mod_ssl does not accept expired client certificates even if the SSLVerifyClient directive is set to "optional_no_ca". Self-signed certificates are accepted, but expired certificates are not. IMHO this doesn't match the description in the official manual and is thus a bug: "optional_no_ca: the client may present a valid Certificate but it need not to be (successfully) verifiable" https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient