I'd like to make a simple Python CGI script (hosted by Apache in my case) that reads the client certificate and logs who accesses the script. My question seems simple but I can't find any info on the WWW: with a Python CGI script, how do you grab the client cert? I already have a working script and SSL, so I'm just trying to break the code on the client certificate piece. I'm open to trying another web server but I want to keep it as vanilla as possible, so no web frameworks (Django, etc.).
If you are using Apache HTTPD with mod_ssl then this is actually quite easy. You can instruct mod_ssl to export SSL-related information into environment variables with this configuration directive:
SSLOptions +StdEnvVars
You can then read all required information from environment variables without any external dependencies. For example, a basic CGI script written in Perl displaying the commonName from the client's certificate would look like this:
#!/usr/bin/perl
use strict;
# CGI header, followed by the blank line that ends the headers
print "Content-type: text/html\n";
print "\n";
# commonName of the client certificate, exported by mod_ssl via +StdEnvVars
print $ENV{"SSL_CLIENT_S_DN_CN"};
I've written a full-length article about SSL authentication in Apache HTTPD a few years ago, but it is only available in the Slovak language. However, it can be translated to English with Google Translate.
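
Since the question asks for Python, here is the same environment-variable approach as a Python CGI script that logs the caller; it is an added example, not part of the original answer. It assumes `SSLOptions +StdEnvVars` is active and that Apache is configured to request client certificates (`SSLVerifyClient`); `LOG_PATH` and the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Log which client certificate called this CGI script (added example)."""
import os
import sys
import time

# Hypothetical path; the web server user must be able to append to it.
LOG_PATH = "/var/log/apache2/client_cert_access.log"

# mod_ssl variables (SSLOptions +StdEnvVars) plus the standard CGI REMOTE_ADDR.
FIELDS = ("SSL_CLIENT_VERIFY", "SSL_CLIENT_S_DN_CN", "SSL_CLIENT_S_DN",
          "SSL_CLIENT_I_DN", "SSL_CLIENT_M_SERIAL", "REMOTE_ADDR")


def sanitize(value):
    """Escape quotes, backslashes and control characters so a crafted
    certificate field cannot forge or split log entries."""
    return "".join("\\x%02x" % ord(c) if c in '"\\' or not c.isprintable()
                   else c for c in value)


def client_identity(env):
    """Return (verified, record) from the mod_ssl variables in env."""
    record = {name: sanitize(env.get(name, "-")) for name in FIELDS}
    # Only SUCCESS means the chain validated against the configured CA;
    # NONE, GENEROUS and FAILED:reason are not an authenticated identity.
    return env.get("SSL_CLIENT_VERIFY") == "SUCCESS", record


def log_line(record, now=None):
    """Format one key="value" log entry with a UTC timestamp."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    return stamp + " " + " ".join('%s="%s"' % kv for kv in record.items())


def main():
    verified, record = client_identity(os.environ)
    with open(LOG_PATH, "a", encoding="utf-8") as log:
        log.write(log_line(record) + "\n")
    if verified:
        status, body = "200 OK", "Hello, %s\n" % record["SSL_CLIENT_S_DN_CN"]
    else:
        status, body = "403 Forbidden", "No verified client certificate\n"
    # text/plain: the CN is client-supplied, so it is never emitted as HTML.
    sys.stdout.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n" % status)
    sys.stdout.write(body)


if __name__ == "__main__":
    main()
```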