mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 18:15:42 +01:00

Documentation

Fadi Abbud 2022-02-22 11:06:51 +01:00
parent 9e422d5ad2
commit cbf39f9806
2 changed files with 7 additions and 0 deletions

@ -37,6 +37,8 @@ differently, you could use several location blocks
each which a single `if` that matches the `$ssl_client_i_dn` variable each which a single `if` that matches the `$ssl_client_i_dn` variable
to CAs that you would want to allow for that location. to CAs that you would want to allow for that location.
If you want to allow the access to the web-interface of the provider for some TLS client certificates, the CA issuer of these certificates should be assigned to the `issuer` key in the `/user/lib/csaf/config.toml` file.
Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx` Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx`
on Debian or Ubuntu.) on Debian or Ubuntu.)
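Review bot: The path in the added sentence, `/user/lib/csaf/config.toml`, looks like a typo for `/usr/lib/csaf/config.toml`; `/user/lib` is not a standard directory on the Debian or Ubuntu systems this section mentions, so a reader copying it would look for the file in the wrong place. Please also say what form the `issuer` value takes, for instance whether it has to match the issuer DN string that nginx exposes in `$ssl_client_i_dn` a few lines above, because the sentence gives no hint of what to put there. Wording: "allow the access to the web-interface ... for some TLS client certificates" would read better as "allow access to the web interface ... for certain TLS client certificates".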

@ -56,3 +56,8 @@ certtool --generate-certificate --load-privkey testclient2-key.pem --outfile tes
certtool --load-ca-certificate rootca-cert.pem --load-certificate testclient2.crt --load-privkey testclient2-key.pem --to-p12 --p12-name "Test Client 2" --null-password --outder --outfile testclient2.p12 certtool --load-ca-certificate rootca-cert.pem --load-certificate testclient2.crt --load-privkey testclient2-key.pem --to-p12 --p12-name "Test Client 2" --null-password --outder --outfile testclient2.p12
``` ```
In case of many CAs are used to verify the client certificates these should be included in the list of the allowed CA certificates in the `ssl_client_certificate` bundle of nginx.
E.g. `cat rootca-cert-1.pem rootca-cert-2.pem >> allowedCAs.pem`. Nginx config: `ssl_client_certificate allowedCAs.pem;`
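Review bot: The example command in the last added line uses `>>`, which appends to `allowedCAs.pem`; if that file already exists, rerunning the command duplicates entries and keeps any CA certificate that was meant to be dropped from the bundle. Suggest `cat rootca-cert-1.pem rootca-cert-2.pem > allowedCAs.pem` so the bundle contains exactly the CAs listed. Since nginx accepts client certificates chaining to any CA in the `ssl_client_certificate` file, it is worth saying so here, and showing the directive with an absolute path rather than a bare file name. Wording: "In case of many CAs are used" should be "If several CAs are used", with a comma after "client certificates".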