What is the best way to authenticate users with SSL certificates?

A

Alexander Kubintsev2015-02-12 10:34:19

Nginx

Alexander Kubintsev, 2015-02-12 10:34:19

In principle, I know the answer to the subject in the simplest form (openssl, nginx, etc.)
But either I can’t formulate a short question for Google, or one moment always remains behind the scenes.
A self-signed server certificate doesn't work for me. In theory, it turns out that in order to obtain a client certificate on a domain with a verified certificate, you need to have a CA key, which naturally no one will give.
So is there any way to get around this problem?
It is assumed that client certificates will be constantly added and used instead of a login and password to enter your personal account.

Reply

Answer the question

In order to leave comments, you need to log in

1 answer(s)

N

Nikolai Korabelnikov, 2015-02-12
@akubintsev

If you want to create user certificates yourself, then you must have the CA key. Otherwise, you won't be able to sign anything. Then your actions are as follows:
1. Create a CA key pair
2. Create a self-signed CA certificate
3. Indicate to the web server that this certificate is a CA certificate for user authentication (I don’t know how on nginx, I did it only on apache)
4. Create a key a pair of user (or he creates it himself) and generate a csr - a request for a certificate.
5. Issue a certificate by signing it with your CA.
openssl x509 -req -days 365 -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
where
ca.crt is the CA certificate from step 2
ca.key is the CA private key from step .one
client.csr - csr from item 4
client.crt - user certificate output file.
6. Install the resulting certificate to the user.
7. Set up the requirement for certificate authentication.
Don't forget to make an SSL certificate for the server itself.
You can deploy a full PKI to issue and manage user certificates. This, of course, will greatly simplify life.