Re: Client Certificate Verification
- In reply to: Doug Hardie : "Client Certificate Verification"
Date: Sun, 17 Dec 2023 20:53:20 UTC
Hi

[2023-12-16 21:48] Doug Hardie <bc979@lafn.org>
> I have an application to which clients connect using a browser over SSL. I have a LetsEncrypt certificate for the app that lets the
> client authenticate the app. However, I need to have a multitude of client certificates (one per client machine). I am generating
> these certificates from a self-signed root certificate. I can get the client to verify the app and provide the client certificate
> to it. The app is unable to verify the client certificate. I have not been able to figure out how to have openssl distribute one
> certificate (from LetsEncrypt), but verify the received client certificate using a different certificate chain. Openssl will pass me
> some of the received certificate fields. However, without certificate verification I cannot be sure that those values came from a
> certificate I generated. Is there a way to do this either with openssl or libtls?

Most webservers have a way to set the CA for client auth. E.g., in nginx you can set ssl_client_certificate[0]. Other webservers have similar options.

TLS and TLS client auth are quite complex. Using a more tested implementation is better than implementing it yourself.

satanist

[0] https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate
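The nginx setup the reply points at, written out as an added example (editor's illustration, not part of either message). It shows the split the original question asks for: the certificate sent to browsers comes from one chain (Let's Encrypt), while client certificates are verified against a completely different trust anchor (the self-signed root that issued the per-machine certs). The hostname, file paths, backend address and header names are assumptions; the directives and variables are standard ngx_http_ssl_module / ngx_http_proxy_module ones.

```nginx
server {
    listen 443 ssl;
    server_name app.example.org;            # assumed hostname

    # What the server presents to browsers: the Let's Encrypt leaf + chain.
    # (assumed certbot-style paths)
    ssl_certificate     /etc/letsencrypt/live/app.example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.org/privkey.pem;

    # Separate trust anchor used ONLY to verify client certificates:
    # the self-signed root that signed the per-machine client certs.
    # Its subject is also advertised to the browser as an acceptable CA,
    # so the browser knows which client cert to offer. (assumed path)
    ssl_client_certificate /etc/nginx/client-ca/root.pem;

    # "on" rejects the handshake unless the client presents a cert that
    # chains to the root above; "optional" would let the request through
    # and leave the outcome in $ssl_client_verify instead.
    ssl_verify_client on;

    # Client certs are issued directly by the root, so no intermediates.
    ssl_verify_depth 1;

    # Optional: revoke a compromised machine's cert without re-issuing
    # everything else. (assumed path)
    # ssl_crl /etc/nginx/client-ca/crl.pem;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed backend

        # Hand the verified identity to the application. These values are
        # only trustworthy because ssl_verify_client is "on" above and the
        # backend accepts connections from this proxy alone.
        proxy_set_header X-Client-DN          $ssl_client_s_dn;
        proxy_set_header X-Client-Fingerprint $ssl_client_fingerprint;
        proxy_set_header X-Client-Verify      $ssl_client_verify;
    }
}
```

Two things to check before relying on this: the backend must not be reachable except through nginx (otherwise anyone can forge the X-Client-* headers), and `ssl_verify_client on` means an unverified or absent client certificate fails the TLS handshake itself, so the application never sees fields from a certificate nginx did not validate against your root. That is exactly the property the original question was missing.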