Mini tutorial for configuring client-side SSL certificates.

gistfile1.md

Client-side SSL

For excessively paranoid client authentication.

Using self-signed certificate.

Create a Certificate Authority root (which represents this server)

Organization & Common Name: Some human identifier for this server CA.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create the Client Key and CSR

Organization & Common Name = Person name

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
# self-signed
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Convert Client Key to PKCS

So that it may be installed in most browsers.

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Convert Client Key to (combined) PEM

Combines client.crt and client.key into a single PEM file for programs using openssl.

openssl pkcs12 -in client.p12 -out client.pem -clcerts

Install Client Key on client device (OS or browser)

Use client.p12. Actual instructions vary.

Install CA cert on nginx

So that the Web server knows to ask for (and validate) a user's Client Key against the internal CA certificate.

ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional; # or `on` if you require client key

Configure nginx to pass the authentication data to the backend application:

• Client Side Certificate Auth in Nginx, section “Passing to PHP.”
• SSL module documentation

Using CACert Keys

• Get client key from CACert
• Install client key in client device.
• Install CACert root certs in server and client device.
• Configure nginx, as above.

Top tip for those signing client certs with an intermediary CA, you must cat rootca.pem >> intermediaryca.pem else nginx will return a very unhelpful 400 error.

Thank you, this helped me after a lot of searching.

Hello, I use Nginx as reverse http proxy to more than one web servers. I need to configure the client certificate-based authentication only for some locations, not all the locations configured in nginx.

How can I do?
Can I put the lines:

ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional;

inside the "location" definition?

Thnks a lot, regards
Luca

@lucdig, those lines belong to the server block along wih another SSL directives: https://gist.github.com/konklone/6532544

@lucdig SSL handshaking occurs prior to the server knowing any details about the request, so it will be a global rather than specific to a particular location.

Issues:

1. One client certificate could be used for multiple users ? ( Distribute the client certificate to multiple user)
2. If i want to let every user to use unique client certificate, I have to generate a client certificate for every user ?

@lucdig @jhmartin RFC 5746 specifies extensions to TLS that allow secure renegotiation, so it's not quite correct to say that requiring client certs must happen at the global level. Apache, for example can require client certs on a per-location basis. That said, nginx does not, and will not for the foreseeable future. The feature has been previously requested and categorized as 'wontfix'; see https://trac.nginx.org/nginx/ticket/317 and https://trac.nginx.org/nginx/ticket/498

@risacher @lucdig @jhmartin it is however pretty easy to simply set ssl verification to optional and then just error unauthenticated users under certain locations while allowing them anywhere else.

Thanks for the instructions.
I had to use client.pem for it to work.

ssl_client_certificate /path/to/client.pem;
ssl_verify_client optional; # or `on` if you require client key

It works as expected. I used client.pfx instead of client.p12. Also, I used this with a Dropwizard framework, I generated a .jks file from .pfx file using the next command:

keytool -importkeystore -srckeystore client.pfx \
        -srcstoretype PKCS12 \
        -destkeystore client.jks \
        -deststoretype JKS

Thank you, this helped me after a lot of searching.

Hey guys,
I would like to repeat the question asked by @developerworks
Is it possible to have different client certificates for one and the same server certificate? They could get for example a different CN to identify each user respectively.
Is a setup like this possible?
Kind regards,
RSchlenker

Thank you, this helped me after a lot of searching.

Thanks, this was very useful! 👍

Works like a charm!

what's the openssl API to ask for client side certificates from the server application. As I understand, client side authentication will not take place until server explicitly asks for it using the CertificateRequest message

You are awesome 👍

@jacobalberty do you have an example of how to check verification in locations with nginx?

Here is a helpful command to figure out if the client certificate will verify correctly: openssl verify -verbose -CAfile ca.crt client.crt

Also, if you get error 18 at 0 depth lookup: self signed certificate it's due to the fact that you use the same Organization Name for both your ca and your client certificate.

Hi there, what if I want to use Burpsuite to proxy the app's traffic which is using two way of https auth?

I can get client.p12 and trust.bks from the apk files, but can't import the client.p12 into Burpsuite.

• I got "unable to retrive certificate" error when adding Client SSL Certificate to burp's user option.
• I got "java.util.NoSuchElementException" error when import CA certificate to burp's proxy listener
• For the above actions, I'm just using the client.p12 exported from jeb 2.2.5

Any guidance?

hi @storrgie

@jacobalberty do you have an example of how to check verification in locations with nginx?

See https://serverfault.com/a/639249/188143 and https://stackoverflow.com/a/36067338/1009249

Client Side Certificate Auth in Nginx, section “Passing to PHP.”

This link gives 404

Thank you for this tutorial. In Create a Certificate Authority root you write "because genrsa doesn't work without a password of at least 4 characters". That's not exactly true (although I thought this also for a while).

What needs the password is the -aes256 parameter, that leads to an encrypted key. If you leave this parameter out, you get an unencrypted key the same way you get after using the 2nd command (i.e. openssl rsa -passin pass:xxxx -in ca.pass.key -out ca.key).

concise and helpful. Right to the point. Many thanks for this

Thank you so much!

I'am trying to connect to a MariaDB instance hosted on AWS RDS, my application requires ca.pem, client-cert.pem and client-key.pem, and Amazon only gives me a rds-combined-ca-bundle.pem

I don't know much about TLS. I need to generate those files?

When I follow the Create the Client Key and CSR it outputs:
CA certificate and CA private key do not match

${CLIENT_ID}.key is equivalent to client-key.pem?
${CLIENT_ID}.csr is equivalent to client-cert.pem?

Any one can give me a light?

It needs a lot of time spent + expertise to be able to tackle something as cryptic (for me) as creating own chain of certificates and present it in such a plain way :) thanks for the hard work - worked like a charm for internal UCP

Helpfull, thanks.

I suggest using -CAserial file instead of -set_serial which will eventually get out of sync.

This has got to be one of the best examples I have read, but I am still getting an error:
2021/04/28 20:35:52 [info] 792584#792584: *1 SSL_do_handshake() failed (SSL: error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca:SSL alert number 48) while SSL handshaking, client: 11.65.81.90, server: 111.166.22.84:8883

I am using with mqtt, and I used the pem file 01-alice.full.pem to sign rather than supplying CAFile, key and crt as I used to