Date: Wed, 31 Jul 2019 18:03:07 -0700
From: Doug Hardie <bc979@lafn.org>
To: Doug McIntyre <merlyn@geeks.org>
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: OpenSSL client certificates
Message-ID: <CBF63387-2A5C-4096-8B8D-71CC634A3EAD@mail.sermon-archive.info>
In-Reply-To: <20190731224351.GA67809@geeks.org>
References: <6F225C67-4264-4E28-A1E2-69CDFE321B16@mail.sermon-archive.info> <20190731224351.GA67809@geeks.org>
-- Doug

> On 31 July 2019, at 15:43, Doug McIntyre <merlyn@geeks.org> wrote:
>
> On Mon, Jul 29, 2019 at 06:11:59PM -0700, Doug Hardie wrote:
>> I have a Let's Encrypt certificate my app uses for the clients to validate me. However, I need to be able to validate the client's identity using a client certificate. Let's Encrypt certificates cannot be used to create client certificates. So I need to be able to use a self-signed certificate for the client certificate validation. I have been digging around through nginx code to see what I could find, but I am not sure it does that either. Any ideas on how to do this with openssl?
>
>
> How are you validating a client's identity? Through a web page?
> An email? Logged into a shell?

This is all in an application for this specific use. Both the client and server are written by me. I have seen that page you reference below and that leads me to believe nginx has solved the problem. I just haven't been able to figure out where or how they do it in the code. I have been able to get the server to use the validation callback to let me validate the certificate parameters. It's not perfect as I haven't figured out how to verify the certificate is valid yet. I can get the fields I need from it for the application.

The vast majority of the clients will be using cell phones. Dongles are just not practical. The clients won't use them. A one-time store of the certificate in the phone is better than passwords which they never remember or use such trivial ones that it is not effective.

>
> Openssl is a command line tool to manipulate/create/change SSL certs. It can be used
> to set up your own PKI infrastructure (although it is fairly fugly in how to do it).
>
> Google "Setup PKI with openssl" and you'll get 1000s of articles. Most poor.
>
> If you want to validate your clients connecting to a web page (since
> you mention nginx), you can do google searches for "SSL client
> authentication with nginx" and get pages like
> https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/
> which is what I think you are trying to do.
>
>
> I'm sure there are hundreds of other pages out there for Apache and
> Nginx dealing with the subject. I've never really seen people really
> enjoy the experience of doing client-side web authentication though.
>
> The new hotness is webauthn and a security dongle.
> _______________________________________________
> freebsd-questions@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscribe@freebsd.org"
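The part of the thread that stays open is the "verify the certificate is valid" step: reading fields out of a client certificate is only safe after the certificate has been checked against the private CA the server trusts. The script below is an added example, not code from either poster; it builds the minimal private CA with the openssl command-line tool that Doug McIntyre mentions, issues one client certificate, and then performs the server-side check with `openssl verify` so the positive and negative outcomes can be seen side by side. All subjects (`Example App Client CA`, `alice`, `mallory`), file names and the temporary working directory are made-up assumptions.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): a private CA for client
# certificates and the verification a server must do before it trusts any
# field in a presented client certificate. Every name below is assumed.
set -e

WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# 1. Private CA. Self-signed, with explicit CA extensions so the result does
#    not depend on whatever openssl.cnf happens to be installed.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example App Client CA" \
    -keyout ca.key -out ca.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca_ext.cnf
openssl x509 -req -in ca.csr -signkey ca.key -days 3650 \
    -extfile ca_ext.cnf -out ca.crt 2>/dev/null

# 2. Client key + CSR, signed by the CA. extendedKeyUsage=clientAuth marks the
#    certificate as usable for client authentication and nothing else.
openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=alice" \
    -keyout alice.key -out alice.csr 2>/dev/null
printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > client_ext.cnf
openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 365 -extfile client_ext.cnf -out alice.crt 2>/dev/null

# 3. Constructed negative case: a self-signed certificate that chains to
#    nothing the server trusts, even though its fields look plausible.
openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=mallory" -keyout other.key -out other.crt 2>/dev/null

# verify_client_cert CERT: exit 0 only if CERT chains to ca.crt and is
# acceptable for the TLS client purpose. This is the check the server has to
# pass before the application may rely on anything inside the certificate.
verify_client_cert() {
    openssl verify -CAfile ca.crt -purpose sslclient "$1" >/dev/null 2>&1
}

# client_cn CERT: the CN the application would key its user lookup on,
# to be read only after verify_client_cert has succeeded.
client_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Demonstration run.
if verify_client_cert alice.crt; then
    echo "alice.crt: accepted, CN=$(client_cn alice.crt)"
fi
if ! verify_client_cert other.crt; then
    echo "other.crt: rejected (does not chain to ca.crt)"
fi
```

In an application that links libssl directly, the equivalent is to load `ca.crt` as the only trust anchor (`SSL_CTX_load_verify_locations`) and enable `SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT`, so that the library performs this chain and purpose check itself and the verification callback is left with reading fields from a certificate that has already passed. The Let's Encrypt certificate that the clients use to validate the server is unrelated to this trust store and stays as it is.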