Why?

CACert

The Web of Trust We Trust

CACert?

• Community-Driven Certificate Authority
• Non-Profit
• 24. July 2003
• 267369 Nutzer
• 5850 Assurer

Client Side Certificates

nginx, Rails

server config

server {
  # …
  # CA = certificate authority
  ssl_client_certificate path/certificate_authority.crt;
  # ssl_verify_client [on, off, optional, optional_no_ca]
  ssl_verify_client optional;
  # …
}
            

proxy config

# serial number
proxy_set_header SSL-client-serial $ssl_client_serial;
# subject distinguished name
proxy_set_header SSL-client-dn $ssl_client_s_dn;
# “SUCCESS”, “FAILED”, or “NONE” if a certificate was not present;
proxy_set_header SSL-client-verify $ssl_client_verify;
            

…demo…

I'm-Awesome-CA

…in progress…

certificate authority

# generate authority
openssl genrsa -out certificate_authority.key 4096
openssl req -new -x509 -days 365 -key certificate_authority.key -out certificate_authority.crt
            

self signed server crt

# generate server
openssl genrsa -out server.key 1024
openssl req -new -key server.key -out server.csr -subj '/CN=localhost'
openssl x509 -req -days 365 -in server.csr -CA certificate_authority.crt -CAkey certificate_authority.key -set_serial 01 -out server.crt
            

and client?

…demo…

Q&A

Thanks

ben.rexin.at/clientcert-slide

Source/Further

• CACert Statistics
• CACert Wiki
• nginx ssl module variables
• CACert Apache Server Client Certificate Authentication