Web Servers
Nginx
Nginx Client Certificate Authentication
Server Side: Generate CA key and certificate (5y expiry):
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt
Client Side: Generate key and CSR:
openssl genrsa -des3 -out user.key 4096
openssl req -new -key user.key -out user.csr
Server Side: Sign user CSR, creating a signed client certificate (1y expiry):
openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt
(note -set_serial: a CA must never issue two certificates with the same serial number, so increment it at each renewal, or use -CAcreateserial instead, which keeps a counter in ca.srl and does this for you)
Optionally the user can create a PFX (PKCS#12) file bundling the user key, the user certificate and the CA certificate, which is the format browsers and most clients import:
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt
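The whole procedure above as a non-interactive script, added here as an example and not part of the original page. It assumes openssl is on PATH, uses placeholder passphrases and CNs, and writes everything to a fresh temporary directory (override with CERT_DIR). It goes slightly beyond the page's steps: keys are encrypted with -aes256 rather than -des3, -CAcreateserial replaces the hand-incremented -set_serial, and a second "rogue" CA is generated to show that a certificate not chaining to ca.crt fails the same check nginx applies.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes openssl on PATH.
# Passphrases and subject names are placeholders for the demo only.
set -eu

CERT_DIR="${CERT_DIR:-$(mktemp -d)}"
CA_PASS="${CA_PASS:-ca-demo-passphrase}"       # placeholder, not a real secret
USER_PASS="${USER_PASS:-user-demo-passphrase}" # placeholder, not a real secret

# Step 1 (server side): CA key + self-signed CA cert, 5y expiry. $1 = CA file stem.
make_ca() {
    ca="$1"
    mkdir -p "$CERT_DIR"
    openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$CERT_DIR/$ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 1825 -key "$CERT_DIR/$ca.key" -passin "pass:$CA_PASS" \
        -subj "/CN=$ca" -out "$CERT_DIR/$ca.crt"
}

# Step 2 (client side): user key + CSR. $1 = user name, used as CN and file stem.
make_csr() {
    cn="$1"
    openssl genrsa -aes256 -passout "pass:$USER_PASS" -out "$CERT_DIR/$cn.key" 4096 2>/dev/null
    openssl req -new -key "$CERT_DIR/$cn.key" -passin "pass:$USER_PASS" \
        -subj "/CN=$cn" -out "$CERT_DIR/$cn.csr"
}

# Step 3 (server side): sign CSR $1 with CA $2, 1y expiry. -CAcreateserial keeps
# a $ca.srl counter file, so every issued cert gets a fresh serial without
# hand-editing -set_serial at each renewal.
sign_csr() {
    cn="$1"; ca="$2"
    openssl x509 -req -days 365 -in "$CERT_DIR/$cn.csr" \
        -CA "$CERT_DIR/$ca.crt" -CAkey "$CERT_DIR/$ca.key" -passin "pass:$CA_PASS" \
        -CAcreateserial -out "$CERT_DIR/$cn.crt"
}

# Optional: PKCS#12 bundle (key + cert + CA cert) for browsers or curl --cert-type P12.
make_pfx() {
    cn="$1"
    openssl pkcs12 -export -inkey "$CERT_DIR/$cn.key" -passin "pass:$USER_PASS" \
        -in "$CERT_DIR/$cn.crt" -certfile "$CERT_DIR/ca.crt" \
        -passout "pass:$USER_PASS" -out "$CERT_DIR/$cn.pfx"
}

# Check: does cert $1 chain to CA $2? This is the same trust test nginx applies
# against the file given to ssl_client_certificate. Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$CERT_DIR/$2.crt" "$CERT_DIR/$1.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Check: hex serial of cert $1, to confirm no two issued certs share one.
cert_serial() {
    openssl x509 -in "$CERT_DIR/$1.crt" -noout -serial | sed 's/^serial=//'
}

main() {
    make_ca ca                                  # the CA nginx will trust
    make_csr alice; sign_csr alice ca; make_pfx alice
    make_csr bob;   sign_csr bob   ca
    make_ca rogue                               # a different CA: its certs must be rejected
    make_csr mallory; sign_csr mallory rogue
    echo "alice   vs ca: $(verify_chain alice ca)"    # OK
    echo "bob     vs ca: $(verify_chain bob ca)"      # OK
    echo "mallory vs ca: $(verify_chain mallory ca)"  # FAIL
    echo "alice serial $(cert_serial alice), bob serial $(cert_serial bob)"
    echo "files written to $CERT_DIR"
}
main
```

The three verify_chain lines are the check to run before restarting nginx: a client certificate that prints FAIL here will be refused by ssl_verify_client no matter what the browser shows. Key generation at 4096 bits takes a few seconds per key.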
Nginx Configuration
Enable client certificate verification. With ssl_verify_client on, any client that does not present a certificate chaining to ca.crt is refused at the TLS layer; nginx answers such requests with a 400 ("No required SSL certificate was sent" or "The SSL certificate error"). The server block must of course already be listening with ssl and its own ssl_certificate / ssl_certificate_key:
server {
..
ssl_verify_client on;
ssl_client_certificate /etc/nginx/client_certs/ca.crt;
..
}
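A fuller server block, added here as an example and not taken from the original page, showing the ssl_verify_client optional variant: the handshake completes even without a client certificate, so the request can be rejected with a clean 403 and logged, and the authenticated client's identity can be passed to the application. The server_name, certificate paths and upstream address are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.internal;                # placeholder

    ssl_certificate     /etc/nginx/server.crt;   # server's own cert/key, placeholder paths
    ssl_certificate_key /etc/nginx/server.key;

    # Clients must present a certificate chaining to this CA.
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
    # Leaf signed directly by ca.crt, as in the openssl procedure above.
    ssl_verify_depth 1;
    # "optional": finish the handshake without a cert and decide below;
    # "on" would reject such clients with a 400 before any location runs.
    ssl_verify_client optional;

    location / {
        # $ssl_client_verify is SUCCESS, NONE, or FAILED:<reason>.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # Identity of the verified client for the application's own authz.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Serial $ssl_client_serial;
        proxy_pass http://127.0.0.1:8080;          # placeholder upstream
    }
}
```

Whichever mode is used, revocation is not handled by the CA certificate alone: to refuse an issued certificate before its 1y expiry, publish a CRL from ca.key and point ssl_crl at it, which is where the unique serial numbers from signing become important.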