Is it possible to automatically select correct client side certificate?

梦想的初衷 submitted on 2019-12-02 01:53:31

The SSL (TLS) protocol only allows the server to specify two constraints on the client certificate:

  1. The type of certificate (RSA, DSA, etc.)
  2. The trusted certificate authorities (CAs) that signed the client certificate

You can use "openssl s_client" to see which CAs your Apache server trusts for client certs. I do not know how to configure Apache to change that list (sorry), but I bet there is a way. So if you can limit the list to (say) your own organization's CA alone, then you will have done all you can to allow a Web browser to select the client cert automatically.

As Eugene said, whether the browser actually does so is up to the particular browser.
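The check described above, as an added example that is not part of the original answers: `openssl s_client` prints the CA names the server sent in its CertificateRequest under the heading "Acceptable client certificate CA names" (or "No client certificate CA names sent" when the server asked for a client certificate without constraining the issuer). The helper below pulls that block out of the output so the list can be compared against what the server is supposed to advertise. The s_client transcript embedded here is constructed sample output, and the host name is a placeholder.

```shell
#!/bin/sh
# Added example. Extracts the CA names a TLS server advertises in its
# CertificateRequest, as printed by `openssl s_client`. Against a live server:
#   openssl s_client -connect www.example.test:443 </dev/null 2>/dev/null | acceptable_cas

# Print the "Acceptable client certificate CA names" block, one Subject DN per
# line. Prints nothing when the server sent no names (or no CertificateRequest).
acceptable_cas() {
    awk '
        /^Acceptable client certificate CA names/ { grab = 1; next }
        /^No client certificate CA names sent/    { exit }
        grab && /^(Client Certificate Types|Requested Signature|Shared Requested|Peer sign|Server Temp Key|---)/ { exit }
        grab { print }
    '
}

# Constructed s_client output for offline testing (not a real capture).
SAMPLE_S_CLIENT_OUTPUT='CONNECTED(00000003)
---
Certificate chain
 0 s:CN = www.example.test
   i:O = Example Corp, CN = Example Internal CA
---
Acceptable client certificate CA names
O = Example Corp, CN = Example Internal CA
O = Example Corp, CN = Example VPN CA
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA-PSS+SHA256:ECDSA+SHA256:RSA+SHA256
Peer signing digest: SHA256
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2431 bytes and written 421 bytes
Verification: OK'

# Number of advertised CA names in the sample (2).
count_sample_cas() {
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | acceptable_cas | wc -l | tr -d ' '
}

# First advertised CA name in the sample.
first_sample_ca() {
    printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | acceptable_cas | head -n 1
}

# Usage: list the names the sample server would let a browser filter on.
printf '%s\n' "$SAMPLE_S_CLIENT_OUTPUT" | acceptable_cas
```

If the list that comes back is long (a system CA bundle, for instance), a browser has nothing to filter on and will prompt; if it is a single organisational CA, a browser that implements automatic selection can pick the matching client certificate without asking.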

I'd say that as selection of the certificate is a client-side task, there's no definite way to force the client to use this or that certificate from the server side.

In addition to what @Nemo and @Eugene said, by default, Apache Httpd will send the list of CAs it gets from its SSLCACertificateFile or SSLCACertificatePath configuration directives.

However, you can force it to send a different list in certificate_authorities using the SSLCADNRequestFile or SSLCADNRequestPath directives and pointing them to another set of certificates. Only the Subject DN of these certificates is used (and sent in the list). If you want to force certain names, you can even self-sign these certificates with whichever name you want. I've tried this (in conjunction with SSLVerifyClient optional_no_ca), and you can get clients to send certificates for CA certificates that the server doesn't actually have. (This isn't necessarily useful, but it works.)
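The configuration described above, as an added example that is not part of the original answer: the CAs used to verify the client certificate come from SSLCACertificateFile, while SSLCADNRequestFile controls only the names advertised to the client, so the two can be set independently. All file paths are assumptions.

```apacheconf
# Added example; paths are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.test.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.test.key

    # CAs actually trusted when verifying the client certificate. Without
    # SSLCADNRequestFile, the Subject DNs of these certificates are what
    # gets sent in certificate_authorities.
    SSLCACertificateFile  /etc/ssl/certs/client-ca-bundle.pem

    # Names advertised in the CertificateRequest instead of the bundle above.
    # Only each certificate's Subject DN is used, so a file holding just the
    # one organisational CA narrows the browser's choice to certificates
    # issued by it.
    SSLCADNRequestFile    /etc/ssl/certs/advertised-ca-names.pem

    # Require a client certificate and verify it against SSLCACertificateFile.
    SSLVerifyClient require
    SSLVerifyDepth  2
</VirtualHost>
```

Keep SSLVerifyClient at require (or optional) in production: with optional_no_ca, as the answer notes, Apache accepts a client certificate it cannot chain to a trusted CA, so the advertised list would no longer imply any verification.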
