From ef402259a119086ace3413bc38ca552dc0c5981c Mon Sep 17 00:00:00 2001 From: Bernhard Reiter Date: Mon, 14 Feb 2022 13:24:22 +0100 Subject: [PATCH] Improve client cert setup * remove cert creation, as it will be described in a different file. --- docs/client-certificate-setup.md | 47 ++++++-------------------------- 1 file changed, 8 insertions(+), 39 deletions(-) diff --git a/docs/client-certificate-setup.md b/docs/client-certificate-setup.md index dbc1c9f..e996e5b 100644 --- a/docs/client-certificate-setup.md +++ b/docs/client-certificate-setup.md 
@@ -1,42 +1,11 @@ -## Client-Certificate based authentication +# Client-Certificate based authentication -If the certificate Authority and user certificates are already present the steps of creating the certificate authority and client certificates can be skipped. -The following is an example of creating them. +Assuming the userA.pfx file is available, which can be imported into +a web browser. -```bash -cd /etc/ssl -``` -### Create the Certificate Autority (CA) - -Firstly, generate the CA: -```openssl genrsa -aes256 -out ca.key 4096``` -This asks to enter a passphrase. -Next, create the server-side certificate, that will be sent via the TLS server to the client. -```openssl req -new -x509 -days 365 -key ca.key -out ca.crt``` -You will be asked to answer a few questions. - -### Create a client certificate - -Create the key like previously: -```openssl genrsa -aes256 -out userA.key 4906``` -Then create a Certificate Signing Request (CSR) -```openssl req -new -key userA.key -out userA.csr``` -A number of questions should be answered also. - -### Sign the CSRs -A CSR should be signed with the firstly created certificate (CA) -```openssl x509 -req -days 365 365 -in userA.csr -CA ca.crt -CAkey ca.key -set_serial01 -out userA.cert``` - -#### Create a PFX file -For the browser option the signed certificate must be made installable in -a way the public key and the certificate of the client are bundled. -```openssl pkcs12 -export -out userA.pfx -inkey userA.key -in user.crt --certfile ca.crt``` -This will ask to provide an export password. - -This generates userA.pfx file, that can be imported into web browser. - -### Configure nginx -Adjust the server block in ```/etc/nginx/sites-enabled/default```: +### Configure nginx +Assuming the relevant server block is in `/etc/nginx/sites-enabled/default`, +adjust it like show in the following example: ``` server { 
@@ -58,10 +27,10 @@ server { ``` This will restrict the access to the defined paths in the ```location``` directive to only authenticated client certificates. -Restart nginx with ```systemctl nginx restart``` to apply the changes. +Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx` +on Debian or Ubuntu.) To test this: * From the browser after importing the ```userA.pfx``` and the navigation to the protected directories. * With curl: ```curl https://{serverURL}/.well-known/csaf/red/ --cert /etc/ssl/userA.crt --key /etc/ssl/userA.key```. -
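Review bot: In the first hunk, the new intro line "Assuming the userA.pfx file is available, which can be imported into a web browser." is a sentence fragment and leaves the reader without a pointer to where the PFX now comes from; since the commit message says the certificate creation moves to a different file, the intro should name or link that file (e.g. "Assuming you have created userA.pfx as described in <new file>, ..."). Two smaller points in the same hunk: "adjust it like show in the following example" should read "as shown in the following example", and raising the title to `# Client-Certificate based authentication` while keeping `### Configure nginx` skips a heading level, so either keep `##` for the title or demote the nginx heading to `##`. When the removed block is moved into the new file, note that it carried several errors that should not be copied verbatim: `openssl genrsa ... 4906` (should be 4096), `-days 365 365` (duplicated argument), `-set_serial01` (missing space before the value), `-in user.crt` (file is named userA.crt elsewhere), and `--certfile` (openssl uses a single dash, `-certfile`).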
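Review bot: In the second hunk, the curl test still uses `--cert /etc/ssl/userA.crt --key /etc/ssl/userA.key`, but this patch removes the only steps that produced those files and the new intro only assumes that userA.pfx exists, so the test is no longer reproducible from this document alone. Either state that the PEM certificate and key from the other file are needed too, or add a line showing how to extract them from the PFX for curl (e.g. `openssl pkcs12 -in userA.pfx -clcerts -nokeys -out userA.crt` and `openssl pkcs12 -in userA.pfx -nocerts -out userA.key`). The test section would also benefit from a negative check, i.e. the same curl without `--cert`/`--key`, to confirm that the `location` really rejects unauthenticated clients and not only that the certificate is accepted. Minor: in "(e.g. `systemctl reload nginx` on Debian or Ubuntu.)" the period belongs after the closing parenthesis.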