Mini tutorial for configuring client-side SSL certificates.

Client-side SSL

For excessively paranoid client authentication.

Using a self-signed CA certificate.

Create a Certificate Authority root (which represents this server)

Organization & Common Name: Some human identifier for this server CA.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create the Client Key and CSR

Organization & Common Name = Person name

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
# signed by the CA created above (CA-signed, not self-signed)
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Convert Client Key to PKCS#12

So that it may be installed in most browsers.

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Convert Client Key to (combined) PEM

Combines client.crt and client.key into a single PEM file for programs using openssl.

openssl pkcs12 -in client.p12 -out client.pem -clcerts
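The whole CA and client-certificate procedure above, as an added example (not the gist's own commands), run end to end without interactive prompts and followed by the check a practitioner wants before touching nginx: does client.crt actually chain to ca.crt? The subject names, passphrases and output directory are constructed placeholders, and -aes256 is used in place of the gist's -des3 key encryption. The last two helpers print the subject DN and SHA-1 fingerprint, which are the same values nginx later exposes as $ssl_client_s_dn and $ssl_client_fingerprint (nginx formats the fingerprint as bare lowercase hex, openssl as colon-separated uppercase).

```shell
#!/bin/sh
# Added example, not the gist's own commands: the CA + client certificate
# procedure, non-interactive, plus verification of the result.
set -eu

CA_PASS='ca-passphrase-placeholder'          # constructed; do not hard-code in production
CLIENT_PASS='client-passphrase-placeholder'  # constructed; also used as the PKCS#12 export password
KEY_BITS="${KEY_BITS:-4096}"                 # 4096 as in the gist; lower only for quick tests

# Build ca.key/ca.crt and client.key/csr/crt/p12/pem inside directory $1.
# The body runs in a subshell so the cd does not leak into the caller.
make_client_pki() (
  cd "$1"

  # 1. CA root: passphrase-protected key plus a self-signed CA certificate.
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out ca.key "$KEY_BITS" 2>/dev/null
  openssl req -new -x509 -days 365 -key ca.key -passin "pass:$CA_PASS" \
    -subj '/O=Example Org/CN=Example Org Client CA' -out ca.crt

  # 2. Client key and CSR; the CN names the person.
  openssl genrsa -aes256 -passout "pass:$CLIENT_PASS" -out client.key "$KEY_BITS" 2>/dev/null
  openssl req -new -key client.key -passin "pass:$CLIENT_PASS" \
    -subj '/O=Example Org/CN=Jane Example' -out client.csr

  # 3. Sign the CSR with the CA. The result is CA-signed, not self-signed.
  openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key \
    -passin "pass:$CA_PASS" -set_serial 01 -out client.crt 2>/dev/null

  # 4. PKCS#12 bundle for browser/OS import (-passout sets the export password).
  openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
    -passin "pass:$CLIENT_PASS" -passout "pass:$CLIENT_PASS" -out client.p12

  # 5. Combined PEM (certificate + encrypted key) for openssl-based programs.
  openssl pkcs12 -in client.p12 -clcerts -out client.pem \
    -passin "pass:$CLIENT_PASS" -passout "pass:$CLIENT_PASS"
)

# Does client.crt chain to ca.crt? Prints "<path>/client.crt: OK" and exits 0 on success,
# non-zero otherwise (e.g. if the wrong CA file is handed to nginx later).
verify_client_cert() {
  openssl verify -CAfile "$1/ca.crt" "$1/client.crt"
}

# Subject DN, the value nginx passes on as $ssl_client_s_dn.
client_subject() {
  openssl x509 -in "$1/client.crt" -noout -subject
}

# SHA-1 fingerprint, the digest nginx exposes as $ssl_client_fingerprint.
client_fingerprint() {
  openssl x509 -in "$1/client.crt" -noout -fingerprint -sha1
}

# Stand-alone run: everything goes into the directory given as $1, or a fresh temp dir.
OUT="${1:-$(mktemp -d)}"
make_client_pki "$OUT"
verify_client_cert "$OUT"
client_subject "$OUT"
client_fingerprint "$OUT"
```

Run it as `sh make-client-pki.sh ./out` (script name assumed); client.p12 is what gets imported into the browser, and `verify_client_cert` is the same chain check nginx performs during the handshake, so a failure here predicts a handshake failure there.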

Install Client Key on client device (OS or browser)

Use client.p12. Actual instructions vary.

Install CA cert on nginx

So that the Web server knows to ask for (and validate) a user's Client Key against the internal CA certificate.

ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional; # or `on` to require a client certificate for every connection

Configure nginx to pass the authentication data to the backend application:
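The following server block is an added example, not the gist's own configuration: it shows the verification directives in context, forwards the verification result to the backend, and uses the pattern discussed in the comments (verification `optional` at the TLS level, enforcement per location) since nginx cannot require client certificates for only some locations. The server name, certificate paths and upstream address are assumed.

```nginx
upstream backend {
    server 127.0.0.1:8080;                  # assumed backend address
}

server {
    listen 443 ssl;
    server_name example.internal;           # assumed

    ssl_certificate     /path/to/server.crt;   # the server's own certificate and key (assumed paths)
    ssl_certificate_key /path/to/server.key;

    # CA used to validate client certificates. If an intermediate CA signs
    # the client certificates, this file must contain root and intermediate
    # concatenated, and ssl_verify_depth must cover the longer chain
    # (the default depth is 1).
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client optional;
    ssl_verify_depth 2;

    # Hand the verification outcome to the application. proxy_set_header
    # replaces any header of the same name sent by the client, so the
    # backend may trust these only if it is reachable solely through nginx.
    proxy_set_header X-SSL-Client-Verify      $ssl_client_verify;      # SUCCESS, FAILED:<reason>, or NONE
    proxy_set_header X-SSL-Client-S-DN        $ssl_client_s_dn;
    proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;

    # Reachable with or without a client certificate.
    location / {
        proxy_pass http://backend;
    }

    # Per-location enforcement: the handshake already happened with
    # verification optional, so reject here unless it succeeded.
    location /admin/ {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://backend;
    }
}
```

With `ssl_verify_client optional`, a user without a certificate still completes the handshake and reaches `/`, while `/admin/` returns 403 for anything other than a certificate that chained to the configured CA; the backend sees the same decision in the `X-SSL-Client-Verify` header and can log or authorize on the DN and fingerprint.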

Using CACert Keys


Top tip for those signing client certs with an intermediary CA, you must cat rootca.pem >> intermediaryca.pem else nginx will return a very unhelpful 400 error.


Thank you, this helped me after a lot of searching.


Hello, I use Nginx as reverse http proxy to more than one web servers. I need to configure the client certificate-based authentication only for some locations, not all the locations configured in nginx.

How can I do?
Can I put the lines:

ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional;

inside the "location" definition?

Thanks a lot, regards


@lucdig, those lines belong to the server block along with the other SSL directives:


@lucdig SSL handshaking occurs prior to the server knowing any details about the request, so it will be a global rather than specific to a particular location.



1. Could one client certificate be used for multiple users? (Distribute the client certificate to multiple users)

2. If I want to let every user use a unique client certificate, do I have to generate a client certificate for every user?


@lucdig @jhmartin RFC 5746 specifies extensions to TLS that allow secure renegotiation, so it's not quite correct to say that requiring client certs must happen at the global level. Apache, for example can require client certs on a per-location basis. That said, nginx does not, and will not for the foreseeable future. The feature has been previously requested and categorized as 'wontfix'; see and


@risacher @lucdig @jhmartin it is however pretty easy to simply set ssl verification to optional and then just error unauthenticated users under certain locations while allowing them anywhere else.
