How to configure Apache to send client certificate's partial Serial Number/DN?


Article ID: KB0094290


Products Versions
TIBCO API Exchange -
Not Applicable -

Description

Resolution:

As documented by Apache:


- The variable SSL_CLIENT_S_DN carries the complete subject DN of the client certificate.
- The variable SSL_CLIENT_S_DN_x509 carries a single component of the client's subject DN.
Here is the excerpt from the Apache documentation on the possible values for x509:
---------------------
x509 specifies a component of an X.509 DN; one of C,ST,L,O,OU,CN,T,I,G,S,D,UID,Email.
---------------------

Here are the directives in Apache:
To send the complete DN:
    RequestHeader add CAIssuer "%{SSL_CLIENT_I_DN}s"
    RequestHeader add SerialNumber "%{SSL_CLIENT_S_DN}s"

To send the CN component only:
    RequestHeader add CAIssuer "%{SSL_CLIENT_I_DN}s"
    RequestHeader add SerialNumber "%{SSL_CLIENT_S_DN_CN}s"
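
A hardened variant of the directives above, as an added example that is not part of the original article: `RequestHeader set` replaces any header of the same name that arrived with the request, whereas `add` appends to it, and `SSLVerifyClient require` ensures the values come from a verified client certificate. The host name, file paths and backend URL are placeholders, and mod_ssl, mod_headers and mod_proxy are assumed to be loaded.

```apache
# Added example, not TIBCO's or Apache's own configuration.
# Placeholders: gateway.example.com, /path/to/*, http://127.0.0.1:8080/
<VirtualHost *:443>
    ServerName gateway.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Only certificates chaining to this CA bundle are accepted.
    SSLCACertificateFile  /path/to/partner-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Weak form: "add" keeps a client-supplied header of the same name,
    # so the backend can receive two values.
    #   RequestHeader add SerialNumber "%{SSL_CLIENT_S_DN_CN}s"

    # Corrected form: "set" overwrites whatever the client sent, so the
    # backend only sees the values mod_ssl derived from the certificate.
    RequestHeader set CAIssuer     "%{SSL_CLIENT_I_DN}s"
    RequestHeader set SerialNumber "%{SSL_CLIENT_S_DN_CN}s"

    # Forward to the backend that consumes the two headers.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>
```

On Apache 2.4 the DN variables use an RFC 2253 compatible format by default, and `SSLOptions +LegacyDNStringFormat` switches to the older format, so keep that setting consistent with the DN strings stored in PartnerData.cfg.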


Here are the corresponding sample entries in PartnerData.cfg for version 2.x:
partner_FULL_JOHN|FULL_JOHN|||||CN=John,OU=VIP,O=ABC Book Club,L=Palo Alto,ST=California,C=US|CN=CA,OU=Security,O=TIBCOSoftware,L=Palo Alto,ST=California,C=US||false||
partner_CN_JOHN|CN_JOHN|||||John|CN=CA,OU=Security,O=TIBCOSoftware,L=Palo Alto,ST=California,C=US||false||

Issue/Introduction

How to configure Apache to send client certificate's partial Serial Number/DN?

Environment

Product: TIBCO API Exchange
Version: ALL
OS: All Supported Operating Systems

Additional Information

Apache documentation, mod_ssl chapter:
https://httpd.apache.org/docs/current/mod/mod_ssl.html