Client authentication using self signed ssl certificate for nginx

8
votes

I am hosting a nginx webserver in my LAN and I want to authenticate client who are accessing my server with ssl client certificate.I generated a self signed SSL certificate and one client certificate following some documents on google. But I am unable to authenticate client who has certificate. I am getting the following errors

When requested from Firefox:

2017/08/10 18:30:13 [info] 8994#0: *4 client sent no required SSL certificate while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls1/master.m3u8 HTTP/1.1", host: "192.168.26.43"

When request using curl: curl -v -s -k --key client.key --cert client.crt --cacert ca.crt https://192.168.26.43/hls2/master.m3u8

2017/08/10 18:30:33 [info] 8994#0: *5 client SSL certificate verify error: (18:self signed certificate) while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls2/master.m3u8 HTTP/1.1", host: "192.168.26.43"

So,my question is can I use self-signed certificate to authenticate client?If so, can anyone provide the steps to achieve this?

2
authenticationsslnginxhttps

2 Answers

30
votes

I just stumbled over this and discovered a small pitfall which caused the same error you encountered:

error 18 at 0 depth lookup: self signed certificate

There are plenty of guides how to create a self signed client certificate, I used the following (adapted from here):

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr

# Sign the client certificate with our CA cert
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

# Convert to .p12 so import in OSX works
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12 -name "MyKey"

However, if you use the same Organization Name (eg, company) for both your ca and your client certificate, you will see above error! (edited: important)

If openssl verify -verbose -CAfile ca.crt client.crt does not complain about a self-signed certificate, you're good to go.

1
votes

The server has to trust the client certificate. In the case of a self-signed certificate, that means the certificate has to be exported from the client's keystore and imported into the server's truststore.

When the server asks for the client certificate, it also sends a list of trusted signers, and the client is only allowed to send a certificate which is ultimately signed by one of those signers. As the server didn't know about the self-signed client certificate, it didn't include that as a trusted signer, so the client was unable to send its certificate. Hence client sent no required SSL certificate while reading client request headers.