######################################################################
#
# Setting up an Apache website to use signed certificates for client
# authentication.  This works for me, your milage may vary.  
#
########################################################################
#
# Elsewhere in the configuration file, you'll need to set the following
# directives:
#
# This file contains the certificate authority certificates to trust.  I
# have my own private CA certificate here so Apache will accept the client
# certificates being presented by the browswer.
#
SSLCACertificateFile  /etc/httpd/conf/ssl.calist
#
# I also have this log format defined so it will log who refereced what
# page.  It's not critical, but I find it useful.
#
LogFormat "%h %l \"%{SSL_CLIENT_S_DN}x\" %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" sslcombined
#
# The rest is verbatim from my server ... 

# =====================================================================
# A non-secure version of the site

<VirtualHost 66.252.224.242:80>
  ServerName		secure.conman.org
  ServerAdmin		sean@conman.org
  DocumentRoot		/home/spc/web/sites/secure.conman.org/htdocs
  ScriptAlias		/cgi-bin/ /home/spc/web/sites/secure.conman.org/cgi-bin/
  CustomLog		/home/spc/web/logs/secure.conman.org combined
  UseCanonicalName	on

# So I can serve up the CA certificate

  AddType		text/plain .pem

  <Directory /home/spc/web/sites/secure.conman.org/htdocs>
    Options		All
    AllowOverride	None
  </Directory>

</VirtualHost>

# ====================================================================
# The secure version of the site

<VirtualHost 66.252.224.242:443>
  ServerName		secure.conman.org
  ServerAdmin		sean@conman.org
  DocumentRoot		/home/spc/web/sites/secure.conman.org/s-htdocs
  ScriptAlias		/cgi-bin/ /home/spc/web/sites/secure.conman.org/cgi-bin/
  CustomLog		/home/spc/web/logs/s-secure.conman.org sslcombined
  UseCanonicalName	on

# I copied this from the default Apache conf file (modifed slightly to
# disallow SSHv2).  I did this to have everything I needed pretty much in
# one file, instead of having to play around with two files.  It's
# technically not required here ... 

  SSLEngine		on
  SSLCipherSuite	ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:-SSLv2:+EXP
  SSLProtocol		all -SSLv2
  SSLCertificateFile	/home/spc/web/sites/secure.conman.org/server.crt
  SSLCertificateKeyFile	/home/spc/web/sites/secure.conman.org/server.key

  <Files ~ "\.(cgi|shtml|phtml|php3?)$">
  	SSLOptions	+StdEnvVars
  </Files>

# Allow our cgi scripts to have access to information about the SSL
# connection.

  <Directory /home/spc/web/sites/secure.conman.org/cgi-bin>
  	Options		-Indexes
  	SSLOptions	+StdEnvVars
  </Directory>

  <Directory /home/spc/web/sites/secure.conman.org/s-htdocs>
    Options		All
    AllowOverride	None
  </Directory>

# The stuff to protect a directory and require a client certificate to
# access.  Here, I make sure that the Organization is Conman Laboratories
# (i.e. my CA) and that the Organizational Unit is "Clients".  You can
# specify any field from the certificate here.

  <Directory /home/spc/web/sites/secure.conman.org/s-htdocs/library>
    SSLRequireSSL
    SSLRequire	%{SSL_CLIENT_S_DN_O}  eq "Conman Laboratories"	\
            and %{SSL_CLIENT_S_DN_OU} eq "Clients"
    SSLVerifyClient	require
    SSLVerifyDepth	10
  </Directory>

# More stuff copied from the default Apache file

  SetEnvIf	User-Agent	".*MSIE.*" 		\
		nokeepalive ssl-unclean-shutdown	\
		downgrade-1.0 force-response-1.0

</VirtualHost>