From August 19th 2020, SECTIGO issues SSL certificates with a maximum lifetime of 398 days (13 months) as specified by the CA/Browser consortium. SSL certificates with a longer lifetime must be re-issued annually (free of charge). You'll receive reminders via e-mail. SSL certificates issued before August 19th 2020 remain valid until their planned expiry date. Code Signing & S/MIME certificates are not affected and remain valid until their planned expiry date.

SSL certificate based client authentication / mutual SSL authentication

SSL certificate based client authentication

Settings Apache:

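SSLEngine on
SSLCertificateFile /home/frank/ssl/.b-nm.at.crt
SSLCertificateKeyFile /home/frank/ssl/.b-nm.at.key
# SSLCertificateChainFile is deprecated since Apache 2.4.8; the chain can be appended to SSLCertificateFile instead
SSLCertificateChainFile /home/frank/ssl/RapidSSL_CA_bundle.neu.ct.pem
# Issuer for client certificates: the server certificate itself is used to sign them (see below)
SSLCACertificateFile /home/frank/ssl/.b-nm.at.crt
#SSLVerifyClient require
#SSLVerifyClient optional
# optional_no_ca: a client certificate is requested but does not have to verify against SSLCACertificateFile,
# so the application must check SSL_CLIENT_VERIFY and the certificate itself
SSLVerifyClient optional_no_ca
SSLVerifyDepth 4
# StdEnvVars exports the SSL_* variables, ExportCertData adds SSL_CLIENT_CERT (PEM) to the environment
SSLOptions +StdEnvVars +ExportCertData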

Creating the Client Certificate:

cp /etc/ssl/openssl.cnf ./openssl-for-signing-csrs.cnf
#set countryName_default to "AT" ...
#http://stackoverflow.com/questions/16659197/how-to-sign-a-clients-csr-with-openssl#16675058
#80,82c80,82
#< countryName = match
#< stateOrProvinceName = match
#< organizationName = match
#---
#> countryName = supplied or optional
#> stateOrProvinceName = supplied or optional
#> organizationName = supplied or optional
mkdir -p demoCA/newcerts
touch demoCA/index.txt
echo 1001 > demoCA/serial
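#genrsa takes no digest option and the key size must be the last argument; the digest belongs to the CSR
openssl genrsa -out client.key 4096
openssl req -new -sha256 -key client.key -out client.csr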
openssl ca -cert .b-nm.at.crt -keyfile .b-nm.at.key -out client.crt -in client.csr -config openssl-for-signing-csrs.cnf
openssl pkcs12 -export -inkey client.key -name "Frank" -in client.crt -certfile .b-nm.at.crt -out client.p12


#PHP: ssltest.php
=====================
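<pre><?php
        // Escape the dump: $_SERVER contains client-controlled values (request headers, certificate fields)
        echo htmlspecialchars(print_r($_SERVER, true));
?></pre>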
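
With SSLVerifyClient optional_no_ca Apache also accepts client certificates it cannot verify, so the decision has to be made in PHP. The following is an added example, not part of the original article: it checks SSL_CLIENT_VERIFY and pins the SHA-256 fingerprint of SSL_CLIENT_CERT. The function name, the allowlist and its placeholder fingerprint are assumptions.

```php
<?php
// Added example (not from the original article).
// Hypothetical allowlist: account name => lowercase SHA-256 fingerprint of the
// DER-encoded client certificate. The value below is a constructed placeholder.
const ALLOWED_CLIENT_CERTS = [
    'frank' => '0000000000000000000000000000000000000000000000000000000000000000',
];

/**
 * Returns the account name for the presented client certificate, or null.
 * $server is normally $_SERVER as filled by mod_ssl (+StdEnvVars +ExportCertData).
 */
function authenticate_client_cert(array $server, array $allowed, bool $requireCaVerified): ?string
{
    $verify = $server['SSL_CLIENT_VERIFY'] ?? 'NONE';
    // NONE            = no certificate was sent
    // FAILED:reason   = verification error
    // GENEROUS        = accepted only because of optional_no_ca (chain not verified)
    // SUCCESS         = chain verified against SSLCACertificateFile
    if ($verify !== 'SUCCESS' && ($requireCaVerified || $verify !== 'GENEROUS')) {
        return null;
    }

    // SSL_CLIENT_CERT holds the PEM certificate; fingerprint its DER body.
    $pem = $server['SSL_CLIENT_CERT'] ?? '';
    if (!preg_match('/-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----/s', $pem, $m)) {
        return null;
    }
    $der = base64_decode(preg_replace('/\s+/', '', $m[1]), true);
    if ($der === false || $der === '') {
        return null;
    }

    // The TLS handshake proved possession of the private key, so a pinned
    // fingerprint identifies the client even when the chain is unverified.
    $account = array_search(hash('sha256', $der), $allowed, true);
    return $account === false ? null : (string) $account;
}

$account = authenticate_client_cert($_SERVER, ALLOWED_CLIENT_CERTS, false);
if ($account === null) {
    http_response_code(403);
    exit('Client certificate not accepted');
}
echo 'Authenticated as ' . htmlspecialchars($account);
```

Passing true as the third argument rejects GENEROUS and only accepts certificates that Apache verified against SSLCACertificateFile.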





 
