This solution uses Let’s Encrypt as the certificate provider for the website and custom certificates for mTLS authentication.
Connect to the ISP Config server and prepare certificates
Generate CA certificate
# generate private key
openssl genrsa -out ca.key 4096
# generate CA cert
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt \
-subj "/C=EU/ST=Czechia/L=JM/O=FireIT.xx/OU=IT/CN=MyMTLS-RootCA"
Generate client certificate
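# generate client key
openssl genrsa -out client.key 2048
# generate certificate signing request (openssl prompts for the subject fields)
openssl req -new -key client.key -out client.csr
# generate client certificate signed by the CA
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out client.crt -days 3650 -sha256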
Export client certificate
openssl pkcs12 -export -inkey client.key -in client.crt -certfile ca.crt -out client.p12
# export password
Enter Export Password:
Verifying - Enter Export Password:
After the export, import the client.p12 file into your operating system's certificate store.
Copy CA certificate to the website folder
Copy only ca.crt; the CA private key (ca.key) does not belong in the website folder. The source path depends on where you generated the certificates; in my case (replace [value] with your value):
cp ~/ca.crt /var/www/[webpage.xx]/ssl/
ISP Config setup
Connect to the ISP Config admin interface, go to Sites -> select the website, and add these settings:
1) Domain tab – Enable the Let’s Encrypt certificate for the website and let it generate
2) Options tab – Apache directives (replace [value] with your value)
SSLCACertificateFile /var/www/[webpage.xx]/ssl/ca.crt
SSLVerifyClient require
SSLVerifyDepth 2
Now you should be set up. When you open the website, the browser should ask you to select a client certificate before it lets you in.
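The certificate files can also be checked offline before testing in the browser. The script below is an added example, not part of the original post: it mirrors the openssl commands above in throwaway directories (the subject names Demo-RootCA, Other-RootCA and demo-client and the function names are constructed for the demo) and checks that a client certificate chains to the CA that Apache trusts, is not expiring inside a given window, and matches its private key.

```bash
#!/usr/bin/env bash
# Added example: offline pre-flight checks for the mTLS files created above.
# Subject names and the temporary directories are constructed for the demo.

# 0 = cert chains to the CA and is valid for $3 more seconds (default: now),
# 1 = not signed by this CA, 2 = expired or expiring inside the window.
check_client_cert() {
    local ca="$1" cert="$2" window="${3:-0}"
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
    openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1 || return 2
}

# 0 if the private key $1 belongs to certificate $2 (public keys are equal).
key_matches_cert() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Build a throwaway CA and client in directory $1, mirroring the commands above
# (2048-bit keys and 30 days only to keep the demo fast).
make_pki() {
    local d="$1" cn="$2"
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null &&
    openssl req -x509 -new -nodes -key "$d/ca.key" -sha256 -days 30 \
        -out "$d/ca.crt" -subj "/CN=$cn" 2>/dev/null &&
    openssl genrsa -out "$d/client.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/client.key" -out "$d/client.csr" \
        -subj "/CN=demo-client" 2>/dev/null &&
    openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -out "$d/client.crt" -days 30 -sha256 2>/dev/null
}

good=$(mktemp -d); other=$(mktemp -d)
make_pki "$good" "Demo-RootCA" && make_pki "$other" "Other-RootCA"

check_client_cert "$good/ca.crt" "$good/client.crt";  echo "own client:      $?"
check_client_cert "$good/ca.crt" "$other/client.crt"; echo "foreign client:  $?"
check_client_cert "$good/ca.crt" "$good/client.crt" $((90*86400)); echo "90-day window:   $?"
key_matches_cert "$good/client.key" "$good/client.crt"; echo "key/cert match:  $?"
```

To check your own files, call check_client_cert with the ca.crt copied to the website folder and the client.crt you exported; a result of 1 means Apache's SSLVerifyClient require would reject that certificate.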