client-cert-demo

A trivial dummy CA and client certificate authentication proxy demo

Generate some dummy keys and certs

Generate a dummy CA, client key+cert and server key+cert from scratch: clone this repo and run ./go.sh

Set up your browser for certificate based authentication

Import the dummy client certificate client/dummy-client.p12 to your browser. The password is secret. Don't tell anyone.

Eg. in Chrome: Settings > Advanced > HTTPS/SSL > Manage certificates > Import.

Set up an nginx reverse proxy to handle client certificate authentication

Create an nginx configuration package, nginx.tar: ./go.sh package

Copy the package to your server, install prerequisites, and deploy the config:

sudo apt-get update && sudo apt-get -y install openssl nginx
sudo tar oxvf nginx.tar -C /etc
sudo chmod 0600 /etc/nginx/ssl/dummy-server.key
sudo ln -s /etc/nginx/sites-available/nginx-client-auth.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo service nginx restart

The provided configuration sets up a reverse proxy to http://scooterlabs.com/echo

Try it

Fetch https://your.host/echo and inspect the result. If there was much success, the result should contain something like this:

    [headers] => Array
        (
            [X-Client-Cert-Verify] => SUCCESS
            [X-Client-Cert-Subject-DN] => /C=FI/ST=Helsinki/L=Dummy/O=Dummy/OU=IT/CN=Dummy Client
            [X-Client-Cert-Issuer-DN] => /C=FI/ST=Helsinki/L=Dummy/O=Dummy/OU=IT/CN=Dummy CA

TODO

CRL

Acknowledgements

This stuff is inspired by and mostly based on an article by Nate Good.

We're using Brian Cantoni's Echo Service to check our headers.

Much appreciated. Thanks!

Further reading

• On running your own Certificate Authority: https://jamielinux.com/blog/category/CA/