[LRUG] SSL client certificates

Paul Mucur mudge at mudge.name
Wed Jun 17 10:08:12 PDT 2020


In case it comes in handy: I’ve found https://whatsmychaincert.com useful for generating the full certificate chain from a single cert.

Kind regards,

— Paul

> On 17 Jun 2020, at 16:11, Jerry Steele <ticktockhouse at gmail.com> wrote:
> 
> Hi Andrew,
> 
> I posted an answer to your question on SO:
> 
> https://stackoverflow.com/questions/62259720/how-to-get-nginx-to-verify-mit-personal-certificates/62432295#62432295
> 
> Thanks
> 
> Jerry
> 
> 
> On Wed, 17 Jun 2020 at 15:17, Tim Diggins <tim at red56.uk> wrote:
> Hi Andrew 
> 
> Just read your SO post and I feel your pain.  I just spent hours trying to get a CA chain (purely in a server cert) to work by concatenating various intermediate certs into a pem and it was a vale of tears (in the end found a mechanism to download the correctly concatenated CA chain from my cert provider, so while I learned a lot about openssl, I did reach the edge of my understanding which turned out to be not that far). It's also a nightmare when you don't have usable access credentials your users do (whether certs or active directory config or whatever).
> 
> You may have considered this already, but it might be worth checking whether you can set this up correctly by creating a self-signed Certificate Authority, creating some certs with it, and then setting up a staging nginx server with a parallel config to your live one and see if it works correctly. Seems like this might not take that long to do and might give you some insight as to which of your assumptions are correct.
> 
> all best
> 
> Tim
> 
> On Wed, 17 Jun 2020 at 14:23, Andrew Stewart <boss at airbladesoftware.com> wrote:
> Hello LRUG!
> 
> Are you (a) handy with SSL and (b) bored?
> 
> I'm trying to get Nginx to validate client SSL certificates signed by MIT's certificate authority:
> 
>         https://stackoverflow.com/q/62259720/151007
> 
> But I'm stuck.  Any help would be much appreciated.
> 
> Many thanks!
> 
> Andrew Stewart
> _______________________________________________
> Chat mailing list
> Chat at lists.lrug.org
> Archives: http://lists.lrug.org/pipermail/chat-lrug.org
> Manage your subscription: http://lists.lrug.org/options.cgi/chat-lrug.org
> List info: http://lists.lrug.org/listinfo.cgi/chat-lrug.org
> 
> 
> -- 
> ---
> 
> Jerry Steele
> Telephone: +44 (0)7492 910225
> GPG: 43A3A8C6
> 
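
The staging test Tim suggests above, sketched as an added example that is not part of the original thread: it builds a throwaway root CA, intermediate CA and client certificate, then shows that the client certificate only verifies when the CA bundle contains the whole chain. It assumes OpenSSL 1.1.1 or later on the PATH; all subject names and file names are constructed.

```shell
#!/usr/bin/env bash
# Throwaway PKI for a staging test: root CA -> intermediate CA -> client cert.
# Every name here (Test Root CA, Test Intermediate CA, test-user) is constructed.
set -eu

build_pki() (   # $1 = empty working directory; body runs in a subshell
  set -e; cd "$1"
  printf '[req]\ndistinguished_name=dn\n[dn]\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > client.ext
  mkcsr() {     # $1 = file stem, $2 = common name
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
      -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  }
  mkcsr root "Test Root CA"
  mkcsr int "Test Intermediate CA"
  mkcsr client "test-user"
  # Self-signed root
  openssl x509 -req -in root.csr -signkey root.key -days 30 \
    -extfile ca.ext -out root.pem 2>/dev/null
  # Intermediate, signed by the root
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out int.pem 2>/dev/null
  # Client certificate, signed by the intermediate
  openssl x509 -req -in client.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -extfile client.ext -out client.pem 2>/dev/null
  # The "correctly concatenated" bundle: intermediate first, then root
  cat int.pem root.pem > chain.pem
)

# -CAfile stands in for the bundle nginx reads via ssl_client_certificate.
# A client cert issued through an intermediate also needs ssl_verify_depth >= 2.
verify_root_only() {
  openssl verify -purpose sslclient -CAfile "$1/root.pem" "$1/client.pem" >/dev/null 2>&1
}
verify_full_chain() {
  openssl verify -purpose sslclient -CAfile "$1/chain.pem" "$1/client.pem" >/dev/null 2>&1
}

dir=$(mktemp -d)
build_pki "$dir"
if verify_root_only "$dir"; then echo "root only:  verified"; else echo "root only:  rejected"; fi
if verify_full_chain "$dir"; then echo "full chain: verified"; else echo "full chain: rejected"; fi
```
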


