Nginx – Client authentication using self signed ssl certificate for nginx

authenticationhttpsnginxssl

I am hosting a nginx webserver in my LAN and I want to authenticate client who are accessing my server with ssl client certificate.I generated a self signed SSL certificate and one client certificate following some documents on google. But I am unable to authenticate client who has certificate. I am getting the following errors

When requested from Firefox:

2017/08/10 18:30:13 [info] 8994#0: *4 client sent no required SSL certificate while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls1/master.m3u8 HTTP/1.1", host: "192.168.26.43"

When request using curl:
curl -v -s -k –key client.key –cert client.crt –cacert ca.crt https://192.168.26.43/hls2/master.m3u8

2017/08/10 18:30:33 [info] 8994#0: *5 client SSL certificate verify error: (18:self signed certificate) while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls2/master.m3u8 HTTP/1.1", host: "192.168.26.43"

So,my question is can I use self-signed certificate to authenticate client?If so, can anyone provide the steps to achieve this?

Best Answer

I just stumbled over this and discovered a small pitfall which caused the same error you encountered:

error 18 at 0 depth lookup: self signed certificate

There are plenty of guides how to create a self signed client certificate, I used the following (adapted from here):

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr

# Sign the client certificate with our CA cert
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

# Convert to .p12 so import in OSX works
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12 -name "MyKey"

However, if you use the same Organization Name (eg, company) for both your ca and your client certificate, you will see above error! (edited: important)

If openssl verify -verbose -CAfile ca.crt client.crt does not complain about a self-signed certificate, you're good to go.

Related Solutions

Tomcat Server/Client Self-Signed SSL Certificate

Finally got the solution to my problem, so I'll post the results here if anyone else gets stuck.

Thanks to Michael Martin of Michael's Software Thoughts & Ramblings I discovered that:

keytool by default uses the DSA algorithm when generating the self-signed cert. Earlier versions of Firefox accepted these keys without problem. With Firefox 3 beta 5, using DSA doesn't work, but using RSA does. Passing "-keyalg RSA" when generating the self-signed certificate creates a cert the Firefox 3 beta 5 fully accepts.

I simply set that flag, cleared all caches in FireFox and it worked like a charm! I am using this as a test-setup for my project and I need to share this with other people, so I wrote a little batch script that creates two SSL certificates. One can be dropped into the Tomcat setup and the other is a .p12 file that can be imported into FireFox/IE. Thanks!

Usage: first command-line argument is the username of the client. All passwords are "password" (with no quotations). Change any of the hard-coded bits to meet your needs.

@echo off
if "%1" == "" goto usage

keytool -genkeypair -alias servercert -keyalg RSA -dname "CN=Web Server,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -keystore server.jks -storepass password
keytool -genkeypair -alias %1 -keystore %1.p12 -storetype pkcs12 -keyalg RSA -dname "CN=%1,OU=Unit,O=Organization,L=City,S=State,C=US" -keypass password -storepass password
keytool -exportcert -alias %1 -file %1.cer -keystore %1.p12 -storetype pkcs12 -storepass password
keytool -importcert -keystore server.jks -alias %1 -file %1.cer -v -trustcacerts -noprompt -storepass password
keytool -list -v -keystore server.jks -storepass password
del %1.cer
goto end

:usage
echo Need user id as first argument: generate_keystore [username]
goto end

:end
pause

The results are two files. One called server.jks that you drop into Tomcat and another file called {username}.p12 that you import into your browser. The server.jks file has the client certificate added as a trusted cert.

I hope someone else finds this useful.

And here is the the XML that needs to be added to your Tomcat conf/sever.xml file (only tested on on Tomcat 6.x)

<Connector
   clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
   enableLookups="true" disableUploadTimeout="true"
   acceptCount="100" maxThreads="200"
   scheme="https" secure="true" SSLEnabled="true"
   keystoreFile="${catalina.home}/conf/server.jks"
   keystoreType="JKS" keystorePass="password"
   truststoreFile="${catalina.home}/conf/server.jks"
   truststoreType="JKS" truststorePass="password"
   SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2" sslProtocol="TLS"
/>

For Tomcat 7:

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" SSLEnabled="true"
           maxThreads="200" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/server.jks" keystorePass="password"
           clientAuth="false" sslProtocol="TLS" />

Java – Accept server’s self-signed ssl certificate in Java client

You have basically two options here: add the self-signed certificate to your JVM truststore or configure your client to

Option 1

Export the certificate from your browser and import it in your JVM truststore (to establish a chain of trust):

<JAVA_HOME>\bin\keytool -import -v -trustcacerts
-alias server-alias -file server.cer
-keystore cacerts.jks -keypass changeit
-storepass changeit

Option 2

Disable Certificate Validation:

// Create a trust manager that does not validate certificate chains
TrustManager[] trustAllCerts = new TrustManager[] { 
    new X509TrustManager() {     
        public java.security.cert.X509Certificate[] getAcceptedIssuers() { 
            return new X509Certificate[0];
        } 
        public void checkClientTrusted( 
            java.security.cert.X509Certificate[] certs, String authType) {
            } 
        public void checkServerTrusted( 
            java.security.cert.X509Certificate[] certs, String authType) {
        }
    } 
}; 

// Install the all-trusting trust manager
try {
    SSLContext sc = SSLContext.getInstance("SSL"); 
    sc.init(null, trustAllCerts, new java.security.SecureRandom()); 
    HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory());
} catch (GeneralSecurityException e) {
} 
// Now you can access an https URL without having the certificate in the truststore
try { 
    URL url = new URL("https://hostname/index.html"); 
} catch (MalformedURLException e) {
}

Note that I do not recommend the Option #2 at all. Disabling the trust manager defeats some parts of SSL and makes you vulnerable to man in the middle attacks. Prefer Option #1 or, even better, have the server use a "real" certificate signed by a well known CA.