Skip to content

Instantly share code, notes, and snippets.

@openfirmware
Forked from mtigas/gist:952344
Last active August 29, 2015 14:01

Revisions

  1. openfirmware revised this gist May 27, 2014. 1 changed file with 36 additions and 13 deletions.
    49 changes: 36 additions & 13 deletions gistfile1.md
    Original file line number Diff line number Diff line change
    @@ -1,15 +1,24 @@
    # Client-side SSL

    For excessively paranoid client authentication.

    ## Using self-signed certificate.
    ## Using a Central Certificate Authority

    See other tutorials.

    ## Self-Signed Certificate

    With a self-signed certicate, the clients will also want to install the custom certificate authority in their browsers/key managers.

    ### Create a Certificate Authority root (which represents this server)

    Organization & Common Name: Some human identifier for this server CA.

    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt

    ### Create the Client Key and Certificate Signing Request (CSR)

    ### Create the Client Key and CSR
    Organization & Common Name = Person name

    openssl genrsa -des3 -out client.key 4096
    @@ -18,33 +27,47 @@ Organization & Common Name = Person name
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

    #### Convert Client Key to PKCS
    So that it may be installed in most browsers.

    So that it may be installed in most browsers/key managers. Export password is recommended as some key managers won't accept keys with no password.

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

    #### Convert Client Key to (combined) PEM

    Combines `client.crt` and `client.key` into a single PEM file for programs using openssl.

    openssl pkcs12 -in client.p12 -out client.pem -clcerts

    ## Install Certificate Authority on client devices (OS or browser)

    Copy `ca.crt` for the user, have them install and trust it.

    ### Install Client Key on client device (OS or browser)

    Use `client.p12`. Actual instructions vary.

    ### Install CA cert on nginx
    So that the Web server knows to ask for (and validate) a user's Client Key
    against the internal CA certificate.

    So that the Web server knows to ask for (and validate) a user's Client Key against the internal CA certificate.

    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client optional; # or `on` if you require client key

    Configure nginx to pass the authentication data to the backend application:
    ### Filter by Client Certificate Serial (optional)

    Find the certificate serial number:

    $ openssl x509 -in client.crt -serial -noout
    serial=CLIENT-CERT-SN

    Add to nginx in the `server` block:

    if ($ssl_client_serial != "CLIENT-CERT-SN") {
    return 403;
    }

    * [Client Side Certificate Auth in Nginx](http://blog.nategood.com/client-side-certificate-authentication-in-ngi), section “Passing to PHP.”
    * [SSL module documentation](http://wiki.nginx.org/NginxHttpSslModule)
    See the nginx manual for other SSL parameters available for filtering.

    ## Other Sources

    ## Using CACert Keys
    * Get [client key from CACert](https://www.cacert.org/account.php?id=36)
    * Install client key in client device.
    * Install [CACert root certs](https://www.cacert.org/index.php?id=3) in server and client device.
    * Configure nginx, as above.
    * [HOWTO: Client side certificate auth with Nginx](http://rynop.wordpress.com/2012/11/26/howto-client-side-certificate-auth-with-nginx/)
  2. @mtigas mtigas created this gist May 2, 2011.
    50 changes: 50 additions & 0 deletions gistfile1.md
    Original file line number Diff line number Diff line change
    @@ -0,0 +1,50 @@
    # Client-side SSL
    For excessively paranoid client authentication.

    ## Using self-signed certificate.
    ### Create a Certificate Authority root (which represents this server)
    Organization & Common Name: Some human identifier for this server CA.

    openssl genrsa -des3 -out ca.key 4096
    openssl req -new -x509 -days 365 -key ca.key -out ca.crt


    ### Create the Client Key and CSR
    Organization & Common Name = Person name

    openssl genrsa -des3 -out client.key 4096
    openssl req -new -key client.key -out client.csr
    # self-signed
    openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

    #### Convert Client Key to PKCS
    So that it may be installed in most browsers.

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

    #### Convert Client Key to (combined) PEM
    Combines `client.crt` and `client.key` into a single PEM file for programs using openssl.

    openssl pkcs12 -in client.p12 -out client.pem -clcerts

    ### Install Client Key on client device (OS or browser)
    Use `client.p12`. Actual instructions vary.

    ### Install CA cert on nginx
    So that the Web server knows to ask for (and validate) a user's Client Key
    against the internal CA certificate.

    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client optional; # or `on` if you require client key

    Configure nginx to pass the authentication data to the backend application:

    * [Client Side Certificate Auth in Nginx](http://blog.nategood.com/client-side-certificate-authentication-in-ngi), section “Passing to PHP.”
    * [SSL module documentation](http://wiki.nginx.org/NginxHttpSslModule)


    ## Using CACert Keys
    * Get [client key from CACert](https://www.cacert.org/account.php?id=36)
    * Install client key in client device.
    * Install [CACert root certs](https://www.cacert.org/index.php?id=3) in server and client device.
    * Configure nginx, as above.