Re: Access control by root CA of the client certificate


Last message I sent had formatting, I'm sorry.


Hi,
In our reverse proxy, we have a virtual host serving more than one Location.

Both locations require client certificate. SSLCACertificateFile includes all root CAs trusted by both locations.

So, in Location2 I would like to allow access only to certificates where the chain is:

CLIENT_CERT
\_ INTERMEDIATE_CERT (Issuer)
        \_ ROOT_CA (issuer's Issuer)  <-- can I access this with SSLRequire?

QUESTION: is there a way to control access by the root CA that is on top of the chain?

I tried SSLRequire but it seems I can't access the root cert, only the client cert and the intermediate (issuer) using SSL_CLIENT_I_DN.

I tried to use CustomLog and show %{SSL_CLIENT_CHAIN_1} and _2 but only the intermediate is logged in _1, nothing is logged in _2.

It seems the only way to do this is splitting location2 to another virtual host where I trust only the required root CA using SSLCACertificateFile. I would prefer to avoid that, we don't want to change the web service endpoint (both locations are web services).

Here's what I was trying:

<VirtualHost ws.my.domain>
  SSLCACertificateFile bundle.crt
  SSLVerifyClient require
  SSLVerifyDepth 3
  <Location /location1>
...
  </Location>
  <Location /location2>
    SSLVerifyClient require
    SSLRequire %{SSL_CLIENT_CERT_CHAIN_1} == file("root1.pem")
...
  </Location>
</VirtualHost>

I appreciate any help,
Felipe
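As an added illustration (not part of the original post), here is the "separate virtual host" approach the poster mentions written out in full, with one trust store per endpoint. The point it makes: the client normally sends only its own certificate and the intermediate, not the self-signed root, so the root is found in the server's own SSLCACertificateFile rather than in the SSL_CLIENT_CERT_CHAIN_n variables; giving each endpoint its own SSLCACertificateFile is what pins the chain to a specific root. Hostnames, file paths and the DN value are placeholders; the two virtual hosts share a port and are selected by SNI, which is exactly the extra hostname the poster would rather not introduce.

```apache
# Added example, not the poster's configuration. All names are placeholders.

# Endpoint 1: trusts every root CA in the shared bundle.
<VirtualHost *:443>
    ServerName ws.my.domain
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key

    # bundle.crt holds all roots accepted by this endpoint
    SSLCACertificateFile /etc/ssl/bundle.crt
    SSLVerifyClient require
    # depth 0 = client cert, 1 = intermediate, 2 = root; 3 leaves headroom
    SSLVerifyDepth 3

    <Location /location1>
        # any client whose chain verifies against a root in bundle.crt
    </Location>
</VirtualHost>

# Endpoint 2: a second name whose trust store holds ONLY root1.
<VirtualHost *:443>
    ServerName ws2.my.domain
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key

    # Chains that do not terminate at root1.pem fail the handshake here,
    # even though the client never sends root1 itself.
    SSLCACertificateFile /etc/ssl/root1.pem
    SSLVerifyClient require
    SSLVerifyDepth 3

    <Location /location2>
        # Optional extra pin on the issuing intermediate (httpd 2.4 syntax;
        # the DN string below is a placeholder)
        Require expr %{SSL_CLIENT_I_DN} == "CN=Intermediate CA,O=Example"
    </Location>
</VirtualHost>
```

The `Require expr` line is the httpd 2.4 replacement for SSLRequire and only narrows to an intermediate by name; the root-level restriction comes from the per-host trust store, since verification is anchored there rather than in anything the client presents.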
