
I need to implement secure access to the corporate site using SSL certificates. After a long time of searching I've come to the conclusion that there are 2 ways to do that:

  1. creating our own self-signed root CA certificate, then creating a key and certificate for the server (we use nginx) and after that creating client certificates, signed with the self-signed root CA certificate.

  2. receiving a certificate and a key from a Certificate Authority (in our case it was StartSSL).

In 1. there is a big problem: a client browser doesn't accept this certificate and pops up a warning message.

In 2. there is another problem: browsers accept the certificate without problem, but there is no way to sign a client certificate with it.

And so my question: how can I implement secure access to the site on nginx using certificates, and how can I issue client certificates to access the site in the right way?

folibis
  • This is almost certainly the wrong way to go about it. What is the problem you are having, that you want to solve using client certificates? – Jenny D Dec 02 '15 at 12:01
  • Also, have a look at http://security.stackexchange.com/questions/81814/easy-explanation-of-ssl-client-certificates-for-a-developer/84475#84475 for some issues about running your own CA vs accepting certificates issued by other CAs – Jenny D Dec 02 '15 at 12:02
  • @JennyD, why do you think it's the wrong way? I need to provide access to the site for our managers. It should be secure. What other option can you suggest except certificates? – folibis Dec 02 '15 at 12:29
  • You are mixing encryption, authentication and authorization. In order to do this securely, you need to be the one in charge of the underlying PKI infrastructure, which is not just a can of worms but more like a can of Shai-Hulud. Or you could use SSL for encryption and have some other means of authentication/authorization and save yourself about a metric cloudload of trouble, which is what I would recommend. – Jenny D Dec 02 '15 at 12:37


There is no problem #2.

If you're wanting to do certificate-based authentication, then you provide your public key, they provide their public key (wherever it has come from, which is irrelevant), and you each merrily go on your way.

If you just want to use regular SSL encryption (e.g. for HTTPS), then you get yourself a certificate signed by a CA that your users' browsers trust (which is never self-signed). You install the certificate and its certificate chain into your server, and you move on with your life.

If this is a small installation, I would strongly suggest using the EFF's Let's Encrypt program (launching tomorrow, or if you're a visitor from the future, hopefully still launched).

Mark Henderson
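To make the answer's point concrete: the server's publicly trusted certificate and the CA that signs client certificates are independent, so a private CA can be used purely for client authentication while the browser-facing certificate still comes from a public CA. The script below is an added example, not code from the question or the answer; the CA name, the user name "alice", the hostname and the `/etc/ssl/public/` paths are assumptions.

```shell
#!/bin/sh
# Added example: a private CA used only to issue client certificates, with
# an nginx server block that keeps a public CA certificate for TLS itself.
set -e

# Create the private client-signing CA in directory $1 (CA name is assumed).
make_client_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Corp Internal Client CA" \
        -keyout "$1/client-ca.key" -out "$1/client-ca.crt" 2>/dev/null
}

# Issue a client certificate for user $2, signed by the CA in $1,
# and bundle key + cert as PKCS#12 for import into the user's browser.
issue_client_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$1/$2.csr" \
        -CA "$1/client-ca.crt" -CAkey "$1/client-ca.key" -CAcreateserial \
        -out "$1/$2.crt" 2>/dev/null
    # "changeit" is a placeholder export password for the demo bundle.
    openssl pkcs12 -export -passout pass:changeit -inkey "$1/$2.key" \
        -in "$1/$2.crt" -out "$1/$2.p12"
}

# Check that a client cert chains to the private CA, as nginx will at handshake.
verify_client_cert() {
    openssl verify -CAfile "$1/client-ca.crt" "$1/$2.crt" >/dev/null 2>&1
}

# Write the nginx server block: public cert for TLS, private CA for clients.
write_nginx_conf() {
    cat > "$1/site.conf" <<EOF
server {
    listen 443 ssl;
    server_name intranet.example.com;                   # assumed hostname
    ssl_certificate     /etc/ssl/public/fullchain.pem;  # from a public CA (assumed path)
    ssl_certificate_key /etc/ssl/public/privkey.pem;
    ssl_client_certificate $1/client-ca.crt;            # only our private CA is trusted
    ssl_verify_client on;                               # no valid client cert, no access
    ssl_verify_depth 1;
}
EOF
}

# Demo run: sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    make_client_ca ./pki && issue_client_cert ./pki alice && write_nginx_conf ./pki
fi
```

The resulting `site.conf` makes nginx refuse the handshake for any client whose certificate was not issued by `client-ca.crt`, regardless of which public CA signed the server's own certificate.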