Choosing the level of client authentication

If you enable client authentication, the server validates clients by requesting a certificate from the client and verifying that is signed by a trusted certificate authority (CA) root certificate in the server key database.


About this task

For each virtual host, choose the level of client authentication:


Procedure

  1. Specify one of the following values in the configuration file on the SSLClientAuth directive, for each virtual host stanza . A virtual host stanza represents a section of the configuration file that applies to one virtual host.

    Value Description
    None The server requests no client certificate from the client.
    Optional The server requests, but does not require, a client certificate. If presented, the client certificate must prove valid.
    Required The server requires a valid certificate from all clients, returning a 403 status code if no certificate is present.
    Required_reset The server requires a valid certificate from all clients, and if no certificate is available, the server sends an SSL alert to the client. This enables the client to understand that the SSL failure is client-certificate related, and will cause browsers to re-prompt for client certificate information on subsequent access.

    For example, SSLClientAuth required.

    To use a certificate revocation list (CRL), add crl, as a second argument for SSLClientAuth. For example: SSLClientAuth required crl.

  2. Save the configuration file and restart the server.