Automate generating CA certs, server certs and client certs for certificate-based auth. These certs were used with Nginx client-certificate authentication.
`generate.sh` will only create a CA cert, used to sign a client cert for cert-based auth. The cert will last for 10 years. If you need intermediate certs and server certs, un-comment `make_int` and `make_server`, which will then generate the intermediate and server certs.
- Edit `./generate.sh` and replace

  ```sh
  COUNTRY="US"
  LOCATION="NY"
  OU="dky.io"
  EMAIL="[email protected]"
  ```

  with your own values. You'll likely also want to modify the `CN_NAME` variable within the `server_key_cert` function.
- Run `./generate.sh`. This should generate both the CA cert and the client cert.
- Copy `ca.crt` to the remote target.
- Configure Nginx:

  ```nginx
  ssl_client_certificate /etc/nginx/ca.crt;
  ssl_verify_client on;
  ```

  Nginx verifies each presented client cert against this file, so if you enabled `make_int` the file must also contain the intermediate cert, and the verify depth must be raised to cover the extra level.
- If you need a `.p12`, we have a helper script, `create_p12.sh`.
`validate.sh` makes a curl call to the protected endpoint, providing the client cert, key and `ca.crt`. Use it to make sure the certs are functional.
Validate that `client.crt` has the TLS client purpose (OpenSSL prints `SSL client : No` if the cert's keyUsage or extendedKeyUsage rules out client auth):

```
$ openssl x509 -in client.crt -noout -purpose | grep 'SSL client :'
SSL client : Yes
```
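The whole procedure end to end, as an added example that is not the repository's `generate.sh`, `create_p12.sh` or `validate.sh`: it builds a 10-year CA, signs a `clientAuth` leaf and a `serverAuth` leaf with explicit extensions, runs the chain and purpose checks described above, bundles the client cert into a `.p12`, and wraps the `validate.sh`-style curl call. The output directory, subject fields, CNs, `.p12` password and function names are assumptions; the script does not build an intermediate CA.

```shell
#!/bin/sh
# Added example, not the repository's generate.sh, create_p12.sh or validate.sh.
# Builds a 10-year CA plus clientAuth and serverAuth leaves, then runs the checks
# the README describes. Directory, subject fields, CNs, .p12 password and
# function names are assumptions, not values taken from the repo.
set -eu

OUT="${OUT:-./certs}"                       # where keys and certs are written
COUNTRY="${COUNTRY:-US}"
LOCATION="${LOCATION:-NY}"
OU="${OU:-example.test}"                    # assumed placeholder
CA_CN="${CA_CN:-Example Client CA}"         # assumed placeholder
CLIENT_CN="${CLIENT_CN:-alice}"             # assumed placeholder
SERVER_CN="${SERVER_CN:-api.example.test}"  # assumed placeholder
P12_PASS="${P12_PASS:-changeit}"            # assumed placeholder, never ship it
CA_DAYS=3650                                # 10 years, as in generate.sh
LEAF_DAYS=365                               # leaves should be far shorter-lived than the CA

# CA: CA:TRUE with pathlen:0 so it can only sign leaves, and a keyUsage
# without digitalSignature so the CA cert can never pass as a client cert.
make_ca() {
    mkdir -p "$OUT"
    cat >"$OUT/ca.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
C = $COUNTRY
ST = $LOCATION
OU = $OU
CN = $CA_CN
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:4096 -out "$OUT/ca.key" 2>/dev/null
    chmod 600 "$OUT/ca.key"
    openssl req -new -x509 -config "$OUT/ca.cnf" -key "$OUT/ca.key" -sha256 \
        -days "$CA_DAYS" -out "$OUT/ca.crt"
}

# Leaf signed by the CA. $1 = file stem, $2 = CN, $3 = extendedKeyUsage
# (clientAuth or serverAuth), $4 = optional subjectAltName for servers.
make_leaf() {
    stem=$1; cn=$2; eku=$3; san=${4:-}
    case $eku in
        clientAuth) ku="digitalSignature" ;;
        *)          ku="digitalSignature, keyEncipherment" ;;
    esac
    printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nC = %s\nST = %s\nOU = %s\nCN = %s\n' \
        "$COUNTRY" "$LOCATION" "$OU" "$cn" >"$OUT/$stem.cnf"
    {
        echo "basicConstraints = CA:FALSE"
        echo "keyUsage = critical, $ku"
        echo "extendedKeyUsage = $eku"       # what the -purpose check keys on
        echo "authorityKeyIdentifier = keyid"
        if [ -n "$san" ]; then echo "subjectAltName = $san"; fi
    } >"$OUT/$stem.ext"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$OUT/$stem.key" 2>/dev/null
    chmod 600 "$OUT/$stem.key"
    openssl req -new -config "$OUT/$stem.cnf" -key "$OUT/$stem.key" -out "$OUT/$stem.csr"
    openssl x509 -req -in "$OUT/$stem.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" -CAcreateserial \
        -days "$LEAF_DAYS" -sha256 -extfile "$OUT/$stem.ext" -out "$OUT/$stem.crt"
}

# The chain check nginx performs against ssl_client_certificate (ca.crt).
verify_chain() { openssl verify -CAfile "$OUT/ca.crt" "$OUT/$1.crt" >/dev/null; }

# The README's purpose check: succeeds only on "SSL client : Yes".
is_client_cert() { openssl x509 -in "$OUT/$1.crt" -noout -purpose | grep -q '^SSL client : Yes'; }

# Same job as create_p12.sh: key, cert and CA in one PKCS#12 for browser import.
make_p12() {
    openssl pkcs12 -export -inkey "$OUT/$1.key" -in "$OUT/$1.crt" -certfile "$OUT/ca.crt" \
        -name "$1" -passout "pass:$P12_PASS" -out "$OUT/$1.p12"
}

# Same job as validate.sh: present the client cert and key to the protected URL.
validate_endpoint() { curl -sS --cacert "$OUT/ca.crt" --cert "$OUT/$1.crt" --key "$OUT/$1.key" "$2"; }

main() {
    make_ca
    make_leaf client "$CLIENT_CN" clientAuth
    make_leaf server "$SERVER_CN" serverAuth "DNS:$SERVER_CN"
    verify_chain client
    verify_chain server
    is_client_cert client
    make_p12 client
    echo "CA, client and server certs written to $OUT"
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh mtls_certs.sh --run` (name assumed), then `validate_endpoint client https://host/` once `ca.crt` is deployed. The extension files are the point: `extendedKeyUsage = clientAuth` is what makes the purpose check print `SSL client : Yes`, the server leaf gets `serverAuth` plus a SAN instead and so fails that same check, and the CA's keyUsage deliberately omits `digitalSignature` so the CA cert itself is rejected as a client cert.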