
Steps for configuring Apache HTTPD for CAC Card Authentication


I have been assigned the task of making a web site use CAC card authentication. I've set up an AWS Linux server with the Apache httpd web server. Does anyone have the step-by-step instructions to set up Apache so that a user's web browser reads their CAC card and prompts them for the PIN?


Solution

  • CAC authentication is no different from any other PKI authentication (can be referred to as mutual authentication or client authentication). What this means is that in addition to the browser authenticating the server certificate (check that the server cert is issued by a trusted authority), the server will also require that the client submit a certificate which the server will verify.

    Here is what you will need: a server certificate, the private key which goes with that certificate, and a trust store with root and intermediate CA certificates. Have a look at this documentation for reference: https://httpd.apache.org/docs/2.4/ssl/ssl_howto.html.

    In the simplest setup you want a VirtualHost which looks something like this (I haven't tested this configuration. Just copied it from the site mentioned above. It might need to be tweaked):

    <VirtualHost *:443>
        ServerName www.example.com
        SSLEngine on
        # server certificate
        SSLCertificateFile "/path/to/www.example.com.cert"
        # private key
        SSLCertificateKeyFile "/path/to/www.example.com.key"
        SSLVerifyClient require
        SSLVerifyDepth 1
        # trust store
        SSLCACertificateFile "conf/ssl.crt/ca.crt"
    </VirtualHost>


    As I mentioned, this is the most basic setup. This might be sufficient for what you need, but to make it more robust, you would need to verify that the certificates are not revoked. The two ways of doing this are to either download Certificate Revocation Lists (this is not practical for the number of CAs which issue CAC certificates), or use OCSP responders. I personally have not done revocation checks with HTTPD (only in the Java world and programmatically), but there is a section in the above documentation which covers OCSP. Again, you might not need it depending on your project.
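A more robust variant of the VirtualHost above, added here as an illustration and not taken from the original answer or from the Apache documentation: it turns on OCSP checking for the client certificate chain and exports the verified certificate fields to the application. The file paths, the verify depth and the TLS versions are assumptions for a typical CAC deployment, where the client certificate is issued by an intermediate CA rather than directly by a root.

```apache
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # server certificate and private key (assumed paths)
    SSLCertificateFile    "/etc/pki/tls/certs/www.example.com.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/www.example.com.key"

    # trust store: the root CA(s) and every intermediate CA that issues CAC
    # certificates, concatenated into one PEM bundle (assumed path).
    # CAC chains are root -> intermediate -> user, so a depth of 1 is not
    # enough; the depth here is an assumption generous enough for such chains.
    SSLCACertificateFile "/etc/pki/tls/certs/cac-trust-bundle.pem"
    SSLVerifyClient require
    SSLVerifyDepth 4

    # revocation: contact the OCSP responder named in each certificate's
    # Authority Information Access extension. With this enabled, an
    # unreachable responder or a "revoked" answer makes the handshake fail.
    SSLOCSPEnable on
    SSLOCSPResponderTimeout 10

    # alternative or supplement: a locally maintained CRL bundle checked for
    # the whole chain, not only the leaf (assumed path, commented out)
    # SSLCARevocationFile  "/etc/pki/tls/crls/cac-crls.pem"
    # SSLCARevocationCheck chain

    <Location "/">
        # expose SSL_CLIENT_S_DN, SSL_CLIENT_I_DN, SSL_CLIENT_M_SERIAL and
        # the PEM certificate to the application as environment variables
        SSLOptions +StdEnvVars +ExportCertData
        # belt and braces: only serve content when verification succeeded
        Require expr %{SSL_CLIENT_VERIFY} == "SUCCESS"
    </Location>
</VirtualHost>
```

With SSLVerifyClient set to require, a browser that holds no acceptable certificate (or a card that is not inserted) never gets past the handshake, so the application only ever sees requests carrying an already verified identity.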