
I have a small nginx web server set up at my house, and access to a CAC and reader. The CAC already has public/private X.509 certificates loaded on it. I can export the certificates no problem. I'm trying to figure out how to store the public certificate on the server, so that when the user attempts to access the website, the server can use the public cert to authenticate them. Every guide that I've come across so far talks about using a certificate authority and private key.

  • I have the CA.pem that goes with my CAC, but I cannot get the private-key.pem that goes with that CA file.
  • Is there a way to set up a directory that nginx checks for multiple certs, instead of just one, again without needing the private key?
  • This has to be done with nginx, can't use Apache.

Is this even possible? I'm very new to the whole webserver configuration piece.

joel
  • The private key of a CA is **very** secret and the clients and servers never need to see it. Client authentication with `nginx` requires a list of one (or more) CA certificates concatenated into a single file pointed to by the `ssl_client_certificate` directive and setting `ssl_verify_client on;`. – Richard Smith Jan 25 '18 at 11:16
  • @RichardSmith if I'm understanding you correctly, I don't need the private key at all? – joel Jan 25 '18 at 14:17
  • You only need the CA key to sign new certificates (client or server) issued by that CA, and to modify a certificate revocation list (CRL) for that CA. If you aren't going to issue or revoke any subsequent certs, then yes, you can throw away the key. Not a bad idea in a small setup where reissuing all certs with a new CA would be a simple operation. – Craig Hicks Apr 20 '18 at 22:53

0 Answers