OpenSSL client certificates

Doug Hardie bc979 at lafn.org
Thu Aug 1 01:12:54 UTC 2019


-- Doug

> On 31 July 2019, at 15:43, Doug McIntyre <merlyn at geeks.org> wrote:
> 
> On Mon, Jul 29, 2019 at 06:11:59PM -0700, Doug Hardie wrote:
>> I have a Let's Encrypt certificate my app uses for the clients to validate me.  However, I need to be able to validate the client's identity using a client certificate.  Let's Encrypt certificates cannot be used to create client certificates.  So I need to be able to use a self-signed certificate for the client certificate validation.  I have been digging around through nginx code to see what I could find, but I am not sure it does that either.  Any ideas on how to do this with openssl?
> 
> 
> How are you validating a client's identity? Through a web page?
> An email? Logged into a shell?

This is all in an application for this specific use.  Both the client and server are written by me.  I have seen that page you reference below and that leads me to believe nginx has solved the problem.  I just haven't been able to figure out where or how they do it in the code.  I have been able to get the server to use the validation callback to let me validate the certificate parameters.  It's not perfect as I haven't figured out how to verify the certificate is valid yet.  I can get the fields I need from it for the application.

The vast majority of the clients will be using cell phones.  Dongles are just not practical.  The clients won't use them.  A one-time store of the certificate in the phone is better than passwords which they never remember or use such trivial ones that it is not effective.

> 
> Openssl is a command line tool to manipulate/create/change SSL certs. It can be used
> to setup your own PKI infrastructure (although it is fairly fugly in how to do it).
> 
> Google "Setup PKI with openssl" and you'll get 1000s of articles. Most poor.
> 
> If you want to validate your clients connecting to a web page (since
> you mention nginx), you can do google searches for "SSL client
> authentication with nginx" and get pages like
> https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
> which is what I think you are trying to do.
> 
> 
> I'm sure there are hundreds of other pages out there for Apache and
> Nginx dealing with the subject. I've never really seen people really
> enjoy the experience of doing client-side web authentication though.
> 
> The new hotness is webauthn and a security dongle.
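The setup the original poster describes (a server that presents a Let's Encrypt certificate to clients but trusts only its own self-signed CA when checking client certificates) is a small private PKI, and the two trust decisions are independent of each other. The script below is an added example, not code from the thread or from any project named in it; it builds such a CA with the openssl command-line tool, issues a client certificate from it, and shows which certificates that CA accepts. It assumes openssl 1.1.1 or 3.x is on PATH; the names ca, other-ca, alice and mallory are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds a private CA with the openssl
# command-line tool, issues a client certificate from it, and checks which
# certificates that CA accepts. Assumes openssl 1.1.1 or 3.x is on PATH.
# All names (ca, other-ca, alice, mallory) are made up for the demonstration.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Extensions for leaf (client) certificates: explicitly not a CA, usable for
# TLS client authentication only.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints       = critical, CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed CA certificate + key. The key is what lets you mint
# client certificates, so it belongs offline, not on the server.
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -subj "/CN=$1" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -days 3650 -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_client_cert CANAME CN: key + CSR for the client, signed by the named CA.
# The client later presents CN.crt and proves possession of CN.key in the handshake.
issue_client_cert() {
    openssl req -new -config "$WORK/req.cnf" -subj "/CN=$2" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 365 -extfile "$WORK/client.ext" \
        -out "$WORK/$2.crt" 2>/dev/null
}

# verify_with CAFILE CERT: the same chain check the server performs when CAFILE
# is its trust store for client certificates; prints ok or fail.
verify_with() {
    if openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_ca ca            # the CA the server will trust for client certificates
make_ca other-ca      # an unrelated CA, standing in for any other issuer
issue_client_cert ca alice
issue_client_cert other-ca mallory

echo "alice    (issued by ca)       vs ca:       $(verify_with "$WORK/ca.crt" "$WORK/alice.crt")"
echo "mallory  (issued by other-ca) vs ca:       $(verify_with "$WORK/ca.crt" "$WORK/mallory.crt")"
echo "other-ca (self-signed)        vs ca:       $(verify_with "$WORK/ca.crt" "$WORK/other-ca.crt")"
echo "alice                         vs other-ca: $(verify_with "$WORK/other-ca.crt" "$WORK/alice.crt")"
```

Only alice verifies against ca; a certificate from any other issuer, and the other CA's own self-signed certificate, fail. In an application using the OpenSSL library directly, the equivalent is to load ca.crt with SSL_CTX_load_verify_locations() on the server context and call SSL_CTX_set_verify() with SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT: the library then performs this chain check during the handshake, before the verify callback runs, and the callback's preverify_ok argument (with X509_STORE_CTX_get_error() for the reason) reports the result, so application code should read subject fields from the certificate only when preverify_ok is 1. The server's own Let's Encrypt certificate is loaded separately with SSL_CTX_use_certificate_chain_file() and plays no part in the client-certificate check.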