[LRUG] SSL client certificates

Tim Diggins tim at red56.uk
Wed Jun 17 06:52:30 PDT 2020


Hi Andrew

Just read your SO post and I feel your pain.  I just spent hours trying to
get a CA chain (purely in a server cert) to work by concatenating various
intermediate certs into a pem and it was a vale of tears (in the end found
a mechanism to download the correctly concatenated CA chain from my cert
provider, so while I learned a lot about openssl, I did reach the edge of
my understanding, which turned out to be not that far). It's also a
nightmare when you don't have the usable access credentials your users do
(whether certs or active directory config or whatever).

You may have considered this already, but it might be worth checking
whether you can set this up correctly by creating a self-signed Certificate
Authority, creating some certs with it, and then setting up a staging nginx
server with a parallel config to your live one and see if it works
correctly. Seems like this might not take that long to do and might give
you some insight as to which of your assumptions are correct.

all best

Tim

On Wed, 17 Jun 2020 at 14:23, Andrew Stewart <boss at airbladesoftware.com>
wrote:

> Hello LRUG!
>
> Are you (a) handy with SSL and (b) bored?
>
> I'm trying to get Nginx to validate client SSL certificates signed by
> MIT's certificate authority:
>
>         https://stackoverflow.com/q/62259720/151007
>
> But I'm stuck.  Any help would be much appreciated.
>
> Many thanks!
>
> Andrew Stewart
>
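
Tim's suggestion above (a self-signed CA, certificates issued from it, and a staging nginx mirroring the live config) as an added example that is not part of either message. It goes one step further and puts an intermediate CA between root and client, since chain concatenation is the pain point described; the file names, subject names and the /etc/nginx/test-pki path are assumptions.

```shell
#!/bin/sh
# Added example: throwaway two-level CA for a staging nginx. All names are constructed.

# issue NAME SUBJECT-CN EXTFILE [SIGNER]: new key + CSR, signed by SIGNER (self-signed if omitted)
issue() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.csr" 2>/dev/null
    if [ -n "${4:-}" ]; then
        openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
            -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
    else
        openssl x509 -req -in "$1.csr" -signkey "$1.key" \
            -days 30 -extfile "$3" -out "$1.pem" 2>/dev/null
    fi
}

# build_test_pki DIR: root CA, intermediate CA, one client cert, trust bundle, nginx fragment
build_test_pki() (
    set -e
    mkdir -p "$1"
    cd "$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
    issue root   "Staging Test Root CA"         ca.ext
    issue inter  "Staging Test Intermediate CA" ca.ext root
    issue client "staging-test-user"            client.ext inter
    # Trust bundle for nginx: every CA certificate in the client's chain.
    cat inter.pem root.pem > ca-chain.pem
    # Staging vhost fragment. nginx's default ssl_verify_depth is 1, too shallow
    # for client -> intermediate -> root, so it is raised to 2 here.
    cat > client-auth.conf <<'EOF'
ssl_client_certificate /etc/nginx/test-pki/ca-chain.pem;  # assumed install path
ssl_verify_client      on;
ssl_verify_depth       2;
EOF
)

# chain_verifies CAFILE CERT: exit status 0 only if CERT chains to a CA in CAFILE
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run as: sh test-pki.sh /tmp/test-pki
if [ "$#" -gt 0 ]; then
    build_test_pki "$1"
    chain_verifies "$1/ca-chain.pem" "$1/client.pem" && echo "chain OK"
fi
```

Running `chain_verifies` against `root.pem` alone fails, which is the same symptom as a trust bundle that is missing an intermediate.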