OpenSSL client certificates
bc979 at lafn.org
Thu Aug 1 01:12:54 UTC 2019
> On 31 July 2019, at 15:43, Doug McIntyre <merlyn at geeks.org> wrote:
> On Mon, Jul 29, 2019 at 06:11:59PM -0700, Doug Hardie wrote:
>> I have a Let's Encrypt certificate my app uses for the clients to validate me. However, I need to be able to validate the client's identity using a client certificate. Let's Encrypt certificates cannot be used to create client certificates. So I need to be able to use a self-signed certificate for the client certificate validation. I have been digging around through nginx code to see what I could find, but I am not sure it does that either. Any ideas on how to do this with openssl?
> How are you validating a client's identity? Through a web page?
> An email? Logged into a shell?
This is all in an application for this specific use. Both the client and server are written by me. I have seen that page you reference below and that leads me to believe nginx has solved the problem. I just haven't been able to figure out where or how they do it in the code. I have been able to get the server to use the validation callback to let me validate the certificate parameters. It's not perfect as I haven't figured out how to verify the certificate is valid yet. I can get the fields I need from it for the application.
The vast majority of the clients will be using cell phones. Dongles are just not practical. The clients won't use them. A one-time store of the certificate in the phone is better than passwords which they never remember or use such trivial ones that it is not effective.
> Openssl is a command line tool to manipulate/create/change SSL certs. It can be used
> to set up your own PKI infrastructure (although it is fairly fugly in how to do it).
> Google "Setup PKI with openssl" and you'll get 1000s of articles. Most poor.
> If you want to validate your clients connecting to a web page (since
> you mention nginx), you can do google searches for "SSL client
> authentication with nginx" and get pages like
> which is what I think you are trying to do.
> I'm sure there are hundreds of other pages out there for Apache and
> Nginx dealing with the subject. I've never really seen people really
> enjoy the experience of doing client-side web authentication though.
> The new hotness is webauthn and a security dongle.
> freebsd-questions at freebsd.org mailing list
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe at freebsd.org"
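The private-CA workflow discussed in this thread, as an added example that is not part of the original messages: a self-signed CA acts as the trust anchor, client certificates are issued from it, and the server checks that a presented certificate chains to that CA before reading any identity field from it. It assumes the openssl CLI is installed; the directory layout, the CA subject and the user name are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): private CA for client-certificate
# authentication. Assumes the openssl CLI; all names and subjects are constructed.
set -e

# Create a self-signed CA in $1. This is the trust anchor the server uses
# instead of Let's Encrypt, which does not issue client certificates.
make_private_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" \
        -subj "/CN=Example Private Client CA" 2>/dev/null
}

# Issue a client certificate for user $2, signed by the CA kept in $1.
# In practice the private key is generated on the client (the phone) and only
# the CSR is sent to the CA; it is done in one place here to stay self-contained.
issue_client_cert() {
    dir=$1; user=$2
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" \
        -subj "/CN=$user" 2>/dev/null
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 90 -out "$dir/$user.pem" 2>/dev/null
}

# The check the server must perform before trusting anything in the cert:
# does it chain to our CA and is it inside its validity period?
# Prints OK or FAIL so it can be used from other scripts.
verify_client_cert() {
    if openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

# Only after verify_client_cert says OK is it safe to read identity fields.
client_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/'
}
```

The same chain check is what the OpenSSL C API reports to a verify callback through its preverify_ok argument, so a callback that inspects subject fields should still return 0 whenever preverify_ok is 0. At the TLS layer the equivalent server setting is SSL_VERIFY_PEER together with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, with the CA file loaded via SSL_CTX_load_verify_locations.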