Enabling Client Certificate Authentication

  1. Go to the following directory: cd /etc/apache2/sites-enabled/.
  2. Open openxpki.conf in nano and, in the VirtualHost section for the required host, add SSLVerifyClient require.

    For example, if you are using port 443, modify the VirtualHost section to:

        <VirtualHost *:443>
            SSLVerifyClient require
        </VirtualHost>
  3. Remove the existing SSLVerifyClient optional_no_ca directive.
  4. Save the file, and then type quit to exit from MySQL.
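The following is an added example, not part of the original procedure or of OpenXPKI or Apache: a small Python audit that reads a VirtualHost block and reports which SSLVerifyClient mode it ends up with, flagging optional_no_ca (client certificates are accepted even when they do not chain to a configured CA) and the weaker optional/none settings. The two configuration snippets are constructed for the example and show the block before and after steps 2 and 3; the function only inspects directives inside the VirtualHost body, so a setting inherited from the global server context is not seen (an assumption worth checking separately).

```python
import re

# Constructed sample: the vhost before the change (weak) and after (hardened).
VHOST_BEFORE = """<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient optional_no_ca
</VirtualHost>
"""

VHOST_AFTER = """<VirtualHost *:443>
    SSLEngine on
    SSLVerifyClient require
</VirtualHost>
"""

# Matches each <VirtualHost ...> ... </VirtualHost> block and captures its address spec and body.
VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

# Explanation of each mode Apache's mod_ssl accepts for SSLVerifyClient.
MODE_RISK = {
    "require": None,
    "optional_no_ca": "optional_no_ca accepts client certificates that do not chain to a trusted CA",
    "optional": "optional lets clients connect without presenting any certificate",
    "none": "none never requests a client certificate",
}


def sslverifyclient_settings(config_text):
    """Return {vhost_spec: effective_mode}; mode is None when no directive is present."""
    result = {}
    for m in VHOST_RE.finditer(config_text):
        spec, body = m.group(1).strip(), m.group(2)
        mode = None
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments
            parts = line.split()
            if len(parts) == 2 and parts[0].lower() == "sslverifyclient":
                mode = parts[1].lower()  # Apache applies the last directive in the context
        result[spec] = mode
    return result


def audit(config_text):
    """Return a list of findings; empty means every vhost requires a client certificate."""
    findings = []
    for spec, mode in sslverifyclient_settings(config_text).items():
        if mode is None:
            findings.append(f"{spec}: no SSLVerifyClient directive (mod_ssl default is none)")
        elif mode in MODE_RISK:
            if MODE_RISK[mode]:
                findings.append(f"{spec}: {MODE_RISK[mode]}")
        else:
            findings.append(f"{spec}: unknown SSLVerifyClient value {mode!r}")
    return findings


if __name__ == "__main__":
    print("before:", audit(VHOST_BEFORE))
    print("after: ", audit(VHOST_AFTER))
```

Run it against the real file with audit(open("/etc/apache2/sites-enabled/openxpki.conf").read()) after step 4; an empty list confirms the port-443 host now requires a client certificate.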
  5. Go to the following directory: cd /etc/openxpki/config.d/realm/democa/est.
  6. Open default.yaml and democa.yaml.
    Note: If your EST endpoint uses a different label, edit the YAML file named after that label instead.
  7. Run the following command:

    vi default.yaml

  8. In the authorized_signer section, add the following (replace <client-certificate-CN> with the CN of your client certificate):

        authorized_signer:
          rule2:
            subject: CN=<client-certificate-CN>,.*

    For example, if your client certificate subject name is test123, then add the following in the authorized_signer section:

        authorized_signer:
          rule1:
            # Full DN
            subject: CN=.+:pkiclient,.*
          rule2:
            subject: CN=test123,.*
  9. Save the file, and then type quit to exit MySQL.
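The following is an added example, not part of the original procedure or of OpenXPKI: it mirrors the two authorized_signer rules above as Python regexes and shows which client certificate subject DNs they accept. It assumes, and this is an assumption to confirm against your OpenXPKI version, that a rule's subject pattern must match the whole subject DN string and that rules are tried in the order listed. It also includes a check for rules whose pattern is broad enough to accept an unrelated DN, which is the mistake to avoid when writing rule2.

```python
import re

# Constructed mirror of the authorized_signer section from the page's default.yaml.
AUTHORIZED_SIGNER = {
    "rule1": {"subject": r"CN=.+:pkiclient,.*"},  # Full DN, as in the page's example
    "rule2": {"subject": r"CN=test123,.*"},
}

# Constructed probe DN used to detect rules that accept anything.
UNRELATED_DN = "CN=unrelated-host,O=Some Other Org,C=XX"


def match_signer(subject_dn, rules=AUTHORIZED_SIGNER):
    """Return the name of the first rule whose subject regex matches the whole DN, else None.

    Assumption: OpenXPKI anchors the pattern to the full DN string (hence the ',.*' tail).
    """
    for name, rule in rules.items():
        if re.fullmatch(rule["subject"], subject_dn):
            return name
    return None


def is_overly_broad(pattern):
    """True when the pattern also accepts a DN that has nothing to do with the intended client."""
    return re.fullmatch(pattern, UNRELATED_DN) is not None


def audit_rules(rules=AUTHORIZED_SIGNER):
    """Return the names of rules that would authorize an unrelated certificate subject."""
    return [name for name, rule in rules.items() if is_overly_broad(rule["subject"])]


if __name__ == "__main__":
    for dn in ("CN=test123,O=Example,C=DE", "CN=device42:pkiclient,O=Example",
               "CN=test1234,O=Example", "CN=test123"):
        print(f"{dn!r:45} -> {match_signer(dn)}")
    print("overly broad rules:", audit_rules())
```

Note the two edge cases the output makes visible: CN=test1234 is rejected because the pattern requires a comma right after test123, and a bare CN=test123 with no further components is rejected because the ',.*' tail demands at least one more attribute; write the pattern to fit the DN your client certificates actually carry.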
  10. Restart the OpenXPKI service using openxpkictl restart.
  11. Restart the Apache service using service apache2 restart.