From d726f4da547e943216bb6ba8b79d51fc015e03e1 Mon Sep 17 00:00:00 2001
From: Jouni Malinen
Date: Tue, 4 Dec 2018 00:15:04 +0200
Subject: [PATCH] HS 2.0 server: Document client certificate related Apache configuration
Signed-off-by: Jouni Malinen
---
 hs20/server/hs20-osu-server.txt | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt
index 70f13135e..22478ad9d 100644
--- a/hs20/server/hs20-osu-server.txt
+++ b/hs20/server/hs20-osu-server.txt
@@ -228,12 +228,17 @@ Add following block just before "SSL Engine Switch" line":
 Options Indexes MultiViews FollowSymLinks
 AllowOverride None
 Require all granted
+ SSLOptions +StdEnvVars
 Update SSL configuration to use the OSU server certificate/key. They keys and certs are called 'server.key' and 'server.pem' from ca/setup.sh.
+To support subscription remediation using client certificates, set
+"SSLVerifyClient optional" and configure the trust root CA(s) for the
+client certificates with SSLCACertificateFile.
+ Enable default-ssl site and restart Apache2: sudo a2ensite default-ssl sudo a2enmod ssl