Configuring Mutual Authentication with Apache

Last updated: 2020-05-14 18:41:24

PDF

Configuration Process for Apache HTTPS Mutual Authentication

This document uses the third-party developer domain name www.example.com as an example. The following two cases may arise:

  • The third-party developer already has a certificate issued by an authoritative third party.

    • The developer prepares the certificate www.example.com.crt issued by and the private key www.example.com.key assigned by the authoritative third party for www.example.com. Note that the certificate must be issued by an authoritative third party, such as Topway or GlobalSign.
    • IM provides the developer backend with a CA certificate TencentQQAuthCA.crt, which is used to verify the certificate of the requesting party (IM).
    • Perform configuration by referring to the Reference for Apache HTTPS Mutual Authentication Configuration below.
  • The third-party developer sends an application to IM, requesting IM to issue a certificate for its domain name.

    • The developer configures the callback URL, such as www.example.com, in the console.
    • IM issues the certificate www.example.com.crt and assigns the private key www.example.com.key to the developer with the domain name www.example.com. The developer can download the certificate from the console.
    • IM provides the developer backend with a CA certificate TencentQQAuthCA.crt, which is used to verify the certificate of the requesting party (IM).
    • Perform configuration by referring to the Reference for Apache HTTPS Mutual Authentication Configuration below.

Reference for Apache HTTPS Mutual Authentication Configuration

  1. Copy www.example.com.crt, www.example.com.key, and TencentQQAuthCA.crt to the conf folder under the Apache installation directory.
  2. Modify the httpd.conf file. The reference configuration is as follows:
     SSLEngine on # Enables SSL
     SSLCertificateFile "/usr/local/apache2/conf/example.com.crt" # Certificate issued by Tencent to the third party
     SSLCertificateKeyFile "/usr/local/apache2/conf/example.com.key" # Private key paired with the certificate
     SSLCACertificateFile  "/usr/local/apache2/conf/TencentQQAuthCA.crt" # CA certificate authenticated by Tencent
     SSLVerifyClient require # Verify the request source