Table of Contents

nginx Client Certificate Authentication

Create the CA

  1. Create Certificate Authority
    openssl genrsa -des3 -out ca.key
  2. Create CA certificate
    openssl req -new -x509 -days 1825 -key ca.key -out ca.crt

Create the user certificate

  1. On the client, create a user/client key
    openssl genrsa -des3 -out user.key 4096
  2. Create a Certificate Signing Request
    openssl req -new -key user.key -out user.csr
  3. Transfer the CSR to the CA host
  4. Sign the CSR
    openssl x509 -req -days 1825 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt
  5. Transfer the ca.crt to the client
  6. Create a PKCS #12
    openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt
  7. Import the PKCS#12/.pfx to the client system

Set up nginx to accept certificates signed by the CA

  1. Insert this into the relevant server directive in conf.d/: 
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
ssl_verify_client optional;
  2. Insert this at the top of the relevant location directive:
    if ($ssl_client_verify != SUCCESS) {
        return 403;
      }
# Rest of location directive follows...

See also