The question is very clear but I did not find any useful tutorial online. So I wish I could have some luck here.
Basically, I want to build a client certificate authenti
It is important to understand SSLVerifyClient and the other directives. From Practical Issues with TLS Client Certificate Authentication (page 3):
The default value none of SSLVerifyClient does not require CCA; therefore the server will not include a CertificateRequest message in the TLS handshake.
The value require will require CCA, and thus the CertificateRequest message will be included in the handshake. If the client does not provide any certificate in the client’s Certificate message or mod_ssl fails to verify the certificate provided, the TLS handshake will be aborted and a fatal TLS alert message will be sent to the client.
The value optional is the same as require, but an empty client’s Certificate message will be tolerated.
The last possible value optional_no_ca is the same as optional, but in addition it allows a client’s certificate to be submitted that does not chain up to the CA trusted by the server (because of a bug in OpenSSL [6], not-yet-valid or expired non-self-signed client certificates will also be accepted).
The value optional_no_ca can be used to perform certificate verification at an application level or to implement PKI-less public-key authentication that uses X.509 certificates as a public-key transport.
You'll find instructions on how to create a CA cert and certs signed by this CA cert here: http://pages.cs.wisc.edu/~zmiller/ca-howto/
Things go like this:
You can then check that the client presents a certificate which is "signed" by the CA.
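To put the SSLVerifyClient values above and the "is it signed by our CA" check side by side, here is an added mod_ssl virtual host (example configuration, not from the question, the answers or the linked how-to). File paths and the CA common name "My Client CA" are placeholders; the CA file is the CA certificate created by the how-to.

```apache
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    # Placeholder paths for the server's own certificate and key.
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # The CA certificate that signed the client certificates you trust
    # (placeholder path). mod_ssl builds the client's chain against this.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    # Maximum number of certificates between the client cert and the CA.
    SSLVerifyDepth 1

    # Weak setting, kept commented out: optional_no_ca lets the handshake
    # succeed with a certificate that does not chain to the CA, so the
    # application itself would have to inspect SSL_CLIENT_VERIFY.
    # SSLVerifyClient optional_no_ca

    # Corrected setting: the handshake is aborted unless the client sends
    # a certificate that verifies against SSLCACertificateFile.
    SSLVerifyClient require

    # Export SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN_CN and the
    # PEM certificate (SSL_CLIENT_CERT) to CGI/application environments.
    SSLOptions +StdEnvVars +ExportCertData

    <Location /protected>
        # Second check at request time: verification must have succeeded
        # and the issuer CN must be our CA (placeholder name).
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
                   and %{SSL_CLIENT_I_DN_CN} eq "My Client CA"
    </Location>
</VirtualHost>
```

With optional or optional_no_ca, SSL_CLIENT_VERIFY is the variable an application must test (it is "SUCCESS" only when the chain verified), which the SSLRequire line above does for you at the web server layer.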