To use client-certificate-based authentication for your repository, first set up a generic depot server Apache configuration as described in "Depot Server Apache Configuration". Then add the following SSL configuration at the end of your httpd.conf file:
# HTTPS front end for an IPS depot: terminates TLS, optionally verifies a
# client certificate, and proxies /repo to the depot only for clients whose
# certificate verified successfully.
# NOTE(review): the directives and links below follow the Apache 2.2
# documentation. In Apache 2.4, SSLRequire is deprecated in favour of
# "Require expr", and SSLCertificateChainFile is obsolete from 2.4.8 on
# (intermediates can go into SSLCertificateFile) - confirm against the
# httpd version you deploy.

# Let Apache listen on the standard HTTPS port
Listen 443
# VirtualHost configuration for requests on port 443 (all IPv4 interfaces)
<VirtualHost 0.0.0.0:443>
# DNS domain name of the server; it needs to match the name in your server
# certificate, otherwise clients will reject the connection.
ServerName pkg-sec.example.com
# Enable SSL/TLS for this virtual host
SSLEngine On
# Location of the server certificate and key.
# You either have to get one from a certificate signing authority like
# VeriSign or create your own CA for testing purposes (see "Creating a
# Self-Signed CA for Testing Purposes").
# The key file is the server's private key: keep it readable only by root
# or the account that starts httpd.
SSLCertificateFile /path/to/server.crt
SSLCertificateKeyFile /path/to/server.key
# Intermediate CA certificate file. Required if your server certificate
# is not signed by a top-level CA directly but by an intermediate authority.
# Comment out this directive if you are using a test certificate or your
# server certificate doesn't require it.
# For more info:
# http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile
SSLCertificateChainFile /path/to/ca_intermediate.pem
# CA certs for client verification.
# This is where the CA certificate created in step 3 needs to go.
# If you have multiple CAs for multiple repos, just concatenate the
# CA certificate files.
# Every CA listed here is trusted for client verification on the whole
# VirtualHost. With requirement variant (b) below, a certificate signed by
# any of them is accepted, so use variant (a) to keep repos separate.
SSLCACertificateFile /path/to/ca_cert.pem
# If the client presents a certificate, verify it here. If it doesn't,
# ignore.
# This is required to be able to use client-certificate based and
# anonymous SSL traffic on the same VirtualHost.
# Because verification is only optional, the access decision is made by
# the SSLRequire inside each <Location>; a location without one is served
# to clients that present no certificate.
# This statement could also go into the <Location> tags but putting it
# here avoids re-negotiation, which can cause security issues with older
# servers/clients (the TLS renegotiation flaw, now listed as CVE-2009-3555):
# http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2009-3555
SSLVerifyClient optional
<Location /repo>
# Depth 1: the client certificate must be signed by a CA that is directly
# known to the server (listed in SSLCACertificateFile); chains that go
# through an intermediate client CA are rejected.
SSLVerifyDepth 1
# This is the SSL requirement for this location.
# Requirements can be made based on various information encoded
# in the certificate. Two variants are the most useful for use
# with IPS repositories:
# a) SSLRequire ( %{SSL_CLIENT_I_DN_CN} =~ m/reponame/ )
# only allow access if the CN of the certificate's *issuer* (the CA that
# signed the client certificate) matches "reponame"; useful when each
# repo has its own CA. SSL_CLIENT_I_DN_CN is the issuer CN, not the
# client's own CN (that is SSL_CLIENT_S_DN_CN).
# The pattern is an unanchored regular expression, so "reponame" also
# matches any CN that merely contains it; anchor it (m/^reponame$/) to
# require an exact match.
#
# b) SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
# grant access if the client's certificate is signed by one of the
# CAs specified in SSLCACertificateFile
SSLRequire ( %{SSL_CLIENT_VERIFY} eq "SUCCESS" )
# Proxy requests to the depot running at internal.example.com:12345.
# "nocanon" passes the URL path to the backend without canonicalisation,
# "max=500" caps the number of backend connections.
# The hop to the depot is plain HTTP and carries no client identity, so
# the certificate check exists only on this proxy: make sure the depot
# port accepts connections from this server only (bind address or
# firewall), otherwise clients that can reach it directly bypass the
# check.
ProxyPass http://internal.example.com:12345 nocanon max=500
</Location>
</VirtualHost>