Distributing client SSL certificates is a strong way of authenticating users before granting them access to restricted web resources. Here are a few articles that will walk you through what is needed to accomplish this:
Client Certificates are now supported in HAProxy, and this article will explain how to do this:
This article from nginx will walk you through doing the same thing using nginx, and also how to generate self-signed client certificates:
And finally, the missing piece, this article will show how to export proper Client certificates:
One more caveat: if the first connection from a browser holding a valid certificate is handled correctly, but a reload of the same page triggers the redirect that should only apply to users without a certificate, switch the fetch you test from ssl_fc_has_crt to ssl_c_used. ssl_fc_has_crt is only true when the certificate was sent during the initial handshake, so it is false on resumed TLS sessions; ssl_c_used is true for any connection whose session carries a client certificate (http://www.haproxy.org/download/1.5/doc/configuration.txt).

In summary, do the following:

# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Server Key, CSR, and Certificate (2048 bits is the current minimum; 1024-bit RSA is too weak for TLS)
openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
# We're self signing our own server cert here. This is a no-no in production.
openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt
# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
# Every certificate issued by the same CA needs a distinct serial; reusing 01 here makes browsers reject the pair.
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out client.crt
Finally, bundle the client key and certificate into a PKCS#12 file so that it can be imported into most browsers:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
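A minimal HAProxy frontend that wires the files generated above together and uses ssl_c_used for the redirect discussed earlier. This is an added example, not taken from the linked articles; the certificate paths, the /enroll location and the backend address are assumptions.

```haproxy
frontend https-in
    # HAProxy expects the server cert and key in one PEM file, and cannot prompt for a
    # passphrase, so strip the -des3 passphrase first:
    #   openssl rsa -in server.key -out server.key
    #   cat server.crt server.key > /etc/haproxy/certs/server.pem
    # "verify optional" lets connections without a client cert reach the HTTP layer so
    # they can be redirected; "verify required" would abort the TLS handshake instead.
    bind *:443 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/ca.crt verify optional

    # ssl_c_used is true on initial and resumed sessions that carry a client cert.
    # ssl_fc_has_crt is only true on the handshake that actually sent the cert, which
    # produces the "works on first load, redirects on reload" symptom.
    acl has_client_cert ssl_c_used
    # ssl_c_verify is the OpenSSL verify result; 0 means the cert chains to ca.crt and is in date.
    acl client_cert_valid ssl_c_verify 0

    # Assumed enrollment page for users who have not installed client.p12 yet.
    http-request redirect location https://example.com/enroll if !has_client_cert
    # A presented cert that fails verification (wrong CA, expired) is refused outright.
    http-request deny if has_client_cert !client_cert_valid
    default_backend restricted

backend restricted
    # Assumed application server behind the proxy.
    server app1 127.0.0.1:8080
```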