
Apache - Client Certificates


Is the purpose of the client certification process just to prove that the CA you have in SSLCACertificateFile (in the conf file) has vouched for the client? If the CA is a well known CA then anyone who has their public cert signed by that CA can pass through as a valid client? A bit confused about this whole client authentication thing.


Solution

  • Yes, but:

    1. In a private setup, for example, you could just as well use a private internal CA, so you would control who gets certificates and who does not.
    2. Look at the SSLOptions directive; the FakeBasicAuth option can help in some cases.
    3. And more generally, you have the SSLRequire directive, with which you can restrict access based on any component of the presented certificate, such as its CN.

    Example given in the documentation:

    SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/                   \
                and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd."          \
                and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}    \
                and %{TIME_WDAY} -ge 1 and %{TIME_WDAY} -le 5          \
                and %{TIME_HOUR} -ge 8 and %{TIME_HOUR} -le 20       ) \
               or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
    

    Note that SSLRequire is now deprecated in favor of Require, which is almost a strict superset of it. https://httpd.apache.org/docs/2.4/expr.html has the details on what you can test, and the beginning of https://httpd.apache.org/docs/2.4/mod/mod_ssl.html lists all the "SSL" variables you can test, such as:

    SSL_CLIENT_M_SERIAL     string  The serial of the client certificate
    SSL_CLIENT_S_DN     string  Subject DN in client's certificate
    SSL_CLIENT_S_DN_x509    string  Component of client's Subject DN
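The same policy written with the non-deprecated Require directive and ap_expr syntax, as an added example that is not part of the original answer or the Apache documentation; the file paths, the "internal CA" file, the /staff location and the DN values are assumptions:

```apache
# Added example, not from the original answer: the SSLRequire block above
# rewritten for Apache 2.4 "Require expr". All paths and the organisation
# values are placeholders; replace them with your own.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile      /etc/ssl/example/server.crt
    SSLCertificateKeyFile   /etc/ssl/example/server.key

    # Only client certificates chaining to this private, internal CA are
    # accepted at all; a cert from any other CA fails the handshake.
    SSLCACertificateFile    /etc/ssl/example/internal-ca.crt
    SSLVerifyDepth          1

    <Location "/staff">
        # Demand a client certificate and verify it against the CA above.
        SSLVerifyClient require

        # Authorization on top of "signed by our CA": who the cert belongs
        # to, which cipher was negotiated, and when/where the request comes from.
        <RequireAny>
            <RequireAll>
                Require expr %{SSL_CLIENT_VERIFY} == "SUCCESS"
                Require expr %{SSL_CIPHER} !~ m/^(EXP|NULL)-/
                Require expr %{SSL_CLIENT_S_DN_O} == "Snake Oil, Ltd."
                Require expr %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"}
                Require expr %{TIME_WDAY} -ge 1 && %{TIME_WDAY} -le 5
                Require expr %{TIME_HOUR} -ge 8 && %{TIME_HOUR} -le 20
            </RequireAll>
            # Alternative path: requests from the internal network range.
            Require expr %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
        </RequireAny>
    </Location>
</VirtualHost>
```

The SSL_CLIENT_VERIFY check is redundant with SSLVerifyClient require but keeps the rule safe if someone later relaxes it to optional, where a request without a valid client certificate would otherwise still reach the authorization stage.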