Web Servers


Nginx Client Certificate Authentication

Server Side: Generate CA key and certificate (5y expiry):

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 1825 -key ca.key -out ca.crt

Client Side: Generate key and CSR:

openssl genrsa -des3 -out user.key 4096
openssl req -new -key user.key -out user.csr

Server Side: Sign user CSR, creating a signed client certificate (1y expiry):

openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt

(notice -set_serial: increment at renewal)

Optionally the user can create a PFX file (bundle of user key, cert and ca cert):

openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt
Nginx Configuration

Enable client certificate verification:

server {
  ssl_verify_client on;
  ssl_client_certificate /etc/nginx/client_certs/ca.crt;

...self-proclaimed Internet Enthusiast!