A trivial dummy CA and client certificate authentication proxy demo
Generate a dummy CA, client key+cert and server key+cert from scratch: clone this repo and run ./go.sh
Import the dummy client certificate client/dummy-client.p12 into your browser. The password is secret. Don't tell anyone.
E.g. in Chrome: Settings > Advanced > HTTPS/SSL > Manage certificates > Import.
Create an nginx configuration package, nginx.tar: ./go.sh package
Copy the package to your server, install prerequisites, and deploy the config:
sudo apt-get update && sudo apt-get -y install openssl nginx
sudo tar oxvf nginx.tar -C /etc
sudo chmod 0600 /etc/nginx/ssl/dummy-server.key
sudo ln -s /etc/nginx/sites-available/nginx-client-auth.conf /etc/nginx/sites-enabled/
sudo nginx -t && sudo service nginx restart
The provided configuration sets up a reverse proxy to http://scooterlabs.com/echo and forwards the client certificate verification result and DNs to it as request headers.
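As an added illustration (not the repo's own nginx-client-auth.conf), a server block of the kind the package deploys; the server and CA file names, the hostname and the CRL path are assumptions, only dummy-server.key comes from the steps above:

```nginx
# Added example, not the repo's packaged config. File names other than
# dummy-server.key, the hostname and the CRL path are assumptions.
server {
    listen 443 ssl;
    server_name your.host;

    ssl_certificate     /etc/nginx/ssl/dummy-server.crt;   # assumed name
    ssl_certificate_key /etc/nginx/ssl/dummy-server.key;   # mode 0600, see above

    # Accept only certificates chaining to the dummy CA, and require one.
    # With "on", a missing or invalid client cert fails the handshake, so
    # $ssl_client_verify is always SUCCESS by the time a location runs;
    # with "optional" it can also be NONE or FAILED:<reason>, and the
    # upstream must then check the X-Client-Cert-Verify header itself.
    ssl_client_certificate /etc/nginx/ssl/dummy-ca.crt;    # assumed name
    ssl_verify_client on;
    ssl_verify_depth 1;
    # Optional revocation check against a PEM CRL issued by the dummy CA.
    # ssl_crl /etc/nginx/ssl/dummy-ca.crl;                  # assumed path

    location /echo {
        proxy_pass http://scooterlabs.com/echo;
        proxy_set_header Host scooterlabs.com;
        # proxy_set_header replaces any same-named header the client sent,
        # so a browser cannot smuggle a forged X-Client-Cert-* header upstream.
        proxy_set_header X-Client-Cert-Verify     $ssl_client_verify;
        proxy_set_header X-Client-Cert-Subject-DN $ssl_client_s_dn;
        proxy_set_header X-Client-Cert-Issuer-DN  $ssl_client_i_dn;
    }
}
```

Since nginx 1.11.6, $ssl_client_s_dn and $ssl_client_i_dn use RFC 2253 form (CN=Dummy Client,OU=IT,...); the slash-separated form shown in the echo output below comes from $ssl_client_s_dn_legacy and $ssl_client_i_dn_legacy. The upstream application must trust these headers only from this proxy, since anyone who can reach it directly could set them freely.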
Fetch https://your.host/echo and inspect the result. If everything worked, the result should contain something like this:
[headers] => Array
(
[X-Client-Cert-Verify] => SUCCESS
[X-Client-Cert-Subject-DN] => /C=FI/ST=Helsinki/L=Dummy/O=Dummy/OU=IT/CN=Dummy Client
[X-Client-Cert-Issuer-DN] => /C=FI/ST=Helsinki/L=Dummy/O=Dummy/OU=IT/CN=Dummy CA
CRL
This stuff is inspired by and mostly based on an article by Nate Good.
We're using Brian Cantoni's Echo Service to check our headers.
Much appreciated. Thanks!
- On running your own Certificate Authority: https://jamielinux.com/blog/category/CA/