Client certificates and check for DN?

Anonymous User
Client certificates and check for DN?
February 28, 2018 02:50PM
Hi,

it seems most examples, even for apache, assume that the client
certificates are issued by your own CA.
In this case, you just need to check if your certificates were issued by
this CA - and if they're not, it's game over.


However, I may have a case where the CA is a public CA and the client
certificates need to be verified down to the correct O and OU.

How do you do this with nginx?

Something along these lines:

https://www.tbs-certificates.co.uk/FAQ/en/183.html


Best Regards
Rainer
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Igor A. Ippolitov
Re: Client certificates and check for DN?
February 28, 2018 04:50PM
Hello.

I'm not sure what you really need, but it looks like you can
get almost the same result using a combination of map{} blocks and
conditionals.

Something like this:

# 1 when the client subject DN contains the expected OU, else 0
map $ssl_client_s_dn $ou_matched {
    ~OU=whatever 1;
    default 0;
}
# 1 when the client subject DN contains the expected CN, else 0
map $ssl_client_s_dn $cn_matched {
    ~CN=whatever 1;
    default 0;
}
# concatenate both flags: "11" only when both checks passed;
# any "0" in the string marks the client as not authorised
map $ou_matched$cn_matched $unauthed {
    ~0 1;
    default 0;
}
server {
    ....
    ssl_trusted_certificate path/to/public/certs;
    ssl_verify_client on;
    if ($unauthed) {return 403;}
}


On 28.02.2018 16:39, rainer@ultra-secure.de wrote:
> Hi,
>
> it seems most examples, even for apache, assume that the
> client certificates are issued by your own CA.
> In this case, you just need to check if your certificates were issued
> by this CA - and if they're not, it's game over.
>
>
> However, I may have a case where the CA is a public CA and the client
> certificates need to be verified down to the correct O and OU.
>
> How do you do this with nginx?
>
> Something along these lines:
>
> https://www.tbs-certificates.co.uk/FAQ/en/183.html
>
>
> Best Regards
> Rainer
> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


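A fuller form of the same map-and-if approach, added here as an example and not taken from the thread: a single map over the RFC 2253 subject DN (the format of $ssl_client_s_dn since nginx 1.11.6), with the regex pinned to attribute boundaries so that O and OU must match as whole values rather than as substrings. The OU and O values, the CA bundle path, the server name and the upstream address are assumptions.

```nginx
# Added example (not from the thread). Assumed values: OU=Ops,
# O=Example Corp, the CA bundle path and the upstream address.
#
# Since nginx 1.11.6 $ssl_client_s_dn is RFC 2253 formatted, e.g.
#   CN=alice,OU=Ops,O=Example Corp,C=DE
# (the older "/C=DE/O=Example Corp/OU=Ops/CN=alice" form is still
# available as $ssl_client_s_dn_legacy). A comma inside an attribute
# value is escaped as "\,".
#
# map{} must sit in the http{} context.
map $ssl_client_s_dn $dn_allowed {
    default 0;
    # Pinned to attribute boundaries: "OU=Ops" must start at the
    # beginning of the DN or after an unescaped ",", and "O=Example Corp"
    # must end at "," or at the end of the DN, so "OU=OpsTeam" or
    # "O=Example Corp Ltd" do not match. nginx collapses each "\\" pair
    # in a config string to one "\" before PCRE sees it, so the "\\\\"
    # below reaches PCRE as "\\" and the lookbehind reads (?<!\\).
    "~(?:^|(?<!\\\\),)OU=Ops,O=Example Corp(?:,|$)" 1;
}

server {
    listen 443 ssl;
    server_name example.test;

    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    # CA(s) the client certificate must chain to. ssl_client_certificate
    # also advertises these CAs to the client during the handshake;
    # ssl_trusted_certificate would verify without advertising them.
    # ssl_verify_depth bounds the accepted chain length.
    ssl_client_certificate /etc/nginx/tls/public-client-ca.pem;
    ssl_verify_client      on;
    ssl_verify_depth       2;

    # The handshake already fails without a certificate chaining to the
    # CA above; this adds the O/OU check on top of it.
    if ($dn_allowed != 1) {
        return 403;
    }

    location / {
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Check the exact DN string nginx sees before writing the regex, e.g. by logging $ssl_client_s_dn, since attribute order and naming depend on the issuing CA.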
Anonymous User
Re: Client certificates and check for DN?
February 28, 2018 05:10PM
On 2018-02-28 16:41, Igor A. Ippolitov wrote:
> Hello.
>
> I'm not sure what you really need, but it looks like you can
> get almost the same result using a combination of map{} blocks and
> conditionals.
>
> Something like this:
>
> map $ssl_client_s_dn $ou_matched {
>     ~OU=whatever 1;
>     default 0;
> }
> map $ssl_client_s_dn $cn_matched {
>     ~CN=whatever 1;
>     default 0;
> }
> map $ou_matched$cn_matched $unauthed {
>     ~0 1;
>     default 0;
> }
> server {
>     ....
>     ssl_trusted_certificate path/to/public/certs;
>     ssl_verify_client on;
>     if ($unauthed) {return 403;}
> }


OK, thanks a lot.


I'll look into it.

Currently, the exact details are still a bit murky.
Customer was very vague...
I'll know more Friday next week.



Regards,
Rainer