SystemSh0cker/gocsaf
1
0
Fork 0
mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 05:40:11 +01:00
Code Issues Releases Activity Actions

Configure nginx for client certificate authentication

Browse source
This commit is contained in:
Fadi Abbud 2022-01-12 12:03:15 +01:00
parent 2a69c13398
commit 3281387087
2 changed files with 68 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

67
docs/client-certificate-setup.md Normal file
View file

@ -0,0 +1,67 @@
## Client-Certificate based authentication
If the certificate Authority and user certificates are already present the steps of creating the certificate authority and client certificates can be skipped.
The following is an example of creating them.
```bash
cd /etc/ssl
```
### Create the Certificate Autority (CA)
Firstly, generate the CA:
```openssl genrsa -des3 -out ca.key 4096```
This asks to enter a passphrase.
Next, create the server-side certificate, that will be sent via the TLS server to the client.
```openssl req -new -x509 -days 365 -key ca.key -out ca.crt```
You will be asked to answer a few questions.
### Create a client certificate
Create the key like previously:
```openssl genresa -des3 -out userA.key 4906```
Then create a Certificate Signing Request (CSR)
```openssl req -new -key userA.key -out userA.csr```
A number of questions should be answered also.
### Sign the CSRs
A CSR should be signed with the firstly created certificate (CA)
```openssl x509 -req -days 365 365 -in userA.csr -CA ca.crt -CAkey ca.key -set_serial01 -out userA.cert```
#### Create a PFX file
For the browser option the signed certificate must be made installable in
a way the public key and the certificate of the client are bundled.
```openssl pkcs12 -export -out userA.pfx -inkey userA.key -in user.crt --certfile ca.crt```
This will ask to provide an export password.
This generates userA.pfx file, that can be imported into web browser.
### Configure nginx
Adjust the server block in ```/etc/nginx/sites-enabled/default```:
```
server {
# Other Config
# ...
ssl_client_certificate /etc/ssl/ca.crt;
ssl_verify_client optional;
ssl_verify_depth 2;
location ~* /.well-known/csaf/(red|green|amber)/{
autoindex on;a
if ($ssl_client_verify != SUCESS){
retrun 403;
}
}
}
```
This will restrict the access to the defined paths in the ```location``` directive to only authenticated client certificates.
Restart nginx with ```systemctl nginx restart``` to apply the changes.
To test this:
* From the browser after importing the ```userA.pfx``` and the navigation to the protected directories.
* With curl: ```curl https://{serverURL}/.well-known/csaf/red/ --cert /etc/ssl/userA.crt --key /etc/ssl/userA.key```.