From: Doug McIntyre <merlyn@geeks.org>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Date: Wed, 31 Jul 2019 17:43:51 -0500
Subject: Re: OpenSSL client certificates
Message-ID: <20190731224351.GA67809@geeks.org>
In-Reply-To: <6F225C67-4264-4E28-A1E2-69CDFE321B16@mail.sermon-archive.info>

On Mon, Jul 29, 2019 at 06:11:59PM -0700, Doug Hardie wrote:
> I have a Let's Encrypt certificate my app uses for the clients to validate me. However, I need to be able to validate the client's identity using a client certificate. Let's Encrypt certificates cannot be used to create client certificates. So I need to be able to use a self-signed certificate for the client certificate validation. I have been digging around through nginx code to see what I could find, but I am not sure it does that either. Any ideas on how to do this with openssl?

How are you validating a client's identity? Through a web page? An email? Logged into a shell?

OpenSSL is a command line tool to manipulate/create/change SSL certs. It can be used to set up your own PKI infrastructure (although it is fairly fugly in how to do it). Google "Setup PKI with openssl" and you'll get 1000s of articles. Most poor.

If you want to validate your clients connecting to a web page (since you mention nginx), you can do Google searches for "SSL client authentication with nginx" and get pages like https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/ which is what I think you are trying to do. I'm sure there are hundreds of other pages out there for Apache and Nginx dealing with the subject.

I've never really seen people really enjoy the experience of doing client-side web authentication though. The new hotness is webauthn and a security dongle.
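A worked example of the private-CA route the reply points at, added here and not code from the thread or from the linked article: build a self-signed CA with the openssl CLI, issue a client certificate from it, and run the same chain check nginx applies when `ssl_verify_client` is on. All directory names, file names and CNs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a private CA for client certificates
# built with the openssl CLI, and the chain check nginx performs when
# ssl_verify_client is on. All file names and CNs are constructed.
set -eu

# make_ca DIR NAME: self-signed CA key and cert that will sign client certs.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client DIR CADIR USER: key, CSR and CA-signed cert for one client.
issue_client() {
    mkdir -p "$1"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -in "$1/$3.csr" -CA "$2/ca.crt" -CAkey "$2/ca.key" \
        -CAcreateserial -days 365 -out "$1/$3.crt" 2>/dev/null
}

# verify_client CAFILE CERT: exit 0 if CERT chains to CAFILE, non-zero if not.
# This is the check nginx applies to the presented client cert with
#   ssl_client_certificate /etc/nginx/ssl/ca.crt;   # our CAFILE (constructed path)
#   ssl_verify_client on;
# in the server block; certs from any other CA, a public one included, fail.
verify_client() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Demo: two CAs; only a client cert issued by our own CA is accepted.
demo() {
    work=$(mktemp -d)
    make_ca "$work/ca" "Example Private CA"
    make_ca "$work/other" "Some Other CA"
    issue_client "$work/clients" "$work/ca" alice
    issue_client "$work/clients" "$work/other" bob
    verify_client "$work/ca/ca.crt" "$work/clients/alice.crt" && echo "alice: accepted"
    verify_client "$work/ca/ca.crt" "$work/clients/bob.crt" || echo "bob: rejected"
    rm -rf "$work"
}

demo
```

Point `ssl_client_certificate` at the `ca.crt` produced by `make_ca` and hand `alice.key`/`alice.crt` to the client; a certificate signed by any other CA is rejected at the TLS handshake before the request reaches the application.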