= Using SSL Client Certificates to log into Trac =
== Set up your SSL PKI ==
I will not explain in detail how to set up SSL for Apache. There are a lot of good step-by-step guides out there that can help you in this:
* In my opinion the best guide is this one: http://www.securityfocus.com/infocus/1818
* The official apache mod_ssl documentation can be found here: http://httpd.apache.org/docs/2.2/ssl/
I'll assume that you have the following by now:
* a certificate for your Trac web server
* client certificates for your users (already installed in their browsers)
== How to configure mod_ssl ==
Here are the most important apache directives.
Server configuration (httpd.conf):
...
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /your/root/certificate.pem
...
Virtual host configuration:
...
SSLEngine on
...
SSLRequireSSL
...
# Rather than setting REMOTE_USER through basic authentication
# we'll set it directly as the client's certificate's common name.
SSLUserName SSL_CLIENT_S_DN_CN