I am trying to set up SSL client authentication. I am using StartSSL as a CA, if that makes any difference. I obtained a root certificate, an intermediate certificate, and a client certificate from StartSSL. I also have several S/MIME certificates for authentication against the StartSSL website. What I am trying to accomplish is to have client certificate authentication for my own site. Everything works using self-signed certificates, but using the signed certs I get confused.
I have the following files from startssl:
root.crt
intermediate.crt
ssl.crt
ssl.key
----------------
user@host-client.crt <- for authenticating against startssl
Then for nginx I run:
cat ssl.crt intermediate.crt root.crt > unified.crt
Then in nginx:
server {
    listen 443;
    ssl on;
    server_name example.com;
    ssl_certificate /etc/nginx/certs/unified.crt;
    ssl_certificate_key /etc/nginx/certs/ssl.key;
    ssl_client_certificate /etc/nginx/certs/<WHAT GOES HERE>;
    ssl_verify_client on;

    location / {
        root /var/www/example.com/html;
    }
}
I'm not sure what to use for ssl_client_certificate if I want to use the StartSSL S/MIME cert, or if that is even possible.
If I can't use the StartSSL S/MIME cert: in a tutorial like this, what would I use as ca.key and ca.crt (possibly the unified SSL cert)?
In either case, how do I determine the ssl_verify_depth? I have found many examples of how to do this with self-signed keys, but as far as using a signed key chain goes, my understanding starts to lag. Thanks for any help!
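The following script is an added example, not part of the question above and not StartSSL's or nginx's own code. It builds a small throwaway PKI (root, intermediate, client certificate) with openssl, assembles the file that `ssl_client_certificate` expects (the CA certificates that issued the client certificate, as opposed to the server's `unified.crt`), runs the same chain check nginx delegates to OpenSSL, and reads off how many CA levels sit above the client certificate, which is a safe value for `ssl_verify_depth`. All names, subjects and paths are constructed for the demo; which real StartSSL intermediate issued a given S/MIME certificate has to be read from that certificate's issuer field.

```shell
#!/bin/sh
# Added example (not from the question): build the trusted-CA bundle for
# nginx's ssl_client_certificate, verify a client cert against it, and
# derive a value for ssl_verify_depth. Everything is a constructed test PKI
# in a temp dir; no real StartSSL material is used and all names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# X.509 v3 extensions for CA certificates (root and intermediate).
cat > "$WORK/ca.ext" <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
# Extensions for the end-entity client certificate.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF

# make_csr NAME SUBJECT: fresh RSA key + CSR written to $WORK/NAME.{key,csr}
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
}

make_csr root         "/CN=Demo Root CA"
make_csr intermediate "/CN=Demo Intermediate CA"
make_csr client       "/CN=user@host"

# Self-signed root.
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null
# Intermediate signed by the root, client signed by the intermediate.
openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.crt" \
  -CAkey "$WORK/root.key" -CAcreateserial -days 1 \
  -extfile "$WORK/ca.ext" -out "$WORK/intermediate.crt" 2>/dev/null
openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/intermediate.crt" \
  -CAkey "$WORK/intermediate.key" -CAcreateserial -days 1 \
  -extfile "$WORK/client.ext" -out "$WORK/client.crt" 2>/dev/null

# What goes into ssl_client_certificate: the CAs that issued the CLIENT
# certificate (intermediate + root). The server's unified.crt is a
# different thing: it is the server's own cert plus its chain.
CLIENT_CA_BUNDLE="$WORK/client-ca-bundle.crt"
cat "$WORK/intermediate.crt" "$WORK/root.crt" > "$CLIENT_CA_BUNDLE"

# verify_client BUNDLE CERT: exit 0 if CERT chains to a CA in BUNDLE and is
# usable for TLS client auth (the check nginx hands to OpenSSL at handshake).
verify_client() {
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

# ca_levels BUNDLE CERT: number of CA certificates above CERT in the chain
# OpenSSL builds (the leaf is depth=0). ssl_verify_depth set to at least this
# value admits the chain on every OpenSSL version; nginx's default is 1.
ca_levels() {
  n=$(openssl verify -show_chain -CAfile "$1" "$2" 2>/dev/null \
        | grep -c '^depth=' || true)
  echo $((n - 1))
}

# Demo run: the bundle works, the root alone does not (intermediate missing).
if verify_client "$CLIENT_CA_BUNDLE" "$WORK/client.crt"; then
  echo "client.crt verifies against intermediate+root bundle"
fi
if ! verify_client "$WORK/root.crt" "$WORK/client.crt"; then
  echo "client.crt does NOT verify against root.crt alone"
fi
echo "ssl_verify_depth should be at least $(ca_levels "$CLIENT_CA_BUNDLE" "$WORK/client.crt")"
```

The point the demo makes for the configuration above: `ssl_client_certificate` names a PEM file of CA certificates, so a CA-issued client certificate needs the issuing intermediate (and its root) in that file, while `ssl_certificate` keeps the server's own `unified.crt`; with a root-intermediate-client chain the script reports two CA levels, so `ssl_verify_depth 2` covers it.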