Recently I changed my nginx configuration to support Client Certificates to login in to services through the Web from outside my internal network. This will be broken down in to mutable parts so that it is easier to read.
- Creating Client Certificates
- Configuring haproxy to accept them
- Configuring haproxy to reverse proxy to your web applications
- Adding your Client Certificate to your browser
Creating Client Certificates
This is a tutorial on creating your self signed Client Certificate. Unlike self signed Certificates their is no ugly page saying that this is not signed by a secure Third Party which is good for us.
Create a Certificate Authority root
This command creates a Certificate Authority so we can sign the Client Certificate.
openssl genrsa -des3 -out ca.key 4096 openssl req -new -x509 -days 365 -key ca.key -out ca.crt
Organization & Common Name is the DNS name of the server. What I did is create a wild star so that I can use it for other projects later on down the road.
Create the Client Key and CSR
This Command creates the Client Certificate and signs it with the Certificate Authority that we created in the last section.
openssl genrsa -des3 -out client.key 4096 openssl req -new -key client.key -out client.csr openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
Organization & Common Name can be anything you want but I ususaly keep it as the username of the Person that will use it
Convert Client Key to PKCS
Most browsers accept PKCS#12 as the format for Client Keys. This command will convert the client cert in to PKCS#12 format.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Convert Client Key to (combined) PEM
This command combinds
client.p12 certificate and
client.key private key into a single PEM file for programs using openssl.
openssl pkcs12 -in client.p12 -out client.pem -clcerts
Continue to Part2