Help - How can I do a single sign on similar to CAcert using client certificates?
Firstly you need mod-ssl and apache setup (this is beyond the scope of this FAQ item and you will need to search on google etc for LAMP setup information). I recommend mod-ssl over apache-ssl because it means you need less resources to achieve the same result.
Once you have everything setup and working you will need to add lines similar to below to your apache.conf
<VirtualHost 127.0.0.1:443> SSLEngine on SSLVerifyClient require SSLVerifyDepth 2 SSLCACertificateFile /etc/ssl/cacert.crt SSLCertificateFile /etc/ssl/certs/cacert.crt SSLCertificateKeyFile /etc/ssl/private/cacert.pem SSLOptions +StdEnvVars ServerName secure.cacert.org DocumentRoot /www </VirtualHost>
Please note, you will need to alter the paths, hostname and IP of the above example, which is just that an example! The SSLCACertificateFile directive is supposed to point to a file with the root certificate you wish to verify your client certificates against, for the CAcert website we obviously only accept certificates issued by our own website and use our root certificate to initially verify this.
Once you have everything working and you've tested sending a client certificate to your site and you're happy all is well you can start adding code to PHP (or any other language you like that can pull server environment information). At present I only have PHP code available and the example is in PHP
if($_SERVER['HTTP_HOST'] == "secure.cacert.org")
{
$query = "select * from `users` where `email`='$_SERVER[SSL_CLIENT_S_DN_Email]'";
$res = mysql_query($query);
if(mysql_num_rows($res) > 0)
{
$_SESSION['profile']['loggedin'] = 1;
header("location: https://secure.cacert.org/account.php");
exit;
}
}