Client-Certificate based authentication
If the Certificate Authority (CA) and user certificates already exist, the steps for creating them can be skipped. The following is an example of creating them.
cd /etc/ssl
Create the Certificate Authority (CA)
Firstly, generate the CA:
openssl genrsa -aes256 -out ca.key 4096
This prompts for a passphrase.
Next, create the CA certificate, which the TLS server presents to the client as the accepted issuer:
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You will be asked to answer a few questions.
Create a client certificate
Create the key like previously:
openssl genrsa -aes256 -out userA.key 4096
Then create a Certificate Signing Request (CSR):
openssl req -new -key userA.key -out userA.csr
A number of questions need to be answered here as well.
Sign the CSRs
Sign the CSR with the CA certificate created first:
openssl x509 -req -days 365 -in userA.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out userA.crt
Create a PFX file
For use in a browser, the signed certificate must be made installable by bundling the client's key and certificate into one file:
openssl pkcs12 -export -out userA.pfx -inkey userA.key -in userA.crt -certfile ca.crt
This will ask to provide an export password.
This generates the file userA.pfx, which can be imported into a web browser.
Configure nginx
Adjust the server block in /etc/nginx/sites-enabled/default:
server {
    # Other Config
    # ...
    # CA used to verify client certificates; 'optional' lets unauthenticated
    # requests through here, so the location block below enforces the check.
    ssl_client_certificate /etc/ssl/ca.crt;
    ssl_verify_client optional;
    ssl_verify_depth 2;
    location ~* /.well-known/csaf/(red|green|amber)/ {
        autoindex on;
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
    }
}
This restricts access to the paths matched by the location directive to clients presenting a certificate that verifies against the CA.
Restart nginx with systemctl restart nginx to apply the changes.
To test this:
- From the browser, after importing userA.pfx, by navigating to the protected directories.
- With curl:
curl https://{serverURL}/.well-known/csaf/red/ --cert /etc/ssl/userA.crt --key /etc/ssl/userA.key
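The procedure above, condensed into an added, self-checking script that is not part of the original page: it builds a throwaway CA and two client certificates in a temporary directory and verifies which of them chain to ca.crt, the same trust decision nginx makes via ssl_client_certificate. The names ca, other-ca, userA and userB are constructed; keys are generated without a passphrase and at 2048 bits only to keep the run non-interactive and quick.

```shell
#!/bin/sh
# Added example, not part of the original page. Assumes the openssl CLI is
# installed with its default config file available.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Generate a CA key and a self-signed CA certificate. $1 = basename (constructed).
make_ca() {
    openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORKDIR/$1.key" \
        -subj "/CN=$1" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Generate a client key and CSR, then sign the CSR with the named CA.
# $1 = client name, $2 = signing CA basename, $3 = serial (keep unique per CA).
make_client() {
    openssl genrsa -out "$WORKDIR/$1.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/$1.key" -subj "/CN=$1" \
        -out "$WORKDIR/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$WORKDIR/$1.csr" -CA "$WORKDIR/$2.crt" \
        -CAkey "$WORKDIR/$2.key" -set_serial "$3" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Succeed only if the client certificate verifies against the trusted CA.
# Matching ": OK" in the output avoids relying on the exit status, which older
# openssl releases did not set on verification failure. $1 = client, $2 = CA.
client_trusted() {
    openssl verify -CAfile "$WORKDIR/$2.crt" "$WORKDIR/$1.crt" 2>/dev/null \
        | grep -q ': OK$'
}

make_ca ca               # the CA nginx is configured to trust
make_ca other-ca         # an unrelated CA, constructed for the negative case
make_client userA ca 01
make_client userB other-ca 01

# userA chains to ca.crt and would pass $ssl_client_verify; userB does not.
if client_trusted userA ca; then echo "userA: accepted"; else echo "userA: rejected"; fi
if client_trusted userB ca; then echo "userB: accepted"; else echo "userB: rejected"; fi
```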