SSL client certificate

Hi,
I'm trying to use SSL client authentication, and I'm always getting a
400 certificate error.

My nginx version is 0.5.26 running on Ubuntu

I have this config on my nginx:

ssl                  on;
ssl_certificate      /etc/ssl/certificados/server.crt;
ssl_certificate_key  /etc/ssl/privado/server.key;
ssl_client_certificate /etc/ssl/CA/cacert.pem; #this is my CA main certificate
ssl_verify_client on;
ssl_verify_depth 2;

Also, I create a PKCS12 certificate for my clients using my own CA.

But I'm getting a 400 error when I install my PKCS12 on the client
browser.

Does anyone have detailed information about configuring SSL client authentication
with nginx?
Can anyone help me with this problem?

How do you make your Certificates?

I'm doing this to make my own certificates:

—To the Server Certificate—

openssl genrsa -des3 -out myssl.key 1024
openssl req -new -key myssl.key -out myssl.csr
openssl rsa -in myssl.key -out myssl.key
openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt

—To Client Certificate—

openssl req -new -nodes -out name-req.pem -keyout privado/name-key.pem \
    -days 365 -config ./openssl.cnf
openssl ca -out name-cert.pem -days 365 -config ./openssl.cnf -infiles \
    name-req.pem
openssl pkcs12 -export -in name-cert.pem -inkey privado/name-key.pem \
    -certfile cacert.pem -name "USUARIOXXX" -out name-cert.p12

Thanks to all :smiley:


Xgalaga is more enjoyable on NetBSD sparc64

Content Rules:

/////
\///
///\\ The Duke of Url.
{ O–O }
/ /\
\ – /
[||]

On Wed, Mar 19, 2008 at 12:24:34PM +0100, Omar Lopez Limonta wrote:

> ssl_client_certificate /etc/ssl/CA/cacert.pem; #this is my CA main
>
> Can anyone help me with this problem
> openssl x509 -req -days 365 -in myssl.csr -signkey myssl.key -out myssl.crt
>
> —To Client Certificate—
>
> openssl req -new -nodes -out name-req.pem -keyout privado/name-key.pem
> -days 365 -config ./openssl.cnf
> openssl ca -out name-cert.pem -days 365 -config ./openssl.cnf -infiles
> name-req.pem
> openssl pkcs12 -export -in name-cert.pem -inkey privado/name-key.pem
> -certfile cacert.pem -name "USUARIOXXX" -out name-cert.p12

Here is the part of the Makefile I used to create test client certificates:

CA=	CA
CERT=	cert

DIR=	work
TEMPL=	template

# ca: CA key and self-signed CA certificate
ca:
	openssl genrsa -out $(CA).key 1024
	openssl req -new -key $(CA).key -out $(CA).csr -config $(TEMPL)
	openssl x509 -req -days 1095 \
		-in $(CA).csr -out $(CA).crt -signkey $(CA).key
	#openssl x509 -in $(CA).crt -text

# cert: client key and CSR, signed with the CA key
cert:
	openssl genrsa -out $(CERT).key 1024
	openssl req -new -key $(CERT).key -out $(CERT).csr -config $(TEMPL)
	openssl ca -config $(TEMPL) -in $(CERT).csr -cert $(CA).crt \
		-keyfile $(CA).key -out $(CERT).crt
	#openssl x509 -in $(CERT).crt -text

# p12: client certificate, key and CA certificate bundled as PKCS12
p12:
	openssl pkcs12 -export -in $(CERT).crt -inkey $(CERT).key \
		-certfile $(CA).crt -name "Some Name" -out $(CERT).p12

Thanks for your help, Igor. Can you post the ssl lines from your nginx config?
With your Makefile you don't generate a .pem file, so what do I need to put in
ssl_client_certificate?



On Wed, Mar 19, 2008 at 02:23:06PM +0100, Omar Lopez Limonta wrote:

> Thanks for your help Igor, you can put your ssl lines on nginx config?
> With your Makefile you don't generate a .pem file , why i need put on
> ssl_client_certificate ?

ssl_client_certificate CA.crt;

cert.p12 is to import into client browser.

It doesn't work yet, it still returns a 400 bad certificate error.
I have two vhosts with different SSL certificates. In the first host I
have only https without client authentication, and in the second I
have the config with client authentication. I will be doing a proxy pass to
IIS, could that be a problem?
Do I need some code on the server side to request the client
certificate?

Thanks again.



Thanks for everything, Igor. Now with different IP addresses it works :smiley:



On Wed, Mar 19, 2008 at 03:48:01PM +0100, Omar Lopez Limonta wrote:

> It doesn't work yet, it until returns 400 bad certificate error.
> I have two vhost with diferent SSL certificates , in the frist host i
> have only https without client authentication, and in the second i
> have the config with client autentication, i will be a proxy pass to
> IIS it could be a problem?
> i need code in the server side something to request the client cerficate?

Do you use name-based virtual hosts?
Then nginx uses the certificate configuration from the first host and does not
ask for a client certificate in the SSL handshake phase.

You need to bind hosts to the different IP-addresses:

 server {
     listen           192.168.1.1:443;
     server_name      one.example.com;
     ssl_certificate  one.example.com.cert;
     ...
 }

 server {
     listen           192.168.1.2:443;
     server_name      two.example.com;
     ssl_certificate  two.example.com.cert;

     ssl_client_certificate  CA.cert;
     ...
 }
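
The situation Igor describes (name-based SSL hosts sharing one listen address, with only one of them asking for a client certificate) can be caught with a config check before deployment. The following is an added example, not code from the thread or from nginx; the sample config is constructed, the function names are hypothetical, and the parser is simplified to server blocks containing plain directives and simple location blocks.

```python
import re
from collections import defaultdict

# Constructed sample: two name-based SSL hosts on one address; only the
# second asks for a client certificate (the situation in the thread).
SAMPLE = """
server { listen 443; server_name one.example.com;
         ssl_certificate one.example.com.cert; }
server { listen 443; server_name two.example.com;
         ssl_certificate two.example.com.cert;
         ssl_client_certificate CA.cert; ssl_verify_client on;
         location / { proxy_pass http://127.0.0.1:8080; } }
"""

CLIENT_AUTH = ("ssl_client_certificate", "ssl_verify_client", "ssl_verify_depth")

def parse_servers(conf):
    """Return one {directive: value} dict per server block (simplified parser)."""
    conf = re.sub(r"#.*", "", conf)                        # drop comments
    conf = re.sub(r"location[^{};]*\{[^{}]*\}", "", conf)  # drop location blocks
    servers = []
    for body in re.findall(r"\bserver\s*\{([^{}]*)\}", conf):
        directives = {}
        for stmt in body.split(";"):
            parts = stmt.split(None, 1)
            if len(parts) == 2:
                directives[parts[0]] = parts[1].strip()
        servers.append(directives)
    return servers

def shared_listen_conflicts(conf):
    """List listen addresses shared by SSL servers whose client-auth settings differ."""
    groups = defaultdict(list)
    for s in parse_servers(conf):
        if "ssl_certificate" in s:
            groups[(s.get("listen") or "*:80").split()[0]].append(s)
    findings = []
    for listen, members in groups.items():
        settings = {tuple(m.get(k) for k in CLIENT_AUTH) for m in members}
        if len(settings) > 1:
            findings.append((listen, [m.get("server_name") for m in members]))
    return findings

if __name__ == "__main__":
    for listen, names in shared_listen_conflicts(SAMPLE):
        print(f"{listen}: client-auth settings differ across {names}")
```

A finding means the hosts on that address should be bound to different IP addresses, as in the two server blocks above.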
