Client SSL Certs for Remote Systems Administration Part 1

Recently I changed my nginx configuration to support Client Certificates to login in to services through the Web from outside my internal network. This will be broken down in to mutable parts so that it is easier to read.

  • Creating Client Certificates
  • Configuring haproxy to accept them
  • Configuring haproxy to reverse proxy to your web applications
  • Adding your Client Certificate to your browser

Creating Client Certificates

This is a tutorial on creating your self signed Client Certificate. Unlike self signed Certificates their is no ugly page saying that this is not signed by a secure Third Party which is good for us.

Create a Certificate Authority root

This command creates a Certificate Authority so we can sign the Client Certificate.

openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Organization & Common Name is the DNS name of the server. What I did is create a wild star so that I can use it for other projects later on down the road.

Create the Client Key and CSR

This Command creates the Client Certificate and signs it with the Certificate Authority that we created in the last section.

openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt

Organization & Common Name can be anything you want but I ususaly keep it as the username of the Person that will use it

Convert Client Key to PKCS

Most browsers accept PKCS#12 as the format for Client Keys. This command will convert the client cert in to PKCS#12 format.

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Convert Client Key to (combined) PEM

This command combinds client.p12 certificate and client.key private key into a single PEM file for programs using openssl.

openssl pkcs12 -in client.p12 -out client.pem -clcerts

Continue to Part2

Show Comments