mirror of https://github.com/gocsaf/csaf.git synced 2025-12-22 11:55:40 +01:00
gocsaf/docs/client-certificate-setup.md
Bernhard Reiter f04473874a
Improve client cert setup instructions
* Rephrase slightly and add hint that the issuer config
   will be checked against the `$ssl_client_i_dn` variable, so the
   example serves both uses.

resolve #46
2022-04-13 11:53:21 +02:00


Client-Certificate based authentication

This assumes a client certificate file such as userA.pfx is available, which can be imported into a web browser.

Configure nginx

Assuming the relevant server block is in /etc/nginx/sites-enabled/default and the CA used to verify the client certificates is under /etc/ssl/, adjust the content of the server{} block as shown in the following example:

        ssl_client_certificate '${SSL_CLIENT_CERTIFICATE}'; # e.g. ssl_client_certificate /etc/ssl/rootca-cert.pem;
        ssl_verify_client optional;
        ssl_verify_depth 2;

        # This example allows access to all three TLP locations for all
        # successfully verified client certs.
        location ~ /.well-known/csaf/(red|green|amber)/ {
            # For atomic directory switches
            disable_symlinks off;
            autoindex on;
            # in this location access is only allowed with client certs
            if ($ssl_client_verify != SUCCESS) {
                # we use status code 404 == "Not Found", because we do not
                # want to reveal if this location exists or not.
                return 404;
            }
        }

This restricts access to the paths matched by the location directive to clients that present a valid certificate issued by one of the CAs configured with ssl_client_certificate.

If you want to restrict each of the green, amber and red paths differently, you can use several location blocks, each with a single if that matches the $ssl_client_i_dn variable against the CAs you want to allow for that location.
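The per-path variant described above, written out as an added example that is not part of the project's documentation. The CA bundle path is the one from the example above; the issuer DN strings and the names Partner CA, Internal CA and Example Org are constructed placeholders to be replaced with the value nginx actually logs for your CA. It goes slightly beyond the single-if suggestion in the text by adding a map for a location that should accept more than one issuer, since an nginx if cannot express an OR:

```nginx
# Added example, not from the csaf project docs: separate restrictions per
# TLP directory. Issuer DN strings below are constructed placeholders; copy
# the real value from the $ssl_client_i_dn that nginx logs for your CA.

# This map belongs in the http{} context (outside server{}): it turns the
# issuer DN into a 0/1 flag so that one location can accept several CAs.
map $ssl_client_i_dn $red_allowed {
    default                               0;
    "CN=Internal CA,O=Example Org,C=DE"   1;
    "CN=Partner CA,O=Example Org,C=DE"    1;
}

# The following lines go into the server{} block.
ssl_client_certificate /etc/ssl/rootca-cert.pem;   # bundle containing every accepted CA
ssl_verify_client optional;
ssl_verify_depth 2;

# With "optional", nginx still fills $ssl_client_i_dn from a certificate that
# failed verification, so always check $ssl_client_verify before trusting the DN.
location ~ /.well-known/csaf/green/ {
    disable_symlinks off;
    autoindex on;
    # green: any successfully verified client certificate
    if ($ssl_client_verify != SUCCESS) { return 404; }
}

location ~ /.well-known/csaf/amber/ {
    disable_symlinks off;
    autoindex on;
    # amber: only certificates issued by the partner CA
    if ($ssl_client_verify != SUCCESS) { return 404; }
    if ($ssl_client_i_dn != "CN=Partner CA,O=Example Org,C=DE") { return 404; }
}

location ~ /.well-known/csaf/red/ {
    disable_symlinks off;
    autoindex on;
    # red: either of the two issuers listed in the map above
    if ($ssl_client_verify != SUCCESS) { return 404; }
    if ($red_allowed != 1) { return 404; }
}
```

All three locations return 404 rather than 403 on failure, for the same reason as the original example: the response should not reveal whether the protected directory exists.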

If you want to restrict the writing permission and access to the web interface of the csaf_provider to only some TLS client certificates, the CA issuer of these certificates must be assigned to the issuer config option in the /usr/lib/csaf/config.toml file, e.g. issuer = "C=DE,O=CSAF Tools Development (internal),CN=Tester". The csaf_provider checks this value against the $ssl_client_i_dn variable. To find the precise string for a given certificate, try it and check the logged value in the nginx log file, e.g. /var/log/nginx/error.log.
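To see what an issuer DN string looks like before touching the nginx logs, the following added script (not part of the csaf project) builds a throwaway CA and a client certificate signed by it, prints the issuer DN in RFC 2253 form, which is the format nginx 1.11.6 and later uses for $ssl_client_i_dn, and checks that the client certificate chains to the CA the way ssl_verify_client does. The names Test CA, Example and tester are constructed values; the logged value from your real nginx remains the authoritative string for the issuer option.

```shell
#!/bin/sh
# Added example, not part of the csaf project. Builds a throwaway CA and
# client certificate, prints the client cert's issuer DN in RFC 2253 form
# (the $ssl_client_i_dn format of nginx >= 1.11.6) and verifies the chain.
# "Test CA", "Example" and "tester" are constructed values.

# Create a self-signed CA and a CA-signed client certificate in a fresh
# temporary directory; prints the directory path.
make_test_certs() {
    dir=$(mktemp -d)
    # Self-signed CA certificate (EC key, fast to generate).
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 1 \
        -subj "/C=DE/O=Example/CN=Test CA" >/dev/null 2>&1
    # Client key and certificate signing request.
    openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/client.key" -out "$dir/client.csr" \
        -subj "/C=DE/O=Example/CN=tester" >/dev/null 2>&1
    # Issue the client certificate from the CA.
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.pem" -days 1 >/dev/null 2>&1
    echo "$dir"
}

# Print the issuer DN of a PEM certificate in RFC 2253 form, without the
# "issuer=" prefix openssl adds.
issuer_dn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=[ ]*//'
}

# Exit status 0 if certificate $2 verifies against CA bundle $1, like
# ssl_verify_client with ssl_client_certificate pointing at that bundle.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: show the line to put into config.toml.
dir=$(make_test_certs)
echo "issuer = \"$(issuer_dn "$dir/client.pem")\""
verify_client_cert "$dir/ca.pem" "$dir/client.pem" && echo "client.pem chains to ca.pem"
rm -rf "$dir"
```

Run it against a real client certificate with issuer_dn path/to/client.pem (a .p12 file must first be converted to PEM with openssl pkcs12 -in client.p12 -clcerts -nokeys).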

Reload or restart nginx to apply the changes (e.g. systemctl reload nginx on Debian or Ubuntu).

To test this, see development-client-certs.md and then:

  • From the browser, after importing testclient1.p12: navigate to the protected directories.
  • With curl: curl https://{serverURL}/.well-known/csaf/red/ --cert-type p12 --cert testclient1.p12. If the server uses a root certificate that is not in the default certificate store, add one of the following options to the curl command:
    • --insecure to disable the verification of the server certificate,
    • --cacert {CA-Certificate-File} to pass the CA certificate that verifies the server.