TL;DR
Your browser keeps getting kicked off a website secured with client certificates on an Apache server running on Windows? This is usually caused by the SSL session timeout being too short. We’ll adjust the Apache configuration to keep sessions open longer.
Solution Guide
- Understand the Problem: Client certificate authentication requires a secure connection (SSL/TLS). If the server doesn’t receive regular activity, it might close the session for security reasons. This causes your browser to disconnect and re-authenticate.
- This is more common with Apache on Windows than other platforms due to default settings.
- Locate Your Apache Configuration File: The main configuration file is usually named
httpd.conforapache2.conf. It’s typically found in theconfdirectory within your Apache installation folder (e.g.,C:Apache24confhttpd.conf). - Edit the Configuration File: Open the configuration file with a text editor (like Notepad, but run as Administrator!). You’ll need to modify settings related to SSL session management.
- Search for the
<VirtualHost>block that corresponds to your website.
- Search for the
- Adjust SSL Session Timeout: Within the
<VirtualHost>block, add or modify these directives:SSLSessionCache shm UNC:/path/to/your/session_cache ttl=3600 timeout=600 SSLSessionTickets On SSLProxyEngine on SSLProxyCheckPeerCN Off SSLProxyTimeout 600SSLSessionCache: This directive specifies where Apache stores SSL session data.ttl=3600sets the time-to-live (in seconds) to one hour. Change/path/to/your/session_cacheto a suitable directory on your server.SSLSessionTickets: Enabling this improves performance and can help with session persistence.SSLProxyEngine on&SSLProxyCheckPeerCN Off: These are often needed if you’re using a reverse proxy. If not, they can be omitted.SSLProxyTimeout 600: Sets the timeout for SSL proxy connections to 10 minutes (600 seconds). Adjust as needed.
- Increase KeepAlive Settings: Also within the
<VirtualHost>block, adjust these directives:KeepAlive On MaxKeepAliveRequests 100 KeepAliveTimeout 60KeepAlive On: Enables the Keep-Alive feature.MaxKeepAliveRequests 100: Allows up to 100 requests on a single connection before closing it.KeepAliveTimeout 60: Sets the timeout (in seconds) for idle connections to 60 seconds.
- Save and Restart Apache: Save the changes to your configuration file.
- Restart Apache to apply the new settings. You can usually do this from the Services app in Windows (search for “Apache2.4” or similar). Alternatively, use the command line:
httpd -k restart
- Restart Apache to apply the new settings. You can usually do this from the Services app in Windows (search for “Apache2.4” or similar). Alternatively, use the command line:
- Test: Clear your browser cache and cookies, then try accessing the client certificate authenticated website again.
- Monitor if you still get disconnected. If so, increase the
KeepAliveTimeoutorSSLSessionCache ttlfurther (in small increments).
- Monitor if you still get disconnected. If so, increase the