Public key authentication or similar over HTTP/HTTPS?

Is it possible to configure Apache, or some other web server, to use some kind of public-key authentication?

What I would like, ideally, is to be able to give users access to a site without the need for a username/password, provided that they have installed a keyfile (or similar) in their browser, and that that key is 'authorized' on the server side.


What you are looking for is generally referred to as mutual authentication. Normally a server certificate exists for "server authentication", which means it validates the identity of the server to the client.

Note that when pursuing this scheme, you have an additional challenge of certificate renewal for the clients.

Here is an example of how it is done for one product:

Mutual Authentication Primer

Configuring Apache for SSL


SSL is public key authentication. Most commonly it's used to authenticate the identify of the remote server...the server presents a certificate, signed by the private key of a certificate authority, and your browser verifies it against the authorities public key.

It is also possible to use SSL to authenticate the identify of the client. In this case, you configure your browser to present a client certificate when it connects to a remote server, and the remote server will authenticate the certificate against some authority.

This is all relatively easy and well supported by most web servers. This document discusses setting things up with Apache. The SSLRequire statement does most of the heavy lifting for this sort of configuration.