# Client-Certificate based authentication

Assuming the userA.pfx file is available, which can be imported into
a web browser.

### Configure nginx
Assuming the relevant server block is in `/etc/nginx/sites-enabled/default` and the CA used to verify the client certificates is under `/etc/ssl/`,
adjust the content of the `server{}` block like shown in the following example:
<!-- MARKDOWN-AUTO-DOCS:START (CODE:src=../docs/scripts/TLSClientConfigsForITest.sh&lines=25-40) -->
<!-- The below code snippet is automatically added from ../docs/scripts/TLSClientConfigsForITest.sh -->
```sh
        ssl_client_certificate '${SSL_CLIENT_CERTIFICATE}'; # e.g. ssl_client_certificate /etc/ssl/rootca-cert.pem;
        ssl_verify_client optional;
        ssl_verify_depth 2;

        # This example allows access to all three TLP locations for all certs.
        location ~ /.well-known/csaf/(red|green|amber)/{
            # For atomic directory switches
            disable_symlinks off;
            autoindex on;
            # in this location access is only allowed with client certs
            if  ($ssl_client_verify != SUCCESS){
                # we use status code 404 == "Not Found", because we do not
                # want to reveal if this location exists or not.
                return 404;
            }
       }
```
<!-- MARKDOWN-AUTO-DOCS:END -->

This will restrict the access to the defined paths in the ```location```
directive to only authenticated client certificates issued by the CAs
which are configured with `ssl_client_certificate`.

If you want to restrict each path of `green`, `amber` and `red`
differently, you could use several location blocks
each which a single `if` that matches the `$ssl_client_i_dn` variable
to CAs that you would want to allow for that location.

If you want to restrict the writing permission and access to the web-interface
of the `csaf_provider` to only some TLS client certificates,
the CA issuer of these certificates should be assigned to the `issuer`
config option in the `/user/lib/csaf/config.toml` file
e.g. `issuer = "C=DE,O=CSAF Tools Development (internal),CN=Tester" `.
The value will be checked against the `$ssl_client_i_dn` variable
within the `csaf_provider`.
To inspect the precise string of certain certificate, try it and
check the logged value in the nginx log file, e.g. `/var/log/nginx/error.log`.

Reload or restart nginx to apply the changes (e.g. `systemctl reload nginx`
on Debian or Ubuntu.)

To test this see [development-client-certs.md](development-client-certs.md) and
* From the browser after importing the `testclient1.p12`:
nagivate to the protected directories.
* With curl: `curl https://{serverURL}/.well-known/csaf/red/ --cert-type p12 --cert testclient1.p12`.
(If the server uses a root certifcate that is not in the default certificate store one of the following options should be added to the `curl` command:
    * `--insecure` to disable the verification,
    * `--cacert {CA-Certificate-File}` to pass the CA-Certificate that verifies the server).