command:

openssl x509 -req -days 365 -CA private/CAcert.pem -CAkey private/CAkey.pem -CAcreateserial -in client.csr -out client.crt

To create a PKCS#12 document from the client private key and the signed certificate:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

The client.p12 file has to be imported by a browser to a access your server.