caok · July 11, 2013 02:40
diff --git a/Client Side Certificate Auth in Nginx b/Client Side Certificate Auth in Nginx
 Creating and Signing Your Certs
 This is SSL, so you'll need an cert-key pair for you/the server, the api users/the client and a CA pair. You will be the CA in this case (usually a role played by VeriSign, thawte, GoDaddy, etc.), signing your client's certs. There are plenty of tutorials out there on creating and signing certificates, so I'll leave the details on this to someone else and just quickly show a sample here to give a complete tutorial. NOTE: This is just a quick sample of creating certs and not intended for production.

 # Create the CA Key and Certificate for signing Client Certs
 openssl genrsa -des3 -out ca.key 4096
 openssl req -new -x509 -days 365 -key ca.key -out ca.crt

 # Create the Server Key, CSR, and Certificate
 openssl genrsa -des3 -out server.key 1024
 openssl req -new -key server.key -out server.csr

 # We're self signing our own server cert here.  This is a no-no in production.
 openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

 # Create the Client Key and CSR
 openssl genrsa -des3 -out client.key 1024
 openssl req -new -key client.key -out client.csr

 # Sign the client certificate with our CA cert.  Unlike signing our own server cert, this is what we want to do.
 openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
 Configuring nginx
 server {
    listen        443;
    ssl on;
    server_name example.com;

    ssl_certificate      /etc/nginx/certs/server.crt;
    ssl_certificate_key  /etc/nginx/certs/server.key;
    ssl_client_certificate /etc/nginx/certs/ca.crt;
    ssl_verify_client optional;

    location / {
        root           /var/www/example.com/html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_param  SCRIPT_FILENAME /var/www/example.com/lib/Request.class.php;
        fastcgi_param  VERIFIED $ssl_client_verify;
        fastcgi_param  DN $ssl_client_s_dn;
        include        fastcgi_params;
    }
 }
	Creating and Signing Your Certs
	This is SSL, so you'll need an cert-key pair for you/the server, the api users/the client and a CA pair. You will be the CA in this case (usually a role played by VeriSign, thawte, GoDaddy, etc.), signing your client's certs. There are plenty of tutorials out there on creating and signing certificates, so I'll leave the details on this to someone else and just quickly show a sample here to give a complete tutorial. NOTE: This is just a quick sample of creating certs and not intended for production.

	# Create the CA Key and Certificate for signing Client Certs
	openssl genrsa -des3 -out ca.key 4096
	openssl req -new -x509 -days 365 -key ca.key -out ca.crt

	# Create the Server Key, CSR, and Certificate
	openssl genrsa -des3 -out server.key 1024
	openssl req -new -key server.key -out server.csr

	# We're self signing our own server cert here. This is a no-no in production.
	openssl x509 -req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out server.crt

	# Create the Client Key and CSR
	openssl genrsa -des3 -out client.key 1024
	openssl req -new -key client.key -out client.csr

	# Sign the client certificate with our CA cert. Unlike signing our own server cert, this is what we want to do.
	openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
	Configuring nginx
	server {
	listen 443;
	ssl on;
	server_name example.com;

	ssl_certificate /etc/nginx/certs/server.crt;
	ssl_certificate_key /etc/nginx/certs/server.key;
	ssl_client_certificate /etc/nginx/certs/ca.crt;
	ssl_verify_client optional;

	location / {
	root /var/www/example.com/html;
	fastcgi_pass 127.0.0.1:9000;
	fastcgi_param SCRIPT_FILENAME /var/www/example.com/lib/Request.class.php;
	fastcgi_param VERIFIED $ssl_client_verify;
	fastcgi_param DN $ssl_client_s_dn;
	include fastcgi_params;
	}
	}