|
|
@@ -1,15 +1,24 @@ |
|
|
# Client-side SSL |
|
|
|
|
|
For excessively paranoid client authentication. |
|
|
|
|
|
## Using self-signed certificate. |
|
|
## Using a Central Certificate Authority |
|
|
|
|
|
See other tutorials. |
|
|
|
|
|
## Self-Signed Certificate |
|
|
|
|
|
With a self-signed certicate, the clients will also want to install the custom certificate authority in their browsers/key managers. |
|
|
|
|
|
### Create a Certificate Authority root (which represents this server) |
|
|
|
|
|
Organization & Common Name: Some human identifier for this server CA. |
|
|
|
|
|
openssl genrsa -des3 -out ca.key 4096 |
|
|
openssl req -new -x509 -days 365 -key ca.key -out ca.crt |
|
|
|
|
|
### Create the Client Key and Certificate Signing Request (CSR) |
|
|
|
|
|
### Create the Client Key and CSR |
|
|
Organization & Common Name = Person name |
|
|
|
|
|
openssl genrsa -des3 -out client.key 4096 |
|
|
@@ -18,33 +27,47 @@ Organization & Common Name = Person name |
|
|
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt |
|
|
|
|
|
#### Convert Client Key to PKCS |
|
|
So that it may be installed in most browsers. |
|
|
|
|
|
So that it may be installed in most browsers/key managers. Export password is recommended as some key managers won't accept keys with no password. |
|
|
|
|
|
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 |
|
|
|
|
|
#### Convert Client Key to (combined) PEM |
|
|
|
|
|
Combines `client.crt` and `client.key` into a single PEM file for programs using openssl. |
|
|
|
|
|
openssl pkcs12 -in client.p12 -out client.pem -clcerts |
|
|
|
|
|
## Install Certificate Authority on client devices (OS or browser) |
|
|
|
|
|
Copy `ca.crt` for the user, have them install and trust it. |
|
|
|
|
|
### Install Client Key on client device (OS or browser) |
|
|
|
|
|
Use `client.p12`. Actual instructions vary. |
|
|
|
|
|
### Install CA cert on nginx |
|
|
So that the Web server knows to ask for (and validate) a user's Client Key |
|
|
against the internal CA certificate. |
|
|
|
|
|
So that the Web server knows to ask for (and validate) a user's Client Key against the internal CA certificate. |
|
|
|
|
|
ssl_client_certificate /path/to/ca.crt; |
|
|
ssl_verify_client optional; # or `on` if you require client key |
|
|
|
|
|
Configure nginx to pass the authentication data to the backend application: |
|
|
### Filter by Client Certificate Serial (optional) |
|
|
|
|
|
Find the certificate serial number: |
|
|
|
|
|
$ openssl x509 -in client.crt -serial -noout |
|
|
serial=CLIENT-CERT-SN |
|
|
|
|
|
Add to nginx in the `server` block: |
|
|
|
|
|
if ($ssl_client_serial != "CLIENT-CERT-SN") { |
|
|
return 403; |
|
|
} |
|
|
|
|
|
* [Client Side Certificate Auth in Nginx](http://blog.nategood.com/client-side-certificate-authentication-in-ngi), section “Passing to PHP.” |
|
|
* [SSL module documentation](http://wiki.nginx.org/NginxHttpSslModule) |
|
|
See the nginx manual for other SSL parameters available for filtering. |
|
|
|
|
|
## Other Sources |
|
|
|
|
|
## Using CACert Keys |
|
|
* Get [client key from CACert](https://www.cacert.org/account.php?id=36) |
|
|
* Install client key in client device. |
|
|
* Install [CACert root certs](https://www.cacert.org/index.php?id=3) in server and client device. |
|
|
* Configure nginx, as above. |
|
|
* [HOWTO: Client side certificate auth with Nginx](http://rynop.wordpress.com/2012/11/26/howto-client-side-certificate-auth-with-nginx/) |