= Using SSL Client Certificates to log into Trac = 

== Set up your SSL PKI ==
I will not explain in detail how to set up SSL for Apache. There are a lot of good step-by-step guides out there that can help you in this:

 * In my opinion the best guide is this one: http://www.securityfocus.com/infocus/1818
 * The official apache mod_ssl documentation can be found here: http://httpd.apache.org/docs/2.2/ssl/

I'll assume that you have the following by now:

 * a certificate for your Trac web server
 * client certificates for your users (already installed in their browsers)

== How to configure mod_ssl ==
Here are the most important apache directives.

Server configuration (httpd.conf):

{{{
<IfModule mod_ssl.c>
...
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /your/root/certificate.pem
...
</IfModule>
}}}


Virtual host configuration:
{{{
<VirtualHost xxx.xxx.xxx.xxx:443>
  ...
  SSLEngine on
  ...

  <Directory />
    # We have to require SSL for the whole vhost to enforce
    # client certificate authentication.
    SSLRequireSSL
    ...
  </Directory>

  <Location /trac>
    # Here comes your trac CGI/FCGI/mod_python configuration
    ...
  </Location>

  <Location /login>
    # We do NOT use basic authentication here. Rather than setting REMOTE_USER
    # through apache's HTTP authentication mechanisms we'll set it directly as
    # the client certificate's common name.
    SSLUserName SSL_CLIENT_S_DN_CN
  </Location>

  ...
</VirtualHost>
}}}