https://fardog.io/blog/2017/12/30/client-side-certificate-authentication-with-nginx/
Whatever method you use to generate the certificate and key files, the Common Name value used
for the server and client certificates/keys MUST each differ from the Common Name value used
for the CA certificate.
Otherwise, OpenSSL-based servers such as nginx can fail to verify the chain: OpenSSL locates a certificate's issuer by subject name, so an end-entity certificate carrying the same name as its CA is ambiguous during chain building.
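# --- Create the private CA (the following commands run in a root shell) ---
sudo -i
cd /
# The CA private key lives in this directory. Keep it root-only: nginx never
# needs ca.key, it only needs ca.crt, which is copied under /etc/nginx later.
# (The original used "chown $myuser:www-data" + mode 770; $myuser is not set
# inside a "sudo -i" shell, and the web server account must never be able to
# read the CA signing key.)
mkdir -p /CertificateAuthCA
chown root:root /CertificateAuthCA
chmod 700 /CertificateAuthCA
cd /CertificateAuthCA
# Files created below (ca.key in particular) must not be group/world readable.
umask 077
# 4096-bit RSA key, encrypted at rest with AES-256 (DES3 is a legacy cipher).
# The passphrase is required for every signing operation.
openssl genrsa -aes256 -out ca.key 4096
# Self-signed CA certificate, valid for 10 years.
# Note what you enter for Country, State, Locality and Organization; use the
# same values when you later renew the CA certificate.
# Enter a Common Name (CN) for the CA. It must differ from the CN used for
# every server and client certificate (see the note at the top of this page).
# The email address is optional.
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
# Renewing the CA certificate means running the same "openssl req -new -x509"
# command again with the same ca.key and the same subject; client certificates
# signed with that key should then still chain to the renewed CA certificate.
# To see what was entered in the existing certificate:
openssl x509 -in ca.crt -noout -text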
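##### Creating a Client Certificate (the following commands run in a root shell)
sudo -i
cd /CertificateAuthCA
# The client's private key must not be group/world readable.
umask 077
# Client private key, encrypted with AES-256; the passphrase is asked for
# again when the PKCS#12 bundle is built below.
openssl genrsa -aes256 -out user.key 4096
# Certificate signing request. Country/State/Locality/Organization may match
# the CA; the Common Name MUST be unique per client and must differ from the
# CA's CN. The email address is optional.
openssl req -new -key user.key -out user.csr
#Country Name (2 letter code) [AU]:CZ
#State or Province Name (full name) [Some-State]:CZ
#Locality Name (eg, city) []:PRG
#Organization Name (eg, company) [Internet Widgits Pty Ltd]:
#Organizational Unit Name (eg, section) []:
#Common Name (e.g. server FQDN or YOUR name) []:user1 !!!!! Unique
#Email Address []:
# Extensions for a client certificate: "openssl x509 -req" adds none unless
# told to, so mark the certificate as non-CA and usable only for client auth.
printf 'basicConstraints = CA:FALSE\nextendedKeyUsage = clientAuth\n' > client_ext.cnf
# Sign the CSR with the CA. -CAcreateserial keeps a counter in ca.srl so each
# issued certificate gets a distinct serial number. The original
# "-set_serial 01" gave every client the same serial, which violates RFC 5280
# and makes revocation impossible (a CRL identifies certificates by serial).
openssl x509 -req -days 3650 -in user.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -extfile client_ext.cnf -out user.crt
# Check that user.crt chains to ca.crt
openssl verify -verbose -CAfile ca.crt user.crt
### Creating a PKCS #12 (PFX) bundle for import into the browser/OS key store
# The bundle contains the private key: choose a strong export password and
# delete the copy once it has been imported on the client.
openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt
# Hand the bundle to the user. It holds the private key, so it must be
# readable by that user only (the original chmod 755 made it world-readable);
# chown is needed because "sudo cp" leaves the copy owned by root.
sudo cp /CertificateAuthCA/user.pfx /home/pi/
sudo chown pi:pi /home/pi/user.pfx
sudo chmod 600 /home/pi/user.pfx
# ca.crt is a public certificate; world-readable is fine.
sudo cp /CertificateAuthCA/ca.crt /home/pi/
sudo chown pi:pi /home/pi/ca.crt
sudo chmod 644 /home/pi/ca.crt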
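########## NGINX (the following commands run in a root shell)
sudo -i
# -p makes this step safe to re-run; absolute paths avoid depending on cwd.
mkdir -p /etc/nginx/certificates
# Only the public CA certificate is copied to the web server; ca.key stays in
# /CertificateAuthCA and is never readable by www-data.
cp /CertificateAuthCA/ca.crt /etc/nginx/certificates/ca.crt
chown -R www-data:www-data /etc/nginx/certificates
chmod 700 /etc/nginx/certificates
# Put the server block below into this file.
nano /etc/nginx/sites-enabled/reverse-proxy.conf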
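server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name draytek.raiv.cc;

    # Server certificate (Let's Encrypt) presented to browsers.
    # (The key path was cut off in the original listing: it is privkey.pem.)
    ssl_certificate     /etc/letsencrypt/live/draytek.raiv.cc/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/draytek.raiv.cc/privkey.pem;

    # Private CA that issued the client certificates; only certificates that
    # chain to it are accepted. "optional" lets the request reach the location
    # block so it can be answered with 403 instead of failing the handshake
    # ("on" would reject at TLS level with a 400).
    ssl_client_certificate /etc/nginx/certificates/ca.crt;
    ssl_verify_client optional;
    # Revocation: nginx matches CRL entries by serial number, so a CRL only
    # works if every client certificate was issued with a unique serial.
    # ssl_crl /etc/nginx/certificates/ca.crl;

    ssl_session_timeout 5m;
    # TLS 1.0/1.1 are deprecated (RFC 8996); add TLSv1.3 here if the installed
    # nginx/OpenSSL supports it.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Reject every request that did not present a valid client
        # certificate. Any additional location block must repeat this check,
        # because ssl_verify_client optional alone rejects nothing.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # The upstream is plain HTTP on the LAN, so the proxy_ssl_* directives
        # of the original (proxy_ssl_protocols, proxy_ssl_verify off) had no
        # effect; they only apply to an https:// proxy_pass and are dropped.
        proxy_pass http://192.168.100.253:2380/;
    }
}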
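# Validate the configuration first so a typo cannot take the site down, then
# reload (keeps existing connections) instead of a full restart.
sudo nginx -t && sudo service nginx reload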