====== nginx Client Certificate Authentication ======
==== Create the CA ====
- Create the CA private key \\ ''openssl genrsa -des3 -out ca.key''
- Create the self-signed CA certificate \\ ''openssl req -new -x509 -days 1825 -key ca.key -out ca.crt''
==== Create the user certificate ====
- On the client, create a user/client key \\ ''openssl genrsa -des3 -out user.key 4096''
- Create a Certificate Signing Request \\ ''openssl req -new -key user.key -out user.csr''
- Transfer the CSR to the CA host
- Sign the CSR \\ ''openssl x509 -req -days 1825 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt'' \\ Give every certificate signed by this CA its own serial number (''01'' is only correct for the first one); clients reject a second certificate that reuses the issuer and serial of an earlier one.
- Transfer the ca.crt to the client
- Create a PKCS #12 \\ ''openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt''
- Import the PKCS#12/.pfx to the client system
==== Set up nginx to accept certificates signed by the CA ====
- Insert this into the relevant server block in conf.d/: \\ ''ssl_client_certificate /etc/nginx/client_certs/ca.crt;'' \\ ''ssl_verify_client optional;''
- Insert this at the top of the relevant location block: \\ ''if ($ssl_client_verify != SUCCESS) {'' \\ ''    return 403;'' \\ ''}'' \\ ''# Rest of location block follows...''

With ''ssl_verify_client optional'' the TLS handshake succeeds without a certificate, so the ''$ssl_client_verify'' check has to be repeated in every location that should require one; ''ssl_verify_client on'' instead rejects clients without a valid certificate during the handshake.
==== See also ====
* [[OpenSSL]]