A client was concerned that Apache/OpenSSL combo was not respecting certificate key usage values out of the box. They demonstrated how they logged into a web-service using certificates that didn’t have the “TLS Web Client Authentication” extended key usage set. Because of that were asking if they had some config error and how would it be possible to require those extensions to be set.

They had messed about with different hints they got from the web, but none worked properly. After a bit of reading manuals/researching the web and tinkering around I managed to get it working the way they wanted it to. So I thought I’d share the brief config snippet to help out anyone else who was running into the same problem.

<Directory /var/www/html/test.site/tls_test>
  SSLVerifyClient require
  SSLVerifyDepth 2
  SSLOptions +StdEnvVars          
  Require expr "TLS Web Client Authentication, E-mail Protection" in PeerExtList('extendedKeyUsage')