Client Side Certificates

Don't trust me!

Why?

CACert

The Web of Trust We Trust

CACert?

  • Community-driven certificate authority
  • Non-profit
  • Founded 24 July 2003
  • 267369 users
  • 5850 assurers

Client Side Certificates

nginx, Rails

server config


server {
  # …
  # CA = certificate authority; client certificates must chain to this file.
  # nginx also sends these CA names in the certificate request, so the browser
  # knows which of its client certificates to offer.
  ssl_client_certificate path/certificate_authority.crt;
  # ssl_verify_client [on, off, optional, optional_no_ca]
  # optional: ask for a certificate but accept the request without one.
  # A certificate that fails verification is still rejected by nginx (400);
  # only optional_no_ca lets such requests through, flagged in $ssl_client_verify.
  ssl_verify_client optional;
  # …
}

proxy config


# serial number (upper-case hex, e.g. "01"); only unique within one CA
proxy_set_header SSL-client-serial $ssl_client_serial;
# subject distinguished name (RFC 2253 form since nginx 1.11.6)
proxy_set_header SSL-client-dn $ssl_client_s_dn;
# "SUCCESS", "FAILED:reason" (plain "FAILED" before nginx 1.11.7),
# or "NONE" if no certificate was presented
proxy_set_header SSL-client-verify $ssl_client_verify;
# proxy_set_header replaces any same-named header the client sent, so the
# backend may trust these values only if it is reachable through this proxy
# alone (never expose the Rails port directly).
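The Rails side of the proxy config above, as an added example that is not part of the slides: a small Rack middleware that reads the three forwarded headers (Rack exposes `SSL-client-verify` as `env["HTTP_SSL_CLIENT_VERIFY"]`, and so on), maps a verified certificate serial to a user, and handles the `NONE`, `FAILED` and missing-header cases. The user table and the request helper are constructed for the demo; the header names are the ones from the proxy config.

```ruby
# Added example (not from the slides): consume the nginx client-cert headers in Rack/Rails.
class ClientCertAuth
  VERIFY_HDR = "HTTP_SSL_CLIENT_VERIFY"   # SSL-client-verify
  SERIAL_HDR = "HTTP_SSL_CLIENT_SERIAL"   # SSL-client-serial
  DN_HDR     = "HTTP_SSL_CLIENT_DN"       # SSL-client-dn

  # Constructed user table keyed by serial as nginx renders it: $ssl_client_serial
  # is upper-case, even-length hex (serial 1 -> "01"). Serials are unique only
  # within one CA, which is fine while ssl_client_certificate pins a single CA.
  USERS = {
    "01" => { login: "ben",   dn: "CN=ben,O=I'm-Awesome-CA" },
    "02" => { login: "alice", dn: "CN=alice,O=I'm-Awesome-CA" },
  }.freeze

  def initialize(app, users: USERS)
    @app, @users = app, users
  end

  def call(env)
    verify = env[VERIFY_HDR]
    case verify
    when "SUCCESS"
      user = @users[env[SERIAL_HDR].to_s.upcase]
      return forbidden("unknown certificate serial") unless user
      # Belt and braces: the subject must be the one enrolled for this serial.
      return forbidden("subject mismatch") unless user[:dn] == env[DN_HDR]
      env["clientcert.user"] = user[:login]
      @app.call(env)
    when "NONE"
      # ssl_verify_client optional: no certificate offered; let the app decide
      # (e.g. render a password login form).
      @app.call(env)
    when nil
      # Header absent: the request did not pass through the TLS proxy, so nothing
      # here can be trusted.
      forbidden("no TLS proxy headers")
    else
      # "FAILED" or "FAILED:<reason>"; only reaches us with optional_no_ca.
      forbidden("client certificate rejected: #{verify}")
    end
  end

  private

  def forbidden(reason)
    [403, { "content-type" => "text/plain" }, ["Forbidden: #{reason}\n"]]
  end
end

# Minimal downstream app so the middleware can be exercised without Rails.
APP = ->(env) {
  [200, { "content-type" => "text/plain" }, ["hello #{env["clientcert.user"] || "anonymous"}\n"]]
}
STACK = ClientCertAuth.new(APP)

# Build a Rack env the way Rack would from the proxied headers (constructed input).
def request_with(headers)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" }
  headers.each { |name, value| env["HTTP_" + name.upcase.tr("-", "_")] = value }
  STACK.call(env)
end

if __FILE__ == $0
  p request_with("SSL-client-verify" => "SUCCESS", "SSL-client-serial" => "01",
                 "SSL-client-dn" => "CN=ben,O=I'm-Awesome-CA")   # 200, "hello ben"
  p request_with("SSL-client-verify" => "NONE")                  # 200, "hello anonymous"
  p request_with({})                                             # 403, no proxy headers
end
```

In a Rails app the same logic lives in a `before_action` reading `request.headers["SSL-client-verify"]`; the important part is the `nil` branch, which refuses to believe anything when the request did not come through nginx.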

…demo…

I'm-Awesome-CA

…in progress…

certificate authority


# generate authority: 4096-bit key, then a self-signed CA certificate (-x509)
# valid for one year; keep certificate_authority.key offline and unreadable
openssl genrsa -out certificate_authority.key 4096
chmod 600 certificate_authority.key
openssl req -new -x509 -sha256 -days 365 -key certificate_authority.key -out certificate_authority.crt

server crt signed by the CA


# generate server key (2048 bits minimum; the original 1024-bit key is rejected by current browsers)
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr -subj '/CN=localhost'
# sign the CSR with the CA; -CAcreateserial keeps a serial file so each issued
# certificate gets a unique serial (a fixed -set_serial 01 would collide with the client cert)
openssl x509 -req -sha256 -days 365 -in server.csr -CA certificate_authority.crt -CAkey certificate_authority.key -CAcreateserial -out server.crt

and client?

…demo…
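The client-side steps that the demo walks through, as an added example that is not from the slides: the same flow (CA, client key and CSR, CA-signed client certificate with a clientAuth extended key usage, chain verification as nginx does it, and a PKCS#12 bundle for browser import) written against Ruby's OpenSSL bindings, the library Rails itself uses, so it runs without the openssl CLI. The names (`I'm-Awesome-CA`, `CN=ben`) and the 2048-bit keys are placeholders chosen for demo speed; a real CA key should be 4096 bits as in the slides.

```ruby
require "openssl"

# Added example (not the slides' code): CA and client certificate flow in Ruby OpenSSL.
ONE_YEAR = 365 * 24 * 60 * 60
DIGEST   = "SHA256"

# Self-signed root, the equivalent of `openssl req -new -x509 ... certificate_authority.crt`.
def make_ca(subject = "/O=I'm-Awesome-CA/CN=I'm-Awesome-CA Root", bits: 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = 0
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)   # issuer, subject
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash", false))
  cert.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, cert]
end

# The client keeps its private key and hands over only a CSR
# (`openssl req -new -key client.key -out client.csr`).
def make_csr(subject, bits: 2048)
  key = OpenSSL::PKey::RSA.new(bits)
  csr = OpenSSL::X509::Request.new
  csr.version    = 0
  csr.subject    = OpenSSL::X509::Name.parse(subject)
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new(DIGEST))
  [key, csr]
end

# Issues client certificates. Keeps a serial counter because serials must be
# unique per CA; a fixed `-set_serial 01` would hand every cert the same serial.
class IssuingCA
  def initialize(key, cert, next_serial: 1)
    @key, @cert, @next_serial = key, cert, next_serial
  end

  def sign_client(csr)
    raise "CSR self-signature invalid" unless csr.verify(csr.public_key)
    c = OpenSSL::X509::Certificate.new
    c.version    = 2
    c.serial     = @next_serial
    @next_serial += 1
    c.subject    = csr.subject
    c.issuer     = @cert.subject
    c.public_key = csr.public_key
    c.not_before = Time.now
    c.not_after  = c.not_before + ONE_YEAR
    ef = OpenSSL::X509::ExtensionFactory.new(@cert, c)
    c.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
    c.add_extension(ef.create_extension("keyUsage", "digitalSignature", true))
    c.add_extension(ef.create_extension("extendedKeyUsage", "clientAuth", false))   # TLS client auth only
    c.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always", false))
    c.sign(@key, OpenSSL::Digest.new(DIGEST))
    c
  end
end

# What nginx does with ssl_client_certificate: chain the presented certificate to
# the configured CA. Returns the same shape as $ssl_client_verify.
def verify_like_nginx(ca_cert, client_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.verify(client_cert) ? "SUCCESS" : "FAILED:#{store.error_string}"
end

# The values the proxy config forwards: $ssl_client_serial is upper-case,
# even-length hex (serial 1 -> "01"); $ssl_client_s_dn is RFC 2253 on nginx >= 1.11.6.
def nginx_headers(client_cert)
  { "SSL-client-serial" => client_cert.serial.to_s(16),
    "SSL-client-dn"     => client_cert.subject.to_s(OpenSSL::X509::Name::RFC2253) }
end

# PKCS#12 bundle for import into a browser (what `openssl pkcs12 -export` produces).
def browser_bundle(key, cert, ca_cert, passphrase)
  OpenSSL::PKCS12.create(passphrase, "client", key, cert, [ca_cert],
                         "aes-256-cbc", "aes-256-cbc").to_der
end

if __FILE__ == $0
  ca_key, ca_cert = make_ca
  ca = IssuingCA.new(ca_key, ca_cert)
  client_key, csr = make_csr("/O=I'm-Awesome-CA/CN=ben")
  client_cert = ca.sign_client(csr)
  puts verify_like_nginx(ca_cert, client_cert)                         # SUCCESS
  p nginx_headers(client_cert)                                         # serial "01", dn "CN=ben,O=I'm-Awesome-CA"
  puts browser_bundle(client_key, client_cert, ca_cert, "changeit").bytesize
end
```

Two details matter for the nginx side: the `extendedKeyUsage = clientAuth` marking, which a server certificate issued by the same CA would not carry, and the per-CA serial counter, since the forwarded `SSL-client-serial` is all the Rails app gets to identify a user.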

Q&A

Thanks

ben.rexin.at/clientcert-slide

Source/Further