Nginx client side certificate authentication

FAPM · Jul 21, 2015

Hi ALL ,

Question on certificate authentication on nginx

Currently, It's ok via openssl ...

But I would use certificates recognized by organizations (thawte etc ...).

But how can I filter based on certificates of my clients or my organization?

For if I authorize the CA of an organization (ex thawte) they will all be accepted? no?,

ALL Thx

Best regards

eva2000 · Jul 21, 2015

no idea about client site filtering of SSL certificates by CA organisations..

what usage case would you require such ?

FAPM · Jul 21, 2015

Hi eva2000,

In production, it is not recommended to use OpenSSL: - /

And necessarily, every company can apply for a certificate for authentication (eg comodo personal certificate authentication)

I prefer to authenticate a client or user certificate (/ secure zone), and even otp pam google authentificator more

eva2000 · Jul 21, 2015

FAPM said: ↑

In production, it is not recommended to use OpenSSL: - /
Click to expand...

not sure I understand ?

FAPM said: ↑

And necessarily, every company can apply for a certificate for authentication (eg comodo personal certificate authentication)

I prefer to authenticate a client or user certificate (/ secure zone), and even otp pam google authentificator more
Click to expand...

you'd have to elaborate as I don't quite understand authentication for what ? access to a web site served via nginx ?

edit: might need to use nginx variable ssl_verify_client Module ngx_http_ssl_module and ssl_client_certificate Module ngx_http_ssl_module options but I haven't done this myself

Syntax: ssl_verify_client on | off | optional | optional_no_ca;
Default:
ssl_verify_client off;
Context: http, server
Enables verification of client certificates. The verification result is stored in the $ssl_client_verify variable.

The optional parameter (0.8.7+) requests the client certificate and verifies it if the certificate is present.

The optional_no_ca parameter (1.3.8, 1.2.5) requests the client certificate but does not require it to be signed by a trusted CA certificate. This is intended for the use in cases when a service that is external to nginx performs the actual certificate verification. The contents of the certificate is accessible through the $ssl_client_cert variable.
Click to expand...

FAPM · Jul 21, 2015

eva2000 said: ↑

you'd have to elaborate as I don't quite understand authentication for what ? access to a web site served via nginx ?
Click to expand...

Access to a web site nginx server via certificate and google authentificator

eva2000 said: ↑

not sure I understand ?
Click to expand...

For business, not personal

eva2000 · Jul 21, 2015

Might need to use nginx variable ssl_verify_client Module ngx_http_ssl_module and ssl_client_certificate Module ngx_http_ssl_module options but I haven't done this myself so you'd be on your own.

Syntax: ssl_verify_client on | off | optional | optional_no_ca;
Default:
ssl_verify_client off;
Context: http, server
Enables verification of client certificates. The verification result is stored in the $ssl_client_verify variable.

The optional parameter (0.8.7+) requests the client certificate and verifies it if the certificate is present.

The optional_no_ca parameter (1.3.8, 1.2.5) requests the client certificate but does not require it to be signed by a trusted CA certificate. This is intended for the use in cases when a service that is external to nginx performs the actual certificate verification. The contents of the certificate is accessible through the $ssl_client_cert variable.
Click to expand...

Syntax: ssl_client_certificate file;
Default: —
Context: http, server
Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled.

The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used.
Click to expand...

FAPM · Jul 21, 2015

thank you eva2000

I'll test: ssl_client_certificate file

It works with ssl_verify_client via certificate is self-signed

I have not yet tested with: ssl_client_certificate file

apparently, I must add the certificate to a file

You are very reactive on this forum, it is really very aprciable

eva2000 · Jul 21, 2015

I try

for more complex nginx configurations like this also ask on official Nginx forums at Nginx Forum :: Nginx Mailing List - English

Log in / Register

Forums

Want more timely Centmin Mod News Updates?

Nginx client side certificate authentication

FAPM Member

eva2000 Administrator Staff Member

FAPM Member

eva2000 Administrator Staff Member

FAPM Member

eva2000 Administrator Staff Member

FAPM Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Want more timely Centmin Mod News Updates?

Nginx client side certificate authentication

FAPM Member

eva2000 Administrator Staff Member

FAPM Member

eva2000 Administrator Staff Member

FAPM Member

eva2000 Administrator Staff Member

FAPM Member

eva2000 Administrator Staff Member

.