We will set up client-side certificate authentication in Nginx using elliptic-curve cryptography: ECDSA keys on curve secp384r1 (P-384) for every certificate, signed by a self-signed Certificate Authority (CA) of our own.
Create the server key and a Certificate Signing Request (CSR) in PEM format:
$ openssl ecparam -out server_ecdsa.pem.key -name secp384r1 -genkey
Create the CA key and certificate (CRT) in PEM format:
$ openssl ecparam -out ca_ecdsa.pem.key -name secp384r1 -genkey
Sign the server certificate with our own Certificate Authority (CA):
$ openssl x509 -req -days 365 -sha512 -in server_ecdsa.pem.csr -CA ca_ecdsa.pem.crt -CAkey ca_ecdsa.pem.key -set_serial 01 -out server_ecdsa.pem.crt
Create the client key and Certificate Signing Request (CSR):
$ openssl ecparam -out client_ecdsa.pem.key -name secp384r1 -genkey
Sign the client certificate with our own Certificate Authority (CA). Note the serial number: every certificate issued by one CA must carry a distinct serial (RFC 5280), and browsers such as Firefox reject a second certificate that repeats an issuer/serial pair, so the client certificate gets 02 rather than the 01 already used for the server:
$ openssl x509 -req -days 365 -sha512 -in client_ecdsa.pem.csr -CA ca_ecdsa.pem.crt -CAkey ca_ecdsa.pem.key -set_serial 02 -out client_ecdsa.pem.crt
Bundle the client key and certificate into a PKCS#12 file (the format browsers import):
$ openssl pkcs12 -export -clcerts -in client_ecdsa.pem.crt -inkey client_ecdsa.pem.key -out client_ecdsa.p12
Of course, clients can generate their own key and send only the CSR to the CA; the CA signs it and returns the certificate, and the client builds the PKCS#12 bundle for their browser themselves. That way the client's private key never leaves the client's machine.
An example Nginx config is:
server {
We can now import the client PKCS#12 bundle (.p12) into a browser and try to reach our website, or test it with openssl or curl:
$ openssl s_client -connect example.org:443 -key client_ecdsa.pem.key -cert client_ecdsa.pem.crt
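The whole procedure above as one script, added here as an example and not code from the original post: it includes the CSR and self-signed-CA steps the snippets above leave out, gives each certificate its own serial, adds the CA/leaf extensions a modern verifier expects, verifies both leaves against the CA for their intended purpose, and prints the Nginx server block the truncated config above stands for. File names follow the post; WORKDIR, the subject names, the serial values, the PKCS#12 password, the extension profiles and the paths in the Nginx block are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: the whole procedure as one
# script, including the CSR and self-signed-CA steps the post's snippets omit.
# File names follow the post; WORKDIR, subject names, serial values, the P-12
# password and the extension profiles are assumptions.
set -eu
WORKDIR="${WORKDIR:-./mtls-pki}"

# issue NAME SERIAL EXTFILE SUBJECT: key, CSR and CA-signed cert for one leaf.
# Run inside WORKDIR. Every leaf gets its own serial: two certificates from one
# issuer must never share one (browsers reject the second as a reused serial).
issue() {
  openssl ecparam -name secp384r1 -genkey -noout -out "${1}_ecdsa.pem.key"
  openssl req -new -config req.cnf -key "${1}_ecdsa.pem.key" -subj "$4" \
      -out "${1}_ecdsa.pem.csr"
  openssl x509 -req -days 365 -sha384 -in "${1}_ecdsa.pem.csr" \
      -CA ca_ecdsa.pem.crt -CAkey ca_ecdsa.pem.key -set_serial "$2" \
      -extfile "$3" -out "${1}_ecdsa.pem.crt"
}

build_pki() (   # subshell body, so the cd does not leak to the caller
  mkdir -p "$WORKDIR" && cd "$WORKDIR"
  # Minimal req config so -subj works even where no system openssl.cnf exists.
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\n' > req.cnf
  # Extension profiles: a real CA, and role-bound leaves so a client cert can
  # never be replayed as a server cert (or vice versa).
  cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  cat > server.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:example.org
authorityKeyIdentifier = keyid
EOF
  cat > client.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF

  # CA: P-384 key, CSR, self-signed certificate with serial 1.
  openssl ecparam -name secp384r1 -genkey -noout -out ca_ecdsa.pem.key
  openssl req -new -config req.cnf -key ca_ecdsa.pem.key \
      -subj "/CN=Example Client CA" -out ca_ecdsa.pem.csr
  openssl x509 -req -days 3650 -sha384 -in ca_ecdsa.pem.csr \
      -signkey ca_ecdsa.pem.key -set_serial 1 -extfile ca.ext -out ca_ecdsa.pem.crt

  issue server 2 server.ext "/CN=example.org"   # serial 2
  issue client 3 client.ext "/CN=alice"         # serial 3

  # Bundle the client key and certificate as PKCS#12 for a browser import.
  openssl pkcs12 -export -clcerts -in client_ecdsa.pem.crt \
      -inkey client_ecdsa.pem.key -passout pass:changeit -out client_ecdsa.p12
)

# verify_leaf NAME sslserver|sslclient: chain + purpose check against the CA,
# the same validation Nginx's ssl_verify_client performs at the handshake.
verify_leaf() {
  openssl verify -CAfile "$WORKDIR/ca_ecdsa.pem.crt" -purpose "$2" \
      "$WORKDIR/${1}_ecdsa.pem.crt" >/dev/null
}

# serial_of NAME: hex serial of a leaf as openssl prints it, e.g. "02".
serial_of() { openssl x509 -noout -serial -in "$WORKDIR/${1}_ecdsa.pem.crt" | cut -d= -f2; }

# Nginx server block the post's truncated config stands for (paths assumed).
nginx_snippet() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name example.org;
    ssl_certificate        $WORKDIR/server_ecdsa.pem.crt;
    ssl_certificate_key    $WORKDIR/server_ecdsa.pem.key;
    ssl_client_certificate $WORKDIR/ca_ecdsa.pem.crt;  # CA that issued the client certs
    ssl_verify_client      on;   # no valid client certificate, no handshake
    ssl_verify_depth       1;
    ssl_protocols          TLSv1.2 TLSv1.3;
}
EOF
}

build_pki
verify_leaf server sslserver
verify_leaf client sslclient
echo "PKI built in $WORKDIR: server serial $(serial_of server), client serial $(serial_of client)"
nginx_snippet
```

Run it once, paste the printed server block into your Nginx config and reload. From a machine holding the client files the handshake can then be checked with `openssl s_client -connect example.org:443 -CAfile ca_ecdsa.pem.crt -cert client_ecdsa.pem.crt -key client_ecdsa.pem.key` (the `-CAfile` makes the server certificate verify too), or with `curl --cacert ca_ecdsa.pem.crt --cert client_ecdsa.pem.crt --key client_ecdsa.pem.key https://example.org/`; without the client key and certificate, Nginx closes the handshake. Two caveats: with `ssl_verify_client on` every request to that server block needs a certificate, whereas `ssl_verify_client optional` lets Nginx accept the connection and leaves the decision to the `$ssl_client_verify` variable (SUCCESS, FAILED or NONE) per location; and OpenSSL 3.x writes PKCS#12 files with AES-256-CBC and PBKDF2 by default, which some older browser and OS keychain importers reject, in which case add `-legacy` to the `openssl pkcs12 -export` command.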