Client certificates can come in very handy when you wish to expose internal applications that you wish to make publicly accessible to specific entities.
Fortunately most reverse proxies such as IIS, httpd, nginx and haproxy provide this functionality - although for this tutorial I will concentrate on nginx since the configuration is pretty straight forward and I (personally) tend to have less cross-platform problems when working with it.
* For this tutorial I am already assuming that you have your own server certificate (referred to as server.crt)
So lets firstly create our CA that we will use to issue our client certificates:
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
and then generate our client private key and CSR:
openssl req -out client.csr -new -newkey rsa:2048 -nodes -keyout client.key
and then self-sign our new certificate with:
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Now we want to import the key pair into our iPhone / iPad - this can be performed by the Apple Configuration Utility or much more easily by simply sending an email to the device with the key pair attached.
However we must firstly create a .pfx package with both the private and public key in it - to do this we should issue:
openssl pkcs12 -inkey client.key -in client.crt -export -out client.pfx
and setup our nginx configuration:
server {
listen 443;
ssl on;
server_name clientssl.example.com;
ssl_certificate /etc/nginx/certs/server.crt;
ssl_certificate_key /etc/nginx/certs/server.key;
ssl_client_certificate /etc/nginx/certs/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://1.2.3.4:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
test the configuration with:
nginx -t
and if correct reload the server with:
sudo service nginx reload
0 comments:
Post a Comment