Взято и обработано: http://www.gentoo.ru/content/kak-v-apache-otkazat-polzovatelyu-ne-imeyushchemu-klyucha-ssl

httpd.conf

# require a client certificate which has to be directly
# signed by our CA certificate in ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
SSLCACertificateFile conf/ssl.crt/ca.crt

SSLVerifyClient require
SSLVerifyDepth 10

Собственно нашел в гугле за 2 минуты - http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html