Date:      Wed, 31 Jul 2019 17:43:51 -0500
From:      Doug McIntyre <merlyn@geeks.org>
To:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: OpenSSL client certificates
Message-ID:  <20190731224351.GA67809@geeks.org>
In-Reply-To: <6F225C67-4264-4E28-A1E2-69CDFE321B16@mail.sermon-archive.info>
References:  <6F225C67-4264-4E28-A1E2-69CDFE321B16@mail.sermon-archive.info>

On Mon, Jul 29, 2019 at 06:11:59PM -0700, Doug Hardie wrote:
> I have a Let's Encrypt certificate my app uses for the clients to validate me.  However, I need to be able to validate the client's identity using a client certificate.  Let's Encrypt certificates cannot be used to create client certificates.  So I need to be able to use a self-signed certificate for the client certificate validation.  I have been digging around through nginx code to see what I could find, but I am not sure it does that either.  Any ideas on how to do this with openssl?


How are you validating a client's identity? Through a web page?
An email? Logged into a shell?

OpenSSL is a command line tool to manipulate/create/change SSL certs. It can be used
to set up your own PKI infrastructure (although it is fairly fugly in how to do it).

Google "Setup PKI with openssl" and you'll get 1000s of articles. Most poor.

If you want to validate your clients connecting to a web page (since
you mention nginx), you can do Google searches for "SSL client
authentication with nginx" and get pages like
https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
which is what I think you are trying to do.


I'm sure there are hundreds of other pages out there for Apache and
Nginx dealing with the subject. I've never really seen people
enjoy the experience of doing client-side web authentication though.

The new hotness is WebAuthn and a security dongle.

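The setup the thread is circling around, as an added worked example (not code from either poster): a private, self-signed CA made with the openssl CLI, a client certificate issued from it, the verification nginx's ssl_verify_client performs against that CA, and the nginx directives that pair the private client CA with a public Let's Encrypt server certificate. It assumes POSIX sh and the openssl CLI (1.0.2 or later); the CA name, the client name "alice", the rogue certificate, the /etc/letsencrypt paths and the example.org site are illustrative assumptions, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): a private CA for client
# certificates, an issued client cert, the check nginx performs, and the
# nginx directives that pair it with a Let's Encrypt server cert.
# Assumes: POSIX sh and the openssl CLI (1.0.2 or later). All names, paths
# and the nginx site below are illustrative assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Private (self-signed) CA used only to issue and verify client certs.
#    Browsers never see it as a server cert, so it needs no public trust;
#    the Let's Encrypt cert keeps that job.
make_ca() {
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
                  'keyUsage=critical,keyCertSign,cRLSign' \
                  'subjectKeyIdentifier=hash' > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj '/CN=Example Client CA' \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 3650 -in "$WORK/ca.csr" \
        -signkey "$WORK/ca.key" -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Client key + CSR, signed by the CA with the clientAuth EKU and no CA
#    bit, so a leaked client cert cannot be used to mint further certs.
issue_client() {
    name="$1"
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
                  'keyUsage=critical,digitalSignature' \
                  'extendedKeyUsage=clientAuth' > "$WORK/client.ext"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -extfile "$WORK/client.ext" -out "$WORK/$name.crt" 2>/dev/null
}

# 3. The check nginx's ssl_verify_client performs: chain to the trusted CA
#    file and be valid for the TLS client purpose. Exit status 0 = accepted.
verify_client() {
    openssl verify -CAfile "$WORK/ca.crt" -purpose sslclient "$1" >/dev/null 2>&1
}

# 4. The identity nginx hands to the application ($ssl_client_s_dn).
client_subject() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" | sed 's/^subject= *//'
}

# 5. nginx site fragment: public Let's Encrypt cert on the server side,
#    private CA on the client side. Paths and hostname are assumptions.
write_nginx_snippet() {
    cat > "$WORK/client-auth.conf" <<EOF
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate     /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    # Trust anchor for client certificates: the private CA, not Let's Encrypt.
    ssl_client_certificate $WORK/ca.crt;
    ssl_verify_client on;       # refuse the handshake without a valid client cert
    ssl_verify_depth 1;         # CA -> client; nothing deeper is expected
    location / {
        proxy_set_header X-Client-DN \$ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
EOF
}

make_ca
issue_client alice
write_nginx_snippet

# A cert with the same CN but signed by some other self-signed issuer must
# be rejected: identity comes from the chain to our CA, not from the subject.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 -subj '/CN=alice' \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null

if verify_client "$WORK/alice.crt"; then
    echo "alice.crt accepted: $(client_subject "$WORK/alice.crt")"
fi
if ! verify_client "$WORK/rogue.crt"; then
    echo "rogue.crt rejected (not issued by our CA)"
fi
```

The point of the rogue certificate at the end is the one that bites people who copy a tutorial: nginx with ssl_verify_client on trusts whatever chains to the file named in ssl_client_certificate, so the CA key must stay offline and the application must key on $ssl_client_s_dn (or the serial) rather than on the mere presence of a certificate. Keep ssl_verify_depth at the real chain length so an intermediate someone slips in cannot extend it.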


Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20190731224351.GA67809>