How to configure Apache to use SSL Client Authentication

apache Apr 21, 2022

SSL Client Authentication is a process by which the server checks a certificate presented by the client before completing the SSL connection. If the client certificate is trusted, the SSL connection is established; otherwise the client is denied access to the website.

This is useful when you want only specific clients or people to access your website while keeping it reachable from the public internet. You can also place the SSL Client Authentication directives inside a Location block so that Apache restricts only specific paths to SSL-authorized users.
Here are the steps to configure this on an Apache server.

Apache installed with the SSL module enabled:

sudo apt install apache2 -y
sudo a2enmod ssl
sudo systemctl restart apache2

Generating the CA and server certificates:

Create the self-signed CA key and certificate (valid for 10 years):

openssl req -newkey rsa:2048 -nodes -keyform PEM -keyout selfsigned-ca.key -x509 -days 3650 -outform PEM -out selfsigned-ca.crt

Create the SSL server's private key:

openssl genrsa -out selfsigned.key 2048

Create the Apache server CSR:

openssl req -new -key selfsigned.key -out selfsigned.csr

Sign the Apache server CSR:

openssl x509 -req -in selfsigned.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key -set_serial 100 -days 365 -outform PEM -out selfsigned.crt

Apache configuration:
Add the lines below to the SSL virtual host in your Apache configuration to test SSL:

SSLCertificateFile "/path/to/selfsigned.crt"
SSLCertificateKeyFile "/path/to/selfsigned.key"

Check that SSL works by opening the website URL in a browser or with curl.

Begin Mutual Authentication:
Add the lines below to the Apache virtual host for which you want to enable SSL Client Authentication:

SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile /path/to/cert/selfsigned-ca.crt

Creating Client Certificates:

Generate the client's private key:

openssl genrsa -out selfsigned-client.key 2048

Create the client CSR:

openssl req -new -key selfsigned-client.key -out selfsigned-client.csr

Sign the client CSR:

openssl x509 -req -in selfsigned-client.csr -CA selfsigned-ca.crt -CAkey selfsigned-ca.key -set_serial 101 -days 365 -outform PEM -out selfsigned-client.crt

Bundle the client's certificate and key into a PKCS#12 (.p12) file:

openssl pkcs12 -export -inkey selfsigned-client.key -in selfsigned-client.crt -out selfsigned-client.p12

Restart Apache to apply the configuration:

sudo systemctl restart apache2

Copy the .p12 file to the client machine and install it. You can either install the certificate for the whole machine or import it only into the specific browser the end user uses.

Now open the website: only clients presenting a certificate signed by your CA (the one configured in SSLCACertificateFile) are allowed to authenticate via SSL and access it.

Use the commands above to generate and sign as many client certificates as needed.
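The whole procedure above, scripted end to end as an added example (not part of the original post): it builds the CA, server and client material non-interactively in one directory and then checks a client certificate against the CA the way Apache's SSLVerifyClient will, so you can catch a certificate issued by the wrong CA before touching the server. The subject names and the PKCS#12 password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: non-interactive version of the
# openssl steps above. Subject names and the .p12 password are placeholders.
set -eu

# Usage: setup_mtls_pki /output/dir
setup_mtls_pki() {
  dir="$1"; mkdir -p "$dir"
  # Self-signed CA: the root of trust that SSLCACertificateFile points to.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Client CA" \
    -keyout "$dir/selfsigned-ca.key" -out "$dir/selfsigned-ca.crt" 2>/dev/null
  # Server key + CSR, signed by the CA (SSLCertificateFile / SSLCertificateKeyFile).
  openssl genrsa -out "$dir/selfsigned.key" 2048 2>/dev/null
  openssl req -new -key "$dir/selfsigned.key" -subj "/CN=www.example.test" \
    -out "$dir/selfsigned.csr" 2>/dev/null
  openssl x509 -req -in "$dir/selfsigned.csr" -CA "$dir/selfsigned-ca.crt" \
    -CAkey "$dir/selfsigned-ca.key" -set_serial 100 -days 365 \
    -out "$dir/selfsigned.crt" 2>/dev/null
  # Client key + CSR, signed by the same CA, then bundled as PKCS#12 for import.
  openssl genrsa -out "$dir/selfsigned-client.key" 2048 2>/dev/null
  openssl req -new -key "$dir/selfsigned-client.key" -subj "/CN=alice" \
    -out "$dir/selfsigned-client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/selfsigned-client.csr" -CA "$dir/selfsigned-ca.crt" \
    -CAkey "$dir/selfsigned-ca.key" -set_serial 101 -days 365 \
    -out "$dir/selfsigned-client.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$dir/selfsigned-client.key" \
    -in "$dir/selfsigned-client.crt" -passout pass:changeit \
    -out "$dir/selfsigned-client.p12"
}

# Usage: check_client_cert ca.crt client.crt
# Exits 0 when the certificate chains to the CA (what "SSLVerifyClient require"
# accepts), non-zero otherwise.
check_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Run `setup_mtls_pki ./pki` and point SSLCertificateFile, SSLCertificateKeyFile and SSLCACertificateFile at the generated files; the .p12 password is the one passed to -passout.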