HS 2.0 server: Document client certificate related Apache configuration

author Jouni Malinen <jouni@codeaurora.org>

Mon, 3 Dec 2018 22:15:04 +0000 (00:15 +0200)

committer Jouni Malinen <j@w1.fi>

Mon, 3 Dec 2018 22:34:10 +0000 (00:34 +0200)
author Jouni Malinen <jouni@codeaurora.org>
Mon, 3 Dec 2018 22:15:04 +0000 (00:15 +0200)
committer Jouni Malinen <j@w1.fi>
Mon, 3 Dec 2018 22:34:10 +0000 (00:34 +0200)
diff --git a/hs20/server/hs20-osu-server.txt b/hs20/server/hs20-osu-server.txt

index 70f13135e80a47b682a94be5ce67a73780861a6d..22478ad9d2cbf06973dbdeb0d09b20147fad7049 100644 (file)
--- a/hs20/server/hs20-osu-server.txt
+++ b/hs20/server/hs20-osu-server.txt
@@ -228,12 +228,17 @@ Add following block just before "SSL Engine Switch" line":
                  Options Indexes MultiViews FollowSymLinks
                  AllowOverride None
                 Require all granted
+               SSLOptions +StdEnvVars
          </Directory>
  
  Update SSL configuration to use the OSU server certificate/key.
  They keys and certs are called 'server.key' and 'server.pem' from
  ca/setup.sh.
  
+To support subscription remediation using client certificates, set
+"SSLVerifyClient optional" and configure the trust root CA(s) for the
+client certificates with SSLCACertificateFile.
+
  Enable default-ssl site and restart Apache2:
    sudo a2ensite default-ssl
    sudo a2enmod ssl
author	Jouni Malinen <jouni@codeaurora.org>
	Mon, 3 Dec 2018 22:15:04 +0000 (00:15 +0200)
committer	Jouni Malinen <j@w1.fi>
	Mon, 3 Dec 2018 22:34:10 +0000 (00:34 +0200)