SSL client certificate

Igor Sysoev is at rambler-co.ru
Wed Mar 19 14:50:23 MSK 2008


On Wed, Mar 19, 2008 at 12:24:34PM +0100, Omar Lopez Limonta wrote:

> I'm trying to use SSL client authentication, and always I'm getting
> 400 certificate error.
> 
> My nginx version is 0.5.26 running on Ubuntu
> 
> I have this config on my nginx:
> 
>     ssl                  on;
>     ssl_certificate      /etc/ssl/certificados/server.crt;
>     ssl_certificate_key  /etc/ssl/privado/server.key;
>     ssl_client_certificate /etc/ssl/CA/cacert.pem; #this is my CA main certificate
>     ssl_verify_client on;
>     ssl_verify_depth 2;
> 
> Also I create a PKCS12 certificate for my clients using my own CA
> 
> But I'm getting a 400 error when I install my pkcs12 on the client browser.
> 
> Does anyone have detailed information about configuring SSL client
> authentication with nginx?
> Can anyone help me with this problem?
> 
> How do you make your Certificates?
> 
> I'm doing this to make my own certificates:
> 
> ---To the Server Certificate---
> 
> openssl genrsa -des3 -out myssl.key 1024
> openssl req -new -key myssl.key -out myssl.csr
> openssl rsa -in myssl.key -out myssl.key
> openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt
> 
> ---To Client Certificate---
> 
> openssl req -new -nodes -out name-req.pem -keyout privado/name-key.pem \
>     -days 365 -config ./openssl.cnf
> openssl ca -out name-cert.pem -days 365 -config ./openssl.cnf -infiles \
>     name-req.pem
> openssl pkcs12 -export -in name-cert.pem -inkey privado/name-key.pem \
>     -certfile cacert.pem -name "USUARIOXXX" -out name-cert.p12

Here is the part of the Makefile I used to create test client certificates:

CA=     CA
CERT=   cert

DIR=    work
TEMPL=  template

ca:
        openssl genrsa -out $(CA).key 1024

        openssl req -new -key $(CA).key -out $(CA).csr -config $(TEMPL)

        openssl x509 -req -days 1095                                    \
                -in $(CA).csr -out $(CA).crt -signkey $(CA).key

        #openssl x509 -in $(CA).crt -text


cert:
        openssl genrsa -out $(CERT).key 1024

        openssl req -new -key $(CERT).key -out $(CERT).csr -config $(TEMPL)

        openssl ca -config $(TEMPL) -in $(CERT).csr -cert $(CA).crt     \
                -keyfile $(CA).key -out $(CERT).crt

        #openssl x509 -in $(CERT).crt -text

p12:
        openssl pkcs12 -export -in $(CERT).crt -inkey $(CERT).key       \
                -certfile $(CA).crt -name "Some Name" -out $(CERT).p12



-- 
Igor Sysoev
http://sysoev.ru/en/
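
An offline way to check whether a client certificate chains to the CA file named in ssl_client_certificate, which is the check ssl_verify_client on enforces. This is an added example, not part of the original messages: the file and subject names are constructed, it uses 2048-bit keys, and it signs with openssl x509 -req -CA instead of the openssl ca setup used in the thread.

```shell
#!/bin/sh
# Added example: throwaway PKI with constructed names, for checking trust chains.

# Create a test CA, a client certificate signed by it, and an unrelated
# self-signed certificate in directory $1.
make_test_pki() {
    dir=$1
    # CA key plus self-signed CA certificate (the ssl_client_certificate file).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null || return 1
    # Client key and certificate request.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-client" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null || return 1
    # Sign the request with the CA key.
    openssl x509 -req -days 30 -in "$dir/client.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/client.crt" 2>/dev/null || return 1
    # A certificate signed with its own key, so the CA never issued it.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=example-selfsigned" \
        -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null || return 1
}

# Succeed only if certificate $2 verifies against CA file $1.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the verdict for each test certificate.
demo() {
    d=$(mktemp -d) || return 1
    make_test_pki "$d" || return 1
    for c in client self; do
        if chains_to_ca "$d/ca.crt" "$d/$c.crt"; then
            echo "$c.crt: chains to ca.crt"
        else
            echo "$c.crt: not issued by ca.crt"
        fi
    done
    rm -rf "$d"
}

demo
```

To test a real deployment, call chains_to_ca with the file configured as ssl_client_certificate and the certificate that was packed into the client's PKCS12 bundle.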




