In our reverse proxy, we have a virtual host serving
more than one Location.
Both locations require client cert
ificate
.
SSLCACertificateFile includes all root CAs trusted by both locations.
So,
in Location2 I would like to allow access only to
certificates where
the chain is:
CLIENT_CERT
\_
INTERMEDIATE_CERT (Issuer) \_
ROOT_CA (issuer's I
ssuer) <-- can I access this with SSLRequire?
QUESTION:
is
there a way to
control access by the root CA that is on top of the chain?
I tried SSLRequire but it seems I can't access the root cert, only the client cert and the intermediate (issuer)
using SSL_CLIENT_I_DN
.
I tried to
use CustomLog and show
%{
SSL_CLIENT_CHAIN_1
}
and
_
2 but only the intermediate is logged in _1, nothing is logged in _2.
It seems
the only way
to do this is splitting
location2 to another virtual host where I trust only the required root CA
using SSLCACertificateFile
.
But w
e would prefer to avoid that
, we don't want to change the web service endpoint (both locations are web services)
.
Here's what I was trying:
<VirtualHost ws.my.domain>
SSLCACertificateFile bundle.crt
<Location /location1>
<Location /location2>
SSLRequire %{SSL_CLIENT_CERT_CHAIN_
1
} == file("root1.pem")
...
</Location>
</VirtualHost>
Thanks in advance for any help,
Felipe
