mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 18:15:42 +01:00

Improve client cert setup

* remove cert creation, as it will be described in a different
   file.
This commit is contained in:
Bernhard Reiter 2022-02-14 13:24:22 +01:00
parent 078ccdbd69
commit ef402259a1
No known key found for this signature in database
GPG key ID: 2B7BA3BF9BC3A554


@ -1,42 +1,11 @@
## Client-Certificate based authentication # Client-Certificate based authentication
If the certificate Authority and user certificates are already present the steps of creating the certificate authority and client certificates can be skipped. Assuming the userA.pfx file is available, which can be imported into
The following is an example of creating them. a web browser.
```bash
cd /etc/ssl
```
### Create the Certificate Autority (CA)
Firstly, generate the CA:
```openssl genrsa -aes256 -out ca.key 4096```
This asks to enter a passphrase.
Next, create the server-side certificate, that will be sent via the TLS server to the client.
```openssl req -new -x509 -days 365 -key ca.key -out ca.crt```
You will be asked to answer a few questions.
### Create a client certificate
Create the key like previously:
```openssl genrsa -aes256 -out userA.key 4906```
Then create a Certificate Signing Request (CSR)
```openssl req -new -key userA.key -out userA.csr```
A number of questions should be answered also.
### Sign the CSRs
A CSR should be signed with the firstly created certificate (CA)
```openssl x509 -req -days 365 365 -in userA.csr -CA ca.crt -CAkey ca.key -set_serial01 -out userA.cert```
#### Create a PFX file
For the browser option the signed certificate must be made installable in
a way the public key and the certificate of the client are bundled.
```openssl pkcs12 -export -out userA.pfx -inkey userA.key -in user.crt --certfile ca.crt```
This will ask to provide an export password.
This generates userA.pfx file, that can be imported into web browser.
### Configure nginx ### Configure nginx
Adjust the server block in ```/etc/nginx/sites-enabled/default```: Assuming the relevant server block is in `/etc/nginx/sites-enabled/default`,
adjust it like show in the following example:
``` ```
server { server {
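Review bot: the new introduction ("Assuming the userA.pfx file is available") drops the whole CA and client-certificate procedure without saying where it now lives; the commit message promises "a different file", so the new text should name or link that file so a reader who lacks userA.pfx is not left without a pointer. Also, in "adjust it like show in the following example" the word "show" should be "shown".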
@ -58,10 +27,10 @@ server {
``` ```
This will restrict the access to the defined paths in the ```location``` directive to only authenticated client certificates. This will restrict the access to the defined paths in the ```location``` directive to only authenticated client certificates.
Restart nginx with ```systemctl nginx restart``` to apply the changes. Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx`
on Debian or Ubuntu.)
To test this: To test this:
* From the browser after importing the ```userA.pfx``` and the navigation to the protected directories. * From the browser after importing the ```userA.pfx``` and the navigation to the protected directories.
* With curl: ```curl https://{serverURL}/.well-known/csaf/red/ --cert /etc/ssl/userA.crt --key /etc/ssl/userA.key```. * With curl: ```curl https://{serverURL}/.well-known/csaf/red/ --cert /etc/ssl/userA.crt --key /etc/ssl/userA.key```.
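Review bot: the curl test still refers to `/etc/ssl/userA.crt` and `/etc/ssl/userA.key`, but with the certificate-creation steps removed this document no longer tells the reader where those two files come from or how they relate to the `userA.pfx` mentioned above; either state that they are the client certificate and key from which the PFX was built (and where that is documented) or give the PFX-based equivalent. It would also help to add the expected negative result, i.e. that the same request without `--cert`/`--key` must be rejected, since the text claims access is restricted to authenticated client certificates. Minor: in "(e.g. `systemctl reload nginx` on Debian or Ubuntu.)" the period belongs outside the parenthesis.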