Your https vhost could look like:

<VirtualHost TEMPLATE_IP:443>
    ServerName TEMPLATE_SERVERNAME.example.com
    DocumentRoot /export/public
    ErrorLog /usr/apache/logs/www.example.com_error_log
    CustomLog "|/usr/apache/bin/rotatelogs
    RewriteEngine On
    RewriteOptions inherit
    DeflateBufferSize 8096
    DeflateFilterNote ratio
    DeflateMemLevel 9
    <IfModule mod_deflate.c>
        SetOutputFilter DEFLATE
        BrowserMatch ^Mozilla/4 gzip-only-text/html
        BrowserMatch ^Mozilla/4\.0[678] no-gzip
        BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
        # Don't compress images or txt
        SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png|txt|lx2|pdf)$ no-gzip dont-vary
    </IfModule>
    <Directory "/export/public">
        Options FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
    SSLEngine On
    SSLCertificateFile /usr/apache/ssl/certs/www.example.com/server.crt
    SSLCertificateKeyFile /usr/apache/ssl/certs/www.example.com/server.key
    SSLCACertificateFile /usr/apache/ssl/certs/intermediate.crt
</VirtualHost>

-----Original Message-----
From: Tom Browder [mailto:tom.browder@xxxxxxxxx]
Sent: 20 July 2012 03:22
To: users@xxxxxxxxxxxxxxxx
Subject: Re: SSL Cllient Certificate Requirements Question

On Thu, Jul 19, 2012 at 7:34 PM, Daniel Ruggeri <DRuggeri@xxxxxxxxxxx> wrote:
> On 7/19/2012 10:11 AM, Tom Browder wrote:
>> I have a single server with a multiple vhost SSL certificate from a
>> recognized CA. All vhosts are using SSL/TLS successfully and
>> exclusively with HSTS enforcement.
>>
>> I would now like to add SSL client certificates for individual vhost
>> private directory access and plan to do so using a self-generated,
>> self-signed CA certificate (self-CA) set up, with one certificate per
>> authorized user and vhost. My question for my set up is this:
>>
>> Does the client browser have to import anything other than its
>> assigned SSL client certificate? ...
> Since your servers are signed by a known CA, the browsers will only need
> to have a private key/certificate imported to function. In your httpd
> vhost, you will place your self-signed CA certificate (the one that
> signs the client certs) in the file pointed to by SSLCACertificateFile.

Thanks, Daniel!

Best regards,

-Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
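The split described in the thread, as an added example that is not from any poster: a private CA signs one client certificate per user and vhost, the user imports only the resulting .p12, and the server needs only ca.crt (the file SSLCACertificateFile points to). It assumes the openssl CLI; the CA name, user, vhost and file layout are constructed for illustration.

```shell
#!/bin/sh
# Added example: private CA for client certificates.
# All names and paths passed to these functions are constructed sample values.
umask 077   # private keys must not be readable by other users

# make_client_ca DIR: create the self-signed CA that signs client certificates.
# DIR/ca.crt goes to the web server; DIR/ca.key never leaves the signing host.
make_client_ca() {
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Client CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client_cert DIR USER VHOST: one key/certificate pair per user and vhost,
# restricted to TLS client authentication and unable to sign other certificates.
issue_client_cert() {
    dir=$1; name="$2@$3"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/O=$3/CN=$2" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null &&
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
        > "$dir/$name.ext" &&
    openssl x509 -req -sha256 -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$name.ext" -out "$dir/$name.crt" 2>/dev/null
}

# export_for_browser DIR USER VHOST PASSWORD: bundle key and certificate into
# the single PKCS#12 file the user imports into the browser.
export_for_browser() {
    openssl pkcs12 -export -inkey "$1/$2@$3.key" -in "$1/$2@$3.crt" \
        -name "$2@$3" -passout "pass:$4" -out "$1/$2@$3.p12"
}

# cert_trusted CAFILE CERT: succeeds only if CERT chains to a CA in CAFILE
# and is valid for TLS client authentication.
cert_trusted() {
    openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}
```

Running cert_trusted against the CA file before deploying it confirms that certificates issued by any other CA are rejected.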