Go to the following directory: cd /etc/apache2/sites-enabled/.
Open openxpki.conf in nano and, for the required host, add SSLVerifyClient require.
For example, if you are using port 443, modify the VirtualHost section to:
<VirtualHost *:443>
    SSLVerifyClient require
</VirtualHost>
Remove the SSLVerifyClient optional_no_ca directive.
Save the file, and then type quit to exit from MySQL.
Go to the following directory: cd /etc/openxpki/config.d/realm/democa/est.
Open default.yaml and democa.yaml.
Note: If the label is different, then change the YAML file.
Run the following command:
In the authorized_signer section, add the following:
authorized_signer:
    rule2:
        subject: CN=<client certificate subject name>,.*
For example, if your client certificate subject name is test123, then add the following in the authorized_signer section:
authorized_signer:
    rule1:
        # Full DN
        subject: CN=.+:pkiclient,.*
    rule2:
        subject: CN=test123,.*
Save the file, and then type quit to exit MySQL.
Restart the OpenXPKI service using openxpkictl restart.
Restart the Apache service using service apache2 restart.
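To check which client certificate subjects the authorized_signer rules above admit, the following added example (not part of the original procedure or of OpenXPKI) evaluates them against constructed subject DNs. It assumes each subject value is a regular expression that must match the whole subject DN; the LOOSE rule and all sample DNs are hypothetical.

```python
import re

# Rules from the steps above; rule2 uses the page's test123 example.
AUTHORIZED_SIGNER = {
    "rule1": {"subject": r"CN=.+:pkiclient,.*"},
    "rule2": {"subject": r"CN=test123,.*"},
}

# Hypothetical loosened rule2 without the comma, for comparison only.
LOOSE = {"rule2": {"subject": r"CN=test123.*"}}

# Constructed subject DNs (not taken from any real deployment).
BASE = "DC=Test Deployment,DC=OpenXPKI,DC=org"
SAMPLES = [
    "CN=test123," + BASE,                     # the intended client
    "CN=test1234," + BASE,                    # longer name, same prefix
    "CN=test123",                             # no further RDNs after the CN
    "CN=xtest123," + BASE,                    # same suffix, different CN
    "CN=host.example.org:pkiclient," + BASE,  # matches the rule1 pattern
]

def matching_rules(subject_dn, rules=AUTHORIZED_SIGNER):
    """Return the names of the rules whose subject pattern accepts subject_dn."""
    hits = []
    for name, rule in rules.items():
        # Assumption: the pattern must cover the whole DN (anchored match).
        if re.fullmatch(rule["subject"], subject_dn):
            hits.append(name)
    return hits

def audit(subjects, rules=AUTHORIZED_SIGNER):
    """Map each subject DN to the list of rules that would authorize it."""
    return {dn: matching_rules(dn, rules) for dn in subjects}

if __name__ == "__main__":
    for label, rules in (("configured", AUTHORIZED_SIGNER), ("loosened", LOOSE)):
        for dn, hits in audit(SAMPLES, rules).items():
            print(f"{label:10} {'ALLOW' if hits else 'DENY':5} {dn} {hits}")
```

The comma after the CN value is what keeps CN=test1234 out; it also means a certificate whose subject is only CN=test123, with no further components, is not matched by rule2.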