shamil/gist:2165160

## gistfile1.md

      
    Raw
  

              gistfile1.md
            
          
    Client-side SSL

Create a Certificate Authority root (which represents this server)

Organization & Common Name: Some human identifier for this server CA.
openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Create the Client Key and CSR

Organization & Common Name = Person name
openssl genrsa -out client.key 2048
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt # self-signed

Convert PEM to PKCS#12

So that it may be installed in most browsers.openssl genrsa -des3 -out client.key 4096
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Convert from PKCS#12 to PEM (key and cert combined)

Combines client.crt and client.key into a single PEM file for programs using openssl...
openssl pkcs12 -in client.p12 -out client.pem -clcerts

Convert from PKCS#12 to PEM (key and cert separated)

Separated client.crt and client.key for use with curl or similar...
openssl pkcs12 -in client.p12 -nocerts -nodes -out client.key
openssl pkcs12 -in client.p12 -clcerts -nodes -out client.crt

Install Client Key on client device (OS or browser)

Use client.p12. Actual instructions vary.
Install CA cert on nginx

So that the Web server knows to ask for (and validate) a user's Client Key
against the internal CA certificate.
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client optional; # or `on` if you require client key

Configure nginx to pass the authentication data to the backend application:

Client Side Certificate Auth in Nginx, section “Passing to PHP.”
SSL module documentation

Using CACert Keys


Get client key from CACert
Install client key in client device.
Install CACert root certs in server and client device.
Configure nginx, as above.