[Macpartners] setting up PHP authentication via client certificates

Jonathan Reed jdreed at MIT.EDU
Fri Apr 6 12:40:44 EDT 2007


The MIT CA from the certificates page cannot be used to verify client
certificates.  You'll need mitCAclient.pem from /mit/apache-ssl/certificates/.
That should be used as the SSLCACertificateFile.

You'll also need to tell mod_ssl to export the environment  
variables.  I believe the syntax is:

SSLOptions +StdEnvVars

Note that it does take some server overhead to populate those
variables, so you'll only want to enable that for the specific
Directory that the scripts reside in.

-Jon


On Apr 6, 2007, at 12:33 PM, Josh Aresty wrote:

> Hi all,
>   I was wondering if anyone here can point me to a good reference  
> on how to configure Apache, OpenSSL, and client certificates at MIT.
>
> I've been to http://web.mit.edu/apache-ssl/www/README.certificate   
> and to
> http://nazzim.mit.edu/developers/article.php?story=20051221094844208
>
> and while I have been able to get mod_ssl up and running using the  
> OS X server certificates interface, phpinfo() still does not show  
> the SSL_DN_Client_Email or other SSL variables I would expect to  
> see.  I don't completely understand how certificates work, and I  
> prefer to use the OS X server interfaces for Apache because OS X  
> server has a quirky way of choosing how to organize sites (and that  
> makes me nervous to move things around too much).
>
> The section of the apache configuration that seems to be concerned  
> with this says:
>
>         <IfModule mod_ssl.c>
>                 SSLEngine On
>                 SSLLog "/var/log/httpd/ssl_engine_log"
>                 SSLCertificateFile "/System/Library/OpenSSL/certs/dev-llarc.pem"
>                 SSLCertificateKeyFile "/System/Library/OpenSSL/private/server_key.pem"
>                 SSLCipherSuite "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:!SSLv2:+EXP:+eNULL"
>                 SSLCACertificateFile "/System/Library/OpenSSL/certs/mitca.crt"
>                 SSLCertificateChainFile "/System/Library/OpenSSL/certs/mitca.crt"
>         </IfModule>
>
> Can anyone offer me insight?  The dev-llarc file is the file I  
> received after generating the request, and the server_key is the  
> other file that was generated before (and I did not send it to  
> mitcert at mit.edu). mitca.crt is from the MIT certificates page.
>
> I would also appreciate chatting on the phone, or in person if you  
> have the time.  Thanks.
>
> Best,
> ~Joshua Aresty
> MIT LLARC Programmer/Analyst
> 3-4598
>

Jonathan Reed
Client Support Services
Information Services & Technology
Massachusetts Institute of Technology
jdreed at mit.edu
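As an added example (not code from either message in this thread), here is what the PHP side of the setup Jon describes can look like once mod_ssl is exporting its variables. It assumes the vhost has SSLVerifyClient set to require, SSLCACertificateFile pointing at the client CA bundle (mitCAclient.pem in Jon's reply), and SSLOptions +StdEnvVars inside the Directory holding the script. The variable names used (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_Email, SSL_CLIENT_S_DN_CN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL) are the ones mod_ssl documents; the allowlist address is a constructed placeholder.

```php
<?php
// Added example: gate a PHP page on the client certificate that mod_ssl
// already validated.  Assumed Apache config (not from the thread):
//   SSLVerifyClient require
//   SSLVerifyDepth 2
//   SSLCACertificateFile /path/to/mitCAclient.pem
//   <Directory /path/to/scripts>  SSLOptions +StdEnvVars  </Directory>

/**
 * Return the identity carried by a successfully verified client cert,
 * or null if mod_ssl did not verify one against SSLCACertificateFile.
 */
function client_cert_identity(array $server): ?array
{
    // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
    // FAILED:<reason>.  Only SUCCESS means the chain validated against the
    // configured CA file; with "SSLVerifyClient require" Apache already
    // rejects anything else, so this check is defence in depth.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }

    // The subject DN components are exported one variable per attribute.
    $email = $server['SSL_CLIENT_S_DN_Email'] ?? '';
    if ($email === '') {
        // A verified cert with no e-mail attribute is not usable as a login.
        return null;
    }

    return [
        'email'  => strtolower($email),
        'cn'     => $server['SSL_CLIENT_S_DN_CN'] ?? '',
        'issuer' => $server['SSL_CLIENT_I_DN'] ?? '',
        'serial' => $server['SSL_CLIENT_M_SERIAL'] ?? '',
    ];
}

/**
 * Authorization step, kept separate from authentication: a valid cert
 * proves who the caller is, the allowlist decides whether they may enter.
 */
function is_allowed(array $identity, array $allowlist): bool
{
    return in_array($identity['email'], $allowlist, true);
}

// Constructed placeholder allowlist; in a real deployment load it from
// configuration or a directory lookup.
$allowlist = ['jdoe@example.mit.edu'];

$identity = client_cert_identity($_SERVER);
if ($identity === null) {
    header('HTTP/1.1 403 Forbidden');
    exit('A valid MIT client certificate is required.');
}
if (!is_allowed($identity, $allowlist)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Certificate holder is not authorized for this page.');
}

header('Content-Type: text/html; charset=utf-8');
echo 'Welcome, ' . htmlspecialchars($identity['cn'], ENT_QUOTES, 'UTF-8')
   . ' (' . htmlspecialchars($identity['email'], ENT_QUOTES, 'UTF-8') . ')';
```

If phpinfo() shows no SSL_CLIENT_* variables at all, the first things to check are that SSLOptions +StdEnvVars is in effect for the script's Directory and that SSLVerifyClient is set, since with the default "none" the browser is never asked for a certificate and the variables are never populated.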