For excessively paranoid client authentication.
See other tutorials.
With a self-signed certicate, the clients will also want to install the custom certificate authority in their browsers/key managers.
Organization & Common Name: Some human identifier for this server CA.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Organization & Common Name = Person name
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
# self-signed
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
So that it may be installed in most browsers/key managers. Export password is recommended as some key managers won't accept keys with no password.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Combines client.crt and client.key into a single PEM file for programs using openssl.
openssl pkcs12 -in client.p12 -out client.pem -clcerts
Copy ca.crt for the user, have them install and trust it.
Use client.p12. Actual instructions vary.
So that the Web server knows to ask for (and validate) a user's Client Key against the internal CA certificate.
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional; # or `on` if you require client key
Find the certificate serial number:
$ openssl x509 -in client.crt -serial -noout
serial=CLIENT-CERT-SN
Add to nginx in the server block:
if ($ssl_client_serial != "CLIENT-CERT-SN") {
return 403;
}
See the nginx manual for other SSL parameters available for filtering.