I've registered on startssl.com and so retrieved 4 files for my domain:

  • ssl.key - the private key file
  • ssl.crt - the certificate file
  • ca.pem - Root CA
  • sub.class1.server.ca.pem - Class 1 Intermediate Server CA certificate

To remove the password I did:

openssl rsa -in ssl.key -out ssl.key.nopwd

Then, I set up my nginx config:

server {
    listen 443 ssl;
    ssl on;

    ssl_certificate /etc/nginx/ssl/ssl.crt;
    ssl_certificate_key /etc/nginx/ssl/ssl.key.nopwd;
    keepalive_timeout 70;
    fastcgi_param SSL_VERIFIED $ssl_client_verify;
    fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial;
    fastcgi_param SSL_CLIENT_CERT $ssl_client_cert;
    fastcgi_param SSL_DN $ssl_client_s_dn;

    server_name ***;
    root /var/www/***;
}

After nginx restarted I can successfully access my site via https. But now I want to secure my site and give access to it only with a certificate installed in a client browser. As I understand it, I must set it up in the nginx config:

ssl_client_certificate    etc/nginx/ssl/[WHAT_SHOULD_BE_HERE?]
ssl_verify_client         on;

But what file should I point to? How can I generate a client certificate from the server one?

folibis

1 Answer

Please have a look at this answer. But here is the short version of what needs to happen:

  1. Using ssl.crt as-is is not good enough; you should concatenate ssl.crt + intermediate CA(s) + Root CA (in this order) into a single file and use this file in the ssl_certificate statement.

  2. You need to consolidate the Intermediate CA(s) + Root CA of your CLIENT certificate into a single file and add it in the ssl_client_certificate statement.

  3. Optional but highly recommended: set up a rule for which client certificate subject names you require (i.e. CN, O, OU, DC, etc.) by analyzing the $ssl_client_s_dn variable.

  4. It is also highly recommended to enable OCSP stapling by combining the Intermediate CA(s) + Root CA of your SERVER certificate and adding it to the ssl_trusted_certificate statement as follows:

    ssl_trusted_certificate /etc/nginx/ssl/ocsp-chain.crt;
    ssl_stapling on;
    ssl_stapling_verify on;
    
  5. You may also want to pass certificate info to your fastcgi module:

    ...
    fastcgi_param   VERIFIED $ssl_client_verify;
    fastcgi_param   DN $ssl_client_s_dn;
    ...
    
dtoubelis
  • ok I did `cat ssl.crt sub.class1.server.ca.pem ca.pem > server.crt` and updated nginx config with `ssl_certificate /etc/nginx/ssl/server.crt;`. Also I did `cat sub.class1.server.ca.pem ca.pem > client.crt` and so updated nginx config with `ssl_client_certificate /etc/nginx/ssl/client.crt;`. To the config file I've added `ssl_verify_client on;` But now I get error: `400 Bad Request The SSL certificate error` in the browser while trying to connect. Did I miss something? – folibis Nov 27 '15 at 05:41
  • You messed up the client certificate - you put there chain from your server certificate but the `client.crt` should contain CA chain of your client certificate. If it is self signed then it has to be the client certificate itself. – dtoubelis Nov 28 '15 at 04:18
  • still can't catch that. all I have are these 4 files from startssl and all I need is to make a secure connection with a certificate to the nginx site. Should I create a client certificate from the server one? Or do I need to create a certificate with openssl and then sign it with the server one? I'm really confused – folibis Nov 30 '15 at 00:22
  • How did you create the client certificate? – dtoubelis Dec 01 '15 at 00:29