Nginx client side certificate authentication

Discussion in 'Nginx, PHP-FPM & MariaDB MySQL' started by FAPM, Jul 21, 2015.

  1. FAPM

    FAPM Member

    58
    4
    8
    Jul 16, 2015
    Ratings:
    +6
    Local Time:
    7:55 AM
    1.9.2
    10.0.20
    Hi ALL :),

    Question on certificate authentication on nginx

    Currently, it's OK via openssl ...

    But I would use certificates recognized by organizations (Thawte etc.).

    But how can I filter based on certificates of my clients or my organization?

    Because if I authorize the CA of an organization (e.g. Thawte), they will all be accepted, no?

    ALL Thx;)

    Best regards
     
  2. eva2000

    eva2000 Administrator Staff Member

    28,988
    6,579
    113
    May 24, 2014
    Brisbane, Australia
    Ratings:
    +9,767
    Local Time:
    3:55 PM
    Nginx 1.13.x
    MariaDB 5.5
    No idea about client side filtering of SSL certificates by CA organisations.

    What use case would you require such for?
     
  3. FAPM

    Hi eva2000,

    In production, it is not recommended to use OpenSSL :-/

    And necessarily, every company can apply for a certificate for authentication (e.g. Comodo personal certificate authentication).

    I prefer to authenticate a client or user certificate (/ secure zone), and even OTP PAM Google Authenticator more :)
     
  4. eva2000

    Not sure I understand?
    You'd have to elaborate as I don't quite understand: authentication for what? Access to a web site served via nginx?

    edit: might need to use nginx variable ssl_verify_client (Module ngx_http_ssl_module) and ssl_client_certificate (Module ngx_http_ssl_module) options, but I haven't done this myself

     
    Last edited: Jul 21, 2015
  5. FAPM

    Access to a web site on an nginx server via certificate and Google Authenticator.
    For business, not personal.
     
  6. eva2000

    Might need to use nginx variable ssl_verify_client (Module ngx_http_ssl_module) and ssl_client_certificate (Module ngx_http_ssl_module) options, but I haven't done this myself so you'd be on your own.

     
  7. FAPM

    Thank you eva2000 :)

    I'll test: ssl_client_certificate file

    It works with ssl_verify_client via a certificate that is self-signed.

    I have not yet tested with: ssl_client_certificate file

    Apparently, I must add the certificate to a file :)

    You are very reactive on this forum, it is really very appreciable :)
     
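An added example, not written by either poster in this thread, of the two directives named above combined with a filter: trusting a public CA in ssl_client_certificate makes every certificate that CA issued verify, so a map on the verified subject DN (or on the certificate fingerprint) narrows access to one organisation or to named clients. The server name, file paths, organisation name and fingerprint are placeholders, and the DN regex is an assumption to check against the string your nginx version actually puts in $ssl_client_s_dn.

```nginx
# Added example; all names, paths and values below are placeholders.

# http {} context: allow only certificates whose subject carries our organisation.
map $ssl_client_s_dn $client_dn_allowed {
    default 0;
    # The DN string format depends on the nginx version: legacy
    # "/C=../O=../CN=.." on older releases, RFC 2253 "CN=..,O=..,C=.."
    # from 1.11.6. Log $ssl_client_s_dn once before trusting this regex.
    "~(^|[,/])O=Example Org(,|/|$)" 1;
}

# http {} context: allow individual certificates by SHA1 fingerprint
# (lowercase hex, no colons), independent of the DN format.
map $ssl_client_fingerprint $client_fp_allowed {
    default 0;
    "0000000000000000000000000000000000000000" 1;   # placeholder value
}

server {
    listen 443 ssl;
    server_name secure.example.com;

    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # CA certificate(s) used to verify client certificates. With a public CA
    # this alone accepts ANY certificate that CA has issued.
    ssl_client_certificate /etc/nginx/ssl/client-ca-chain.pem;
    ssl_verify_client on;     # handshake without a valid client cert is rejected
    ssl_verify_depth 2;       # default is 1; raise it if the CA uses intermediates

    location / {
        # Chain verification passed; now require our organisation in the subject.
        if ($client_dn_allowed = 0) { return 403; }
        root /var/www/secure;
    }

    location /admin/ {
        # Stricter zone: only explicitly listed certificates.
        if ($client_fp_allowed = 0) { return 403; }
        root /var/www/secure;
    }
}
```

Adding $ssl_client_verify, $ssl_client_s_dn and $ssl_client_fingerprint to a log_format shows which certificates were presented and why a request was refused.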