Configure Apache to send SSL Client certificate to

Published 2020-06-12 03:34

Question:

I want to configure Apache so that it receives a client certificate, and passes it to another server. I'm using:

  • Apache 2.0.65 on Windows
  • the backend server is an Apache-based solution (IBM HTTP Server)

I tried this config:

<VirtualHost *:443>
ServerName apacheserver.domain.com
SSLEngine on
SSLProxyEngine on
SSLCertificateFile "e:/Apache/Apache2/conf/server.cer"
SSLCertificateKeyFile "e:/Apache/Apache2/conf/server.key"
SSLCACertificateFile  "e:/Apache/Apache2/conf/certca.cer"
SSLVerifyClient require
SSLVerifyDepth 2
ProxyPreserveHost on
ProxyRequests off
<Proxy *>
  AddDefaultCharset Off
  Order deny,allow
  Allow from all
</Proxy>
# initialize the special headers to a blank value to avoid http header forgeries
RequestHeader set SSL_CLIENT_S_DN    ""
RequestHeader set SSL_CLIENT_I_DN    ""
RequestHeader set SSL_SERVER_S_DN_OU ""
RequestHeader set SSL_CLIENT_VERIFY  ""
<Directory />
  # add all the SSL_* you need in the internal web application
  RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}e"
  RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}e"
  RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}e"
  RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}e"
  ProxyPass  https://192.168.10.191/
  ProxyPassReverse  https://192.168.10.191/
</Directory>
</VirtualHost>

When I try this config, I get this error in Apache's error.log file:

[Tue Dec 31 12:14:52 2013] [warn] Proxy client certificate callback: (apacheserver.domain.com:443) downstream server wanted client certificate but none are configured

Any ideas?

Answer 1:

The client certificate is used in the SSL connection to verify the identity of the user. The verification is done with public key cryptography, e.g. the client signs something with its private key and the signature can be verified with the public key. And because the private key is only known to the client but the public key to everybody (it is included in the certificate), only the client can sign but everybody can verify the signature and thus it is proven that the signed text comes from the client.

If you use Apache as a proxy which requests a client certificate, it will receive the certificate which contains the client's public key and it will be able to verify the signature of the client. But it has no access to the client's private key and thus it will not be able to create another https connection with the client's original certificate. All it can do is verify the client's certificate and then forward the important information as HTTP headers to the upstream server.

It looks like you attempt to put the information from the client's certificate inside HTTP headers, but that your upstream server requires more, e.g. it requires the client's certificate which you cannot offer (error message: "..downstream server wanted client certificate.."). Therefore you need to change the upstream server, so that it accepts connections without a client certificate and reads the authorization information from the HTTP headers you've inserted in the proxy.
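The backend side of the arrangement the answer describes (and that the question's RequestHeader lines set up) is what decides whether the forwarded SSL_* headers are safe to rely on. The following is an added illustration, not code from the thread or from IBM HTTP Server: a small WSGI backend that accepts the client identity only when the request comes from the trusted proxy address, SSL_CLIENT_VERIFY is exactly "SUCCESS" (the value mod_ssl uses for a verified chain), and the issuer DN matches the CA the proxy is configured to trust. The proxy address, CA DN, subject DNs and sample requests are all constructed for the example.

```python
"""Backend-side handling of client-certificate data forwarded by a
TLS-terminating reverse proxy (added illustration, not code from the thread).

Assumptions, all constructed for this example: the proxy forwards mod_ssl's
SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN and SSL_CLIENT_I_DN as same-named request
headers (as in the question's config), the backend sees the proxy's address
as REMOTE_ADDR, and the issuing CA's DN is known to the backend.
"""
from dataclasses import dataclass
from typing import Mapping, Optional

# Constructed values: the only peer allowed to assert a client identity, and
# the DN of the CA that the proxy's SSLCACertificateFile trusts.
TRUSTED_PROXY_ADDRS = frozenset({"192.168.10.50"})
EXPECTED_ISSUER_DN = "CN=Example Client CA,O=Example Corp"


@dataclass(frozen=True)
class ClientIdentity:
    subject_dn: str
    issuer_dn: str


def identity_from_proxy_headers(headers: Mapping[str, str],
                                peer_addr: str) -> Optional[ClientIdentity]:
    """Return the client identity the proxy vouched for, or None.

    Every check fails closed:
    - headers from any peer other than the proxy are ignored, because a
      client talking to the backend directly could set them itself;
    - mod_ssl sets SSL_CLIENT_VERIFY to "SUCCESS" only when the chain
      verified, so NONE, FAILED:..., GENEROUS or the blank value the proxy
      uses to clear the header all mean "unauthenticated";
    - the issuer DN is pinned so a certificate from another CA is still
      rejected here even if it somehow passed the proxy.
    """
    if peer_addr not in TRUSTED_PROXY_ADDRS:
        return None
    if headers.get("SSL_CLIENT_VERIFY", "").strip() != "SUCCESS":
        return None
    subject = headers.get("SSL_CLIENT_S_DN", "").strip()
    issuer = headers.get("SSL_CLIENT_I_DN", "").strip()
    if not subject or issuer != EXPECTED_ISSUER_DN:
        return None
    return ClientIdentity(subject_dn=subject, issuer_dn=issuer)


def wsgi_app(environ, start_response):
    """Minimal WSGI application; WSGI exposes request headers as HTTP_<NAME>."""
    names = ("SSL_CLIENT_VERIFY", "SSL_CLIENT_S_DN", "SSL_CLIENT_I_DN")
    headers = {name: environ.get("HTTP_" + name, "") for name in names}
    ident = identity_from_proxy_headers(headers, environ.get("REMOTE_ADDR", ""))
    if ident is None:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [b"client certificate required\n"]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + ident.subject_dn + "\n").encode("utf-8")]


def status_for(environ: dict) -> str:
    """Run wsgi_app on one environ and return the HTTP status it chose."""
    chosen = []
    wsgi_app(environ, lambda status, _headers: chosen.append(status))
    return chosen[0]


# Constructed sample requests, as the backend would see them.
SAMPLE_REQUESTS = {
    "verified via proxy": {
        "REMOTE_ADDR": "192.168.10.50",
        "HTTP_SSL_CLIENT_VERIFY": "SUCCESS",
        "HTTP_SSL_CLIENT_S_DN": "CN=alice,O=Example Corp",
        "HTTP_SSL_CLIENT_I_DN": EXPECTED_ISSUER_DN,
    },
    "proxy cleared headers (no cert presented)": {
        "REMOTE_ADDR": "192.168.10.50",
        "HTTP_SSL_CLIENT_VERIFY": "",
        "HTTP_SSL_CLIENT_S_DN": "",
        "HTTP_SSL_CLIENT_I_DN": "",
    },
    "headers set by a non-proxy peer": {
        "REMOTE_ADDR": "203.0.113.7",
        "HTTP_SSL_CLIENT_VERIFY": "SUCCESS",
        "HTTP_SSL_CLIENT_S_DN": "CN=admin,O=Example Corp",
        "HTTP_SSL_CLIENT_I_DN": EXPECTED_ISSUER_DN,
    },
    "wrong issuing CA": {
        "REMOTE_ADDR": "192.168.10.50",
        "HTTP_SSL_CLIENT_VERIFY": "SUCCESS",
        "HTTP_SSL_CLIENT_S_DN": "CN=alice,O=Example Corp",
        "HTTP_SSL_CLIENT_I_DN": "CN=Some Other CA,O=Elsewhere",
    },
}

if __name__ == "__main__":
    for label, env in SAMPLE_REQUESTS.items():
        print(f"{label:45s} -> {status_for(env)}")
```

Only the first sample request is served; the other three get 401. One practical caveat when reusing the question's header names: some servers drop request headers whose names contain underscores (nginx does so by default), so a hyphenated name such as X-SSL-Client-Verify travels more reliably through a proxy chain. Restricting the backend's listener to the proxy's network is the complement to the REMOTE_ADDR check, not a replacement for it.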
Answer 2:

Use http: instead of https: in the ProxyPass directive. Apache will pass the client certificate in the headers.