Syed Reza
1456992437544 NOTE

Nginx Client Cert Authentication Trouble?

If you're having trouble setting up Nginx client certificate authentication, it is most likely not your fault. The documentation on the matter is alarmingly sparse. What you'll find very often are tutorials that describe exactly what to do in the most frustrating manner possible.

A lot of these tutorials are blog posts built around interactive OpenSSL commands -- commands that expect you to type things into STDIN. No one wants to dig through the OpenSSL documentation looking for options like -passin, -passout, and -subj, but passing arguments non-interactively is always preferable to typing them in -- at least for the sake of a guide. While it is more secure to type a passphrase at a prompt than to put it in an argument or in a file, exceptions can be made for the sake of demonstration and automation. When a passphrase is needed, you can use the file: form of the argument and restrict access to that file as desired.

If a tutorial describes a long multi-step process that ultimately demonstrates how something works, couldn't this be achieved better with a script? If I want a client cert signed by an intermediate CA, which is in turn signed by the root CA, that's 3 steps, each of which contains sub-steps. If you present the user with a walk-through of interactive commands that they have to type in sequence, they are not going to be happy when some step in the middle needs to be changed. When these steps are automated, the user is free to inject steps and alter steps without much strain on their fingers and without much loss of patience.

Getting back to the matter: Nginx is capable of checking the validity of the client certificate. To show how this is done, I've created a quick script that sets up a root CA, an intermediate CA, and two clients -- one signed by the root CA and the other signed by the intermediate CA. The clients can successfully make requests to the Nginx test server if and only if they present a certificate that is signed by the root client CA. To see how it is done, see the Github repository linked below.

Nginx Client Verification Test
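As an added example, not the script from the repository linked above: the non-interactive chain the post describes (root CA, intermediate CA, one client signed by each) built with -subj, -passout and -passin, plus a check that mirrors what Nginx does with the file given to ssl_client_certificate. It assumes openssl 1.1.1 or later is on PATH; every name and passphrase in it is constructed.

```shell
#!/bin/sh
# Added example (not the post's repository script): root CA -> intermediate CA ->
# two client certs, built with no input from STDIN, then each client cert checked
# against a CA file. Assumes openssl 1.1.1+; all names/passphrases are constructed.
set -eu
# build_chain DIR: creates root.crt, int.crt, client-root.crt, client-int.crt in DIR.
build_chain() (
  cd "$1"
  # Extensions for the two CA certs; x509 -req adds no extensions unless told to.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Root CA: key encrypted with the passphrase from -passout, subject from -subj,
  # CSR self-signed with -signkey (the key is unlocked with -passin).
  openssl req -new -newkey rsa:2048 -passout pass:rootpw -subj "/CN=Test Root CA" \
    -keyout root.key -out root.csr
  openssl x509 -req -in root.csr -signkey root.key -passin pass:rootpw -days 365 \
    -extfile ca.ext -out root.crt
  # Intermediate CA: its CSR is signed by the root key, again unlocked with -passin.
  openssl req -new -newkey rsa:2048 -passout pass:intpw -subj "/CN=Test Intermediate CA" \
    -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -passin pass:rootpw \
    -CAcreateserial -days 365 -extfile ca.ext -out int.crt
  # One client per CA: unencrypted client keys (-nodes), signed by root or int.
  for ca in root int; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client-$ca" \
      -keyout "client-$ca.key" -out "client-$ca.csr"
    openssl x509 -req -in "client-$ca.csr" -CA "$ca.crt" -CAkey "$ca.key" \
      -passin "pass:${ca}pw" -CAcreateserial -days 365 -out "client-$ca.crt"
  done
)
# check_client CAFILE CERT: prints "accept" or "reject". CAFILE stands in for the
# file Nginx loads with ssl_client_certificate; the system trust store is ignored,
# so only a chain that ends in a CA listed in CAFILE passes.
check_client() {
  if openssl verify -no-CAfile -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept; else echo reject; fi
}
# Demo run: the intermediate-signed client is rejected until the intermediate
# certificate is appended to the CA file, which is the step tutorials tend to skip.
demo() {
  work=$(mktemp -d)
  build_chain "$work"
  cat "$work/root.crt" "$work/int.crt" > "$work/bundle.crt"
  echo "client-root against root.crt:   $(check_client "$work/root.crt" "$work/client-root.crt")"
  echo "client-int  against root.crt:   $(check_client "$work/root.crt" "$work/client-int.crt")"
  echo "client-int  against bundle.crt: $(check_client "$work/bundle.crt" "$work/client-int.crt")"
}
demo
```

Nginx builds the same chain from the file named in ssl_client_certificate, so the intermediate certificate must be in that file and ssl_verify_depth must be raised to 2 (its default of 1 stops at the intermediate) before the intermediate-signed client is accepted.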