The following shows how to configure the Apache web server (httpd) so that a given location can only be reached with one of the internal X.509 certificates issued to the eToken, using SSL/TLS client certificate authentication.

  • Obtain the root CA certificate in PEM format (shown below). You can do this by exporting the root CA certificate found on the eToken.

-----BEGIN CERTIFICATE-----

<base64 encoded>

-----END CERTIFICATE-----

  • Similarly, obtain the intermediate CA certificate in PEM format. You can do this by exporting the intermediate CA certificate found on the eToken.
  • Find the CA cert bundle listed under the ssl.conf directive SSLCACertificateFile and append the root CA certificate obtained above to it. This file is the trust store mod_ssl verifies client certificates against, so append the intermediate CA certificate to it as well; otherwise verification only succeeds when the browser happens to send the intermediate along with the eToken certificate.
  • Find the bundle file listed under the ssl.conf directive SSLCertificateChainFile and append the intermediate CA certificate obtained above to it. Note that this file only controls the chain the server sends for its own certificate and plays no part in client certificate verification; it is deprecated from httpd 2.4.8, where the chain is read from SSLCertificateFile instead.
  • Create the Apache config file /etc/httpd/conf.d/x509.conf with the following content:

<Location /x509>
SSLVerifyClient require
SSLVerifyDepth 5
SSLOptions +StdEnvVars +ExportCertData
</Location>

SSLVerifyDepth is the maximum number of CA certificates mod_ssl will follow from the client certificate to a trusted root; with one intermediate and one root a depth of 2 is sufficient, so 5 is a generous upper bound rather than a requirement. Because SSLVerifyClient is set per location rather than in the virtual host, mod_ssl has to ask for the client certificate after the initial handshake: on TLS 1.2 that is a renegotiation, and on TLS 1.3 it needs post-handshake authentication, which common browsers do not implement. If the eToken prompt never appears, move SSLVerifyClient into the <VirtualHost> or limit that host to TLS 1.2 with SSLProtocol.

  • Restart the httpd daemon.
  • Test on the client browser by using the following URL:

https://<FQDN>/x509

With the eToken plugged in, the browser should prompt for the eToken password and then present the certificate stored on the token.
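The configuration above only makes mod_ssl verify the certificate; the application behind /x509 still has to read the variables that SSLOptions +StdEnvVars +ExportCertData exposes and decide who the client is. The following is an added example of that consumer side, not code from the original page. The helper names, the expected issuer CN and the sample environ are assumptions; the variable names SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_CN, SSL_CLIENT_I_DN_CN and SSL_CLIENT_CERT are the ones mod_ssl actually sets.

```python
"""Authorisation consumer for the mod_ssl variables that
SSLOptions +StdEnvVars +ExportCertData exposes to a CGI/WSGI application
behind <Location /x509>.  Added illustration, not code from the original
page: helper names, expected issuer CN and sample environ are assumptions."""
import base64
import hashlib

# Assumption: CN of the intermediate CA that issues the eToken certificates.
EXPECTED_ISSUER_CN = "Example eToken Issuing CA"


def pem_fingerprint(pem):
    """SHA-256 hex digest of the DER certificate inside a PEM block.
    mod_ssl exports SSL_CLIENT_CERT in PEM form when +ExportCertData is set."""
    body = "".join(
        line.strip() for line in pem.splitlines()
        if line.strip() and not line.startswith("-----")
    )
    der = base64.b64decode(body, validate=True)
    return hashlib.sha256(der).hexdigest()


def client_identity(environ):
    """Return (subject CN, certificate fingerprint) for a client whose
    certificate mod_ssl verified against SSLCACertificateFile, else None.

    SSL_CLIENT_VERIFY is the only variable that says verification succeeded
    (values: NONE, SUCCESS, GENEROUS, FAILED:reason).  The DN variables are
    also populated under optional_no_ca, where the value is GENEROUS, so a
    subject DN on its own proves nothing."""
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Pin the issuer: a certificate from any other CA present in the bundle
    # must not be treated as an eToken identity.
    if environ.get("SSL_CLIENT_I_DN_CN") != EXPECTED_ISSUER_CN:
        return None
    cn = environ.get("SSL_CLIENT_S_DN_CN")
    pem = environ.get("SSL_CLIENT_CERT")
    if not cn or not pem:
        return None
    return cn, pem_fingerprint(pem)


def authorize(environ, allowed):
    """Map the verified certificate to a local user by fingerprint.
    `allowed` is {fingerprint_hex: username}; the CN is deliberately not the
    key, because the CA rather than the application controls its contents."""
    ident = client_identity(environ)
    if ident is None:
        return None
    _cn, fingerprint = ident
    return allowed.get(fingerprint)


# Constructed sample, not a real certificate: the base64 body is just the
# bytes b"not-a-real-der-certificate" so that the example runs offline.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"not-a-real-der-certificate").decode()
    + "\n-----END CERTIFICATE-----\n"
)

# What mod_ssl would hand to the application after a successful handshake
# (constructed values, assumed for the example).
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_CN": "alice",
    "SSL_CLIENT_I_DN_CN": EXPECTED_ISSUER_CN,
    "SSL_CLIENT_CERT": SAMPLE_PEM,
}

if __name__ == "__main__":
    users = {pem_fingerprint(SAMPLE_PEM): "alice"}
    print(client_identity(SAMPLE_ENVIRON))
    print(authorize(SAMPLE_ENVIRON, users))
    # Verification not performed: no identity, regardless of the DN fields.
    print(authorize(dict(SAMPLE_ENVIRON, SSL_CLIENT_VERIFY="NONE"), users))
```

mod_cgi and mod_wsgi pass these variables straight into the application's environment. If the application instead sits behind mod_proxy, they have to be forwarded explicitly as request headers (for example with RequestHeader set and the %{SSL_CLIENT_S_DN_CN}s format), and the backend must then drop any copies of those headers supplied by the client.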

Check the Apache mod_ssl how-to (ssl_howto) under Client Authentication for more information.