====Certificates====

The **cert** [[pathsecurity|access control]] rule allows access to a resource if the incoming request was signed with a valid client security certificate.

This allows remote machines access to resources that are otherwise private, without going through ARDI authentication.

This is considered one of the most secure methods of setting up a trust relationship between two endpoints. When combined with a [[security_whitelist|whitelist]], you can usually be very confident that the request is coming from a specific machine and user.

===Properties===

**name**: An optional regular expression to match with the name. If this isn't provided, //any// valid certificate is accepted.

===Basic Example===

  {
    "type": "cert",
    "name": "com.mycompany.*"
  }

//This restricts access to only requests that are signed with a certificate belonging to a system with a common name starting with 'com.mycompany.'.//

===Server Setup===

By default, the Apache 2 webserver does not have client certificates enabled. To enable them, you'll need to make changes to configuration files.

Open your //vhosts.conf// file, found at **/etc/apache2/sites-enabled/ardi** in Linux, or **\apache2\conf\extra\vhosts.conf** in your ARDI install folder on Windows.

Under ****, add the following lines...

  SSLCACertificateFile "path.to.certificate.chain"
  SSLVerifyClient optional
  SSLVerifyDepth 10
  SSLOptions +ExportCertData +StdEnvVars

Replace //path.to.certificate.chain// with the path to a CRT or PEM file containing the certificate chain that can be used to validate the client certificate.

Restart Apache2 using **Services** in Windows, or **service apache2 restart** on Linux.
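
With //SSLVerifyClient optional//, Apache still serves requests that present no certificate, so the application has to check the verification result that //+StdEnvVars// exports before it trusts the name. The sketch below is an added example, not ARDI's own code: it evaluates a **cert** rule against mod_ssl's standard //SSL_CLIENT_VERIFY// and //SSL_CLIENT_S_DN_CN// variables. The function name, the sample common names and the whole-string matching are assumptions, since this page does not say how ARDI applies the expression.

```python
import re


def cert_rule_allows(rule, environ):
    """Evaluate a 'cert' rule against mod_ssl's request environment.

    Hypothetical helper: ARDI's real matching logic is not shown on the page.
    """
    if rule.get("type") != "cert":
        raise ValueError("not a cert rule")
    # SSLVerifyClient optional lets certificate-less requests through; mod_ssl
    # then reports SSL_CLIENT_VERIFY=NONE, so only SUCCESS may pass.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False
    pattern = rule.get("name")
    if pattern is None:
        return True  # per the page: without a name, any valid certificate passes
    common_name = environ.get("SSL_CLIENT_S_DN_CN", "")
    # Assumption: the expression must match the whole common name.
    return re.fullmatch(pattern, common_name) is not None


# The rule from the Basic Example, and a stricter variant with escaped dots.
PAGE_RULE = {"type": "cert", "name": "com.mycompany.*"}
STRICT_RULE = {"type": "cert", "name": r"com\.mycompany\..+"}

# Constructed request environments (not captured from a real server).
SAMPLES = {
    "valid": {"SSL_CLIENT_VERIFY": "SUCCESS",
              "SSL_CLIENT_S_DN_CN": "com.mycompany.plant1"},
    "no_cert": {"SSL_CLIENT_VERIFY": "NONE"},
    # An unescaped '.' matches any character, so this name passes PAGE_RULE.
    "lookalike": {"SSL_CLIENT_VERIFY": "SUCCESS",
                  "SSL_CLIENT_S_DN_CN": "comXmycompany"},
}


def evaluate_all(rule):
    """Return {sample name: allowed?} for every constructed sample."""
    return {name: cert_rule_allows(rule, env) for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for label, rule in (("page rule", PAGE_RULE), ("strict rule", STRICT_RULE)):
        print(label, evaluate_all(rule))
```

In a regular expression an unescaped dot matches any character, so escaping the dots is what limits the rule to names that literally begin with 'com.mycompany.'.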