Client certificate environment variables

Client certificate environment variables are used to access client certificate information when client authentication is enabled. If client authentication is not enabled, references to these values are empty.


Variables

The following table provides a list of client certificate environment variables and their descriptions and values.

| SSL client certificate environment variable | Description | Value |
|---|---|---|
| SSL_CLIENT_C | Contains the client certificate country | String |
| SSL_CLIENT_CERTBODY | Contains the client certificate | This value is the unformatted body of the client certificate, if a certificate was provided by the client |
| SSL_CLIENT_CERTBODYLEN | Contains the length of the client certificate | Integer |
| SSL_CLIENT_CN | Contains the client certificate common name | String |
| SSL_CLIENT_DN | Contains the distinguished name from the client certificate | String |
| SSL_CLIENT_EMAIL | Contains the client certificate e-mail | String |
| SSL_CLIENT_IC | Contains the country name of the client certificate issuer | String |
| SSL_CLIENT_ICN | Contains the common name of the client certificate issuer | String |
| SSL_CLIENT_IDN | Contains the distinguished name of the client certificate issuer | String |
| SSL_CLIENT_IEMAIL | Contains the e-mail address of the client certificate issuer | String |
| SSL_CLIENT_IL | Contains the locality of the client certificate issuer | String |
| SSL_CLIENT_IO | Contains the organization name of the client certificate issuer | String |
| SSL_CLIENT_IOU | Contains the organizational unit name of the client certificate issuer | String |
| SSL_CLIENT_IPC | Contains the postal code of the client certificate issuer | String |
| SSL_CLIENT_IST | Contains the state or province of the client certificate issuer | String |
| SSL_CLIENT_L | Contains the client certificate locality | String |
| SSL_CLIENT_NEWSESSIONID | Indicates whether this session ID is new | String. This value must be TRUE or FALSE. |
| SSL_CLIENT_O | Contains the client certificate organization | String |
| SSL_CLIENT_OU | Contains the client certificate organizational unit | String |
| SSL_CLIENT_PC | Contains the client certificate postal code | String |
| SSL_CLIENT_SERIALNUM | Contains the client certificate serial number | String |
| SSL_CLIENT_SESSIONID | Contains the session ID | String |
| SSL_CLIENT_ST | Contains the client certificate state or province | String |

The following table provides a list of client certificate environment variables related to the Subject Alternative Name (SAN) TLS certificate extension.

| SSL client certificate environment variable | Description | Value |
|---|---|---|
| SSL_CLIENT_SAN_DNSNAME | SAN extension of type DNSNAME | comma-separated list |
| SSL_CLIENT_SAN_IPADDRESS | SAN extension of type IPADDRESS | comma-separated list |
| SSL_CLIENT_SAN_RFC822NAME | SAN extension of type RFC822NAME (email address) | comma-separated list |
| SSL_CLIENT_SAN_URI | SAN extension of type URI | comma-separated list |
| SSL_CLIENT_SAN_DIRECTORYNAME | SAN extension of type DIRECTORYNAME | comma-separated list |
| SSL_CLIENT_SAN_DNSNAME_n | SAN extension of type DNSNAME | string (nth-value of extension, beginning with _0) |
| SSL_CLIENT_SAN_IPADDRESS_n | SAN extension of type IPADDRESS | string (nth-value of extension, beginning with _0) |
| SSL_CLIENT_SAN_RFC822NAME_n | SAN extension of type RFC822NAME (email address) | string (nth-value of extension, beginning with _0) |
| SSL_CLIENT_SAN_URI_n | SAN extension of type URI | string (nth-value of extension, beginning with _0) |
| SSL_CLIENT_SAN_DIRECTORYNAME_n | SAN extension of type DIRECTORYNAME | string (nth-value of extension, beginning with _0) |

For more flexible use of the TLS client certificate SAN values, any Apache directive that accepts an Apache expression can call the list-returning function SSL_CLIENT_SAN, passing the name of one of the SAN types (DNSNAME, IPADDRESS, RFC822NAME, URI, DIRECTORYNAME) as its parameter, as shown:

Require expr "'example.com' -in SSL_CLIENT_SAN('DNSNAME')"

Expressions in Apache HTTP Server: http://publib.boulder.ibm.com/httpserv/manual24/expr.html
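
The following is an added example, not code from this documentation or from IBM. It shows an application-side check that reads the indexed SSL_CLIENT_SAN_DNSNAME_n variables and authorizes on an exact match, instead of searching the comma-separated string, where a lookalike name would also match. It assumes the variables reach the application as a mapping such as os.environ in a CGI program; the function names and sample values are constructed for illustration.

```python
# SAN types listed in the table above.
SAN_TYPES = ("DNSNAME", "IPADDRESS", "RFC822NAME", "URI", "DIRECTORYNAME")


def san_values(environ, san_type):
    """Collect one SAN type from the indexed _0, _1, ... variables."""
    if san_type not in SAN_TYPES:
        raise ValueError("unknown SAN type: %r" % (san_type,))
    values = []
    n = 0
    while True:
        value = environ.get("SSL_CLIENT_SAN_%s_%d" % (san_type, n))
        if not value:  # unset or empty marks the end of the list
            break
        values.append(value)
        n += 1
    return values


def dns_san_allowed(environ, allowed_names):
    """True only if a DNSNAME SAN equals an allowed name (case-insensitive)."""
    allowed = {name.lower() for name in allowed_names}
    presented = {value.lower() for value in san_values(environ, "DNSNAME")}
    return bool(allowed & presented)


# Constructed sample environments (assumption: not captured from a real server).
SAMPLE_OK = {
    "SSL_CLIENT_SAN_DNSNAME": "api.example.com,example.com",
    "SSL_CLIENT_SAN_DNSNAME_0": "api.example.com",
    "SSL_CLIENT_SAN_DNSNAME_1": "example.com",
}
SAMPLE_LOOKALIKE = {
    "SSL_CLIENT_SAN_DNSNAME": "example.com.invalid,notexample.com",
    "SSL_CLIENT_SAN_DNSNAME_0": "example.com.invalid",
    "SSL_CLIENT_SAN_DNSNAME_1": "notexample.com",
}
# Client authentication not enabled: references to the variables are empty.
SAMPLE_NO_CLIENT_AUTH = {}

if __name__ == "__main__":
    samples = (("ok", SAMPLE_OK), ("lookalike", SAMPLE_LOOKALIKE),
               ("no client auth", SAMPLE_NO_CLIENT_AUTH))
    for label, env in samples:
        names = san_values(env, "DNSNAME")
        print(label, names, dns_san_allowed(env, ["example.com"]))
```

Reading the _n variables also avoids splitting the comma-separated form, which cannot be done reliably if a value itself contains a comma.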

