Configure nginx for client certificate authentication

README.md

@@ -17,6 +17,7 @@
 
 - [Install](http://nginx.org/en/docs/install.html)  **nginx**
 - To configure nginx see [docs/provider-setup.md](docs/provider-setup.md)
+- To configure nginx for client certificate authentication see [docs/client-certificate-setup.md](docs/client-certificate-setup.md)
 
 ## csaf_uploader
 csaf_uploader is a command line tool that uploads CSAF documents to the trusted provider (CSAF_Provider).

docs/client-certificate-setup.md

@@ -0,0 +1,67 @@
+## Client-Certificate based authentication
+
+If the certificate Authority and user certificates are already present the steps of creating the certificate authority and client certificates can be skipped.
+The following is an example of creating them.
+
+```bash
+cd /etc/ssl
+```
+### Create the Certificate Autority (CA)
+
+Firstly, generate the CA:      
+```openssl genrsa -des3 -out ca.key 4096```          
+This asks to enter a passphrase.       
+Next, create the server-side certificate, that will be sent via the TLS server to the client.             
+```openssl req -new -x509 -days 365 -key ca.key -out ca.crt```       
+You will be asked to answer a few questions.
+
+### Create a client certificate
+
+Create the key like previously:              
+```openssl genresa -des3 -out userA.key 4906```               
+Then create a Certificate Signing Request (CSR)                   
+```openssl req -new -key userA.key -out userA.csr```                
+A number of questions should be answered also.
+
+### Sign the CSRs
+A CSR should be signed with the firstly created certificate (CA)                              
+```openssl x509 -req -days 365 365 -in userA.csr -CA ca.crt -CAkey ca.key -set_serial01 -out userA.cert```
+
+#### Create a PFX file
+For the browser option the signed certificate must be made installable in
+a way the public key and the certificate of the client are bundled.                    
+```openssl pkcs12 -export -out userA.pfx -inkey userA.key -in user.crt --certfile ca.crt```                
+This will ask to provide an export password.      
+
+This generates userA.pfx file, that can be imported into web browser.
+
+### Configure nginx                            
+Adjust the server block in ```/etc/nginx/sites-enabled/default```:
+
+```
+server {
+    # Other Config
+    # ...
+
+    ssl_client_certificate /etc/ssl/ca.crt;
+    ssl_verify_client optional;
+    ssl_verify_depth 2;
+
+    location ~* /.well-known/csaf/(red|green|amber)/{
+        autoindex on;a
+        if  ($ssl_client_verify != SUCESS){
+            retrun 403;
+        }
+    }
+
+}
+```
+This will restrict the access to the defined paths in the ```location``` directive  to only authenticated client certificates.
+
+Restart nginx with ```systemctl nginx restart``` to apply the changes.
+
+To test this:
+* From the browser after importing the ```userA.pfx``` and the navigation to the protected directories.
+* With curl: ```curl https://{serverURL}/.well-known/csaf/red/ --cert /etc/ssl/userA.crt --key /etc/ssl/userA.key```.
+
+