From cbf39f9806ad2ae725234f1870608927d0ef88c4 Mon Sep 17 00:00:00 2001 From: Fadi Abbud Date: Tue, 22 Feb 2022 11:06:51 +0100 Subject: [PATCH] Documentation --- docs/client-certificate-setup.md | 2 ++ docs/development-client-certs.md | 5 +++++ 2 files changed, 7 insertions(+) diff --git a/docs/client-certificate-setup.md b/docs/client-certificate-setup.md index 558d63e..7a87455 100644 --- a/docs/client-certificate-setup.md +++ b/docs/client-certificate-setup.md @@ -37,6 +37,8 @@ differently, you could use several location blocks each which a single `if` that matches the `$ssl_client_i_dn` variable to CAs that you would want to allow for that location. +If you want to allow the access to the web-interface of the provider for some TLS client certificates, the CA issuer of these certificates should be assigned to the `issuer` key in the `/user/lib/csaf/config.toml` file. + Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx` on Debian or Ubuntu.) diff --git a/docs/development-client-certs.md b/docs/development-client-certs.md index 8763721..66108db 100644 --- a/docs/development-client-certs.md +++ b/docs/development-client-certs.md @@ -56,3 +56,8 @@ certtool --generate-certificate --load-privkey testclient2-key.pem --outfile tes certtool --load-ca-certificate rootca-cert.pem --load-certificate testclient2.crt --load-privkey testclient2-key.pem --to-p12 --p12-name "Test Client 2" --null-password --outder --outfile testclient2.p12 ``` +In case of many CAs are used to verify the client certificates these should be included in the list of the allowed CA certificates in the `ssl_client_certificate` bundle of nginx. + +E.g. `cat rootca-cert-1.pem rootca-cert-2.pem >> allowedCAs.pem`. Nginx config: `ssl_client_certificate allowedCAs.pem;` + +
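Review bot: In the `docs/client-certificate-setup.md` hunk, the path `/user/lib/csaf/config.toml` looks like a typo for `/usr/lib/csaf/config.toml`; please verify against the actual install location. The added sentence also leaves the reader guessing what the `issuer` key expects: say whether it takes one issuer DN or a list, and in which string form (presumably the same form nginx exposes in `$ssl_client_i_dn`, which the preceding paragraph already uses for matching). Finally, the grammar could be tightened, e.g. "To allow some TLS client certificates to access the provider's web interface, set the `issuer` key in `…/config.toml` to the issuer of those certificates." It is worth adding one clause that this check is applied after nginx has verified the certificate chain against the `ssl_client_certificate` bundle, since the issuer field of an unverified certificate is chosen by whoever created it and cannot be used for access control on its own.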
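Review bot: In the `docs/development-client-certs.md` hunk, `cat rootca-cert-1.pem rootca-cert-2.pem >> allowedCAs.pem` appends, so every rerun duplicates the CA entries in the bundle; use `>` instead. `ssl_client_certificate allowedCAs.pem;` with a relative path is resolved relative to nginx's prefix directory, so the doc should either give an absolute path or say where the file is expected. The sentence "In case of many CAs are used to verify the client certificates these should be included ..." should read "If several CAs are used to verify client certificates, all of them must be included in the `ssl_client_certificate` bundle", and it should note that nginx then accepts any certificate chaining to any CA in that bundle, which is why the per-location `$ssl_client_i_dn` matching described in `client-certificate-setup.md` is needed to narrow access. The file names `rootca-cert-1.pem` / `rootca-cert-2.pem` also do not match the `rootca-cert.pem` created earlier in this document; either reuse that name or say these are placeholders. The hunk additionally adds two empty lines at end of file, which leaves trailing blank lines.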