The apache config as it ships in unfold.conf defines a port (currently 443) where SSL client-auth is enforced The idea being to have the browser prompting our user for a certificate - instead of leaving that optional, which we believe is something nobody will ever use if it's optional. A few notes and caveats must be outlined though below; see also unfold-init-ssl.sh about that * as of this writing quite a lot of what is below would be taken care of by the packaging stuff once/if it works; the notes below are intended to help in this respect. * all the local material for this deployment gets into /etc/unfold/ * I could not find a way to have client-auth without server auth; this is totally weird, and stupid, but that's how it is so there is a need to install a (probably self-signed) cert and related key in /etc/unfold/myslice.cert /etc/unfold/myslice.key see init-ssl.sh for how to create these * Now the trusted roots - that we do need in our case - are expected in /etc/unfold/trusted_roots this of course is a user choice, e.g.: /etc/unfold/trusted_roots/plc.gid /etc/unfold/trusted_roots/ple.gid