Nginx SSL Auth Setup
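# Create the CA key and the self-signed CA certificate that will sign the client certs.
# -aes256 (instead of the legacy -des3) encrypts the private key on disk; OpenSSL prompts for a passphrase.
# -sha256 pins a SHA-2 signature: OpenSSL releases before 1.1.0 default to SHA-1, which browsers reject.
openssl genrsa -aes256 -out ca.key 4096
openssl req -new -x509 -sha256 -days 365 -key ca.key -out ca.crt

# Create the server key and CSR.
# 2048 bits is the current minimum; 1024-bit RSA is below NIST guidance and is refused by modern TLS clients.
openssl genrsa -aes256 -out server.key 2048
openssl req -new -sha256 -key server.key -out server.csr

# Sign the server cert with our private CA. This is not a self-signed cert, but clients will only trust it
# if ca.crt is installed on them, so in production use a publicly trusted CA for the server certificate.
# -CAcreateserial keeps a ca.srl counter so every cert gets a unique serial. The original "-set_serial 01"
# on both certs gave two certs the same issuer+serial, which violates X.509 and makes Firefox reject the
# second one (SEC_ERROR_REUSED_ISSUER_AND_SERIAL).
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# Create the client key and CSR (same key-size rationale as the server key).
openssl genrsa -aes256 -out client.key 2048
openssl req -new -sha256 -key client.key -out client.csr

# Sign the client cert with our private CA. Unlike the server cert, this IS the intended use of a private CA:
# nginx will only accept client certs that chain to ca.crt.
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt

# Private keys must not be readable by other users on the box.
chmod 600 ca.key server.key client.key

# NOTE(review): server.key is passphrase-protected, so nginx will prompt for it on every start unless you
# configure ssl_password_file (nginx >= 1.7.3) or store an unencrypted copy with mode 0600.
# NOTE(review): nothing here revokes a client cert. If a client key leaks you need a CRL
# (openssl ca -gencrl + ssl_crl in nginx) or a fresh CA.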
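server {
    # Enable TLS on the listen socket; "ssl on;" is deprecated (removed in nginx 1.25.1).
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/certs/server.crt;
    ssl_certificate_key /etc/nginx/certs/server.key;
    # NOTE(review): if server.key is passphrase-protected (generated with -des3/-aes256), nginx prompts for the
    # passphrase at startup; use ssl_password_file (nginx >= 1.7.3) or an unencrypted key with mode 0600.

    # Only negotiate protocol versions without known downgrade/padding-oracle weaknesses.
    # Drop TLSv1.3 on nginx < 1.13.0 or OpenSSL < 1.1.1, where the token is not recognised.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;

    # Client-certificate authentication against our private CA.
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    # Client certs must be signed directly by ca.crt (no intermediates). 1 is the default; stated for clarity.
    ssl_verify_depth 1;
    # "optional": the handshake also succeeds when the client presents no cert, or one that fails verification,
    # so EVERY request reaches the backend. The backend MUST check VERIFIED == "SUCCESS" before trusting DN:
    # $ssl_client_s_dn is filled from whatever cert the client sent, whether or not it verified.
    # Use "ssl_verify_client on;" to have nginx itself reject unauthenticated requests (HTTP 400).
    ssl_verify_client optional;

    location / {
        root /var/www/example.com/html;
        fastcgi_pass 127.0.0.1:9000;
        # Single front controller; every request is routed to Request.class.php.
        fastcgi_param SCRIPT_FILENAME /var/www/example.com/lib/Request.class.php;
        # $ssl_client_verify is "SUCCESS", "FAILED:<reason>" or "NONE" (no cert presented).
        fastcgi_param VERIFIED $ssl_client_verify;
        # Subject DN of the presented client cert; only meaningful when VERIFIED is "SUCCESS".
        fastcgi_param DN $ssl_client_s_dn;
        include fastcgi_params;
    }
}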
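# Verify the server against our private CA with --cacert instead of disabling verification with -k;
# with -k a MITM presenting any certificate would complete the handshake and receive the client cert.
# If client.key is passphrase-protected (it is when generated with -des3/-aes256) curl prompts for the
# passphrase; pass it with --pass to script the call.
curl -v -s --cacert ca.crt --key client.key --cert client.crt https://example.com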