Authenticating Web visitors with SSL

Opinion
Jul 07, 2003
Apache, Authentication, Enterprise Applications

Our Web sites run on Apache/mod_ssl servers hosted by our ISP. We want to authenticate Web site visitors by using personal digital certificates instead of a basic logon dialog box. Can we configure Apache to require client certificates at the directory level? Can the site then use digital IDs issued by certificate authorities such as RSA Security and Thawte, or do we have to issue personal certificates to our users from our site?

Although performance is better when you place the authentication directives in the server’s main configuration file, Apache with mod_ssl can be configured to look for personal digital certificates at the directory level.

The same AuthConfig override privilege covers both basic authentication and the mod_ssl directives, so if you are able to change basic logon authentication in a directory, you should also be able to require client certificates there. Edit your .htaccess file to include the following three directives:

    SSLRequireSSL
    SSLVerifyClient require
    SSLVerifyDepth 10

This tells Apache to drop non-SSL connections and request client certificates for authenticating SSL requests below the protected directory.

Web site visitors can use personal certificates issued by any certificate authority trusted by your Web server.
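As an added illustration that is not part of the original column, here is the directory-level .htaccess described above together with the server-side trust settings it depends on. The hostname, file paths and issuer name are assumed placeholders, not values from the column.

```apache
# --- httpd.conf, SSL virtual host (assumed paths; not from the column) ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Only client certificates that chain to a CA in this bundle verify.
    # This bundle is what "trusted by your Web server" means in practice:
    # include the RSA Security and Thawte roots and any personal certificate
    # they issued is accepted; include only your own CA and only certificates
    # you issued are accepted.
    SSLCACertificateFile  /etc/ssl/certs/client-ca-bundle.crt

    # .htaccess must be allowed to set authentication and SSL option directives.
    <Directory /var/www/html/protected>
        AllowOverride AuthConfig Options
    </Directory>
</VirtualHost>

# --- /var/www/html/protected/.htaccess (directory level, as in the column) ---
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 10

# Optional tightening: accept certificates from one issuer only, so a visitor
# presenting a certificate from another CA in the bundle is still refused.
# "Example CA Inc" is an assumed issuer organization name.
SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example CA Inc"

# Expose the verified certificate's subject (SSL_CLIENT_S_DN) to the
# application so it can map the certificate to a user account.
SSLOptions +StdEnvVars
```

Because SSLVerifyClient is set per directory here, Apache only learns it needs a client certificate after reading the request and must renegotiate the SSL handshake, which is the performance cost the column mentions when comparing this with the main configuration file.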