How to setup 2way ssl authentication (mutual authentication) with Nginx

boobo94

Bogdan Alexandru Militaru

Posted on June 17, 2021

How to setup 2way ssl authentication (mutual authentication) with Nginx

Pre-Requisites

Make sure that you have openssl

openssl version -a

Enter fullscreen mode Exit fullscreen mode

To setup 2-way ssl (mutual authentication) you need:

  • Certificate Authority (CA)
  • Server 1 Certificate
  • Server 2 Certificate

Certificate Authority (CA)

What is certificate authority?

In cryptography, a certificate authority or certification authority (CA) is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others (relying parties) to rely upon signatures or on assertions made about the private key that corresponds to the certified public key.

Having this mentioned, we need an authority which validates our certificates. Here are two options, to grant yourself the authority and self-sign certificates or use a trusted authority. In the following lines I’ll describe the process of signing the certificate

Using self-signed certificates

Now we should generate a new Certificate Authority self signed, run the following:

$ openssl req -new -x509 -days 9999 -keyout ca-key.pem -out ca-crt.pem

Enter fullscreen mode Exit fullscreen mode

Note!! You can remove -days 9999 to make the certificate to don’t expire.

Then the terminal prompts the following:

Generating a 2048 bit RSA private key
................................................+++
....................................................+++
writing new private key to 'ca-key.pem'
Enter PEM pass phrase: YOUR_CA_PASSWORD
Verifying - Enter PEM pass phrase: YOUR_CA_PASSWORD
----------
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----------
Country Name (2 letter code) [XX]:RO
State or Province Name (full name) []:Romania
Locality Name (eg, city) [Default City]:Bucharest
Organization Name (eg, company) [Default Company Ltd]:Cmevo Digital SRL
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:cmevo.com
Email Address []:contact@cmevo.com

Enter fullscreen mode Exit fullscreen mode

Now you can check the files generated

$ ls -l

ca-crt.pem
ca-key.pem

Enter fullscreen mode Exit fullscreen mode

Using trusted signed certificates

To use a trusted signed certificate, simply search on internet, if you prefer privacy I recommend Duckduckgo & Firefox.

Doesn’t matter which provider you choose, to get the public certificate you need to provide a private key, generated on your server.

Server 1 Certificate

Generate the key for server

$ openssl genrsa -out server1-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.......................................................................................++
...........................................................++
e is 65537 (0x10001)

Enter fullscreen mode Exit fullscreen mode

Generate a Server Certificate Signing Request

$ openssl req -new -key server1-key.pem -out server1-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----------
Country Name (2 letter code) [XX]:RO
State or Province Name (full name) []:Bucharest
Locality Name (eg, city) [Default City]:^C
[ec2-user@api custom_cert]$ openssl req -new -key server1-key.pem -out server1-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----------
Country Name (2 letter code) [XX]:RO
State or Province Name (full name) []:Romania
Locality Name (eg, city) [Default City]:Bucharest
Organization Name (eg, company) [Default Company Ltd]:Cmevo Digital SRL
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:server1-api.cmevo.com
Email Address []:contact@cmevo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SERVER1_PASSWORD
An optional company name []:

Enter fullscreen mode Exit fullscreen mode

Now let’s sign the certificate with previously generated CA certificate

$ openssl x509 -req -days 9999 -in server1-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out server1-crt.pem
Signature ok
subject=/C=RO/ST=Romania/L=Bucharest/O=Cmevo Digital SRL/OU=devops/CN=server1-api.cmevo.com/emailAddress=contact@cmevo.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:YOUR_CA_PASSWORD

Enter fullscreen mode Exit fullscreen mode

Look at our files:

$ ls
ca-crt.pem ca-crt.srl ca-key.pem server1-crt.pem server1-csr.pem server1-key.pem

Enter fullscreen mode Exit fullscreen mode

Oookk guys, let’s check our certificate

$ openssl verify -CAfile ca-crt.pem server1-crt.pem
server1-crt.pem: OK

Enter fullscreen mode Exit fullscreen mode

Server 2 Certificate

We do the same thing on the second server.

$ openssl genrsa -out server2-key.pem 4096
Generating RSA private key, 4096 bit long modulus
.......................................................................................++
..............................................++
e is 65537 (0x10001)

Enter fullscreen mode Exit fullscreen mode

Generate a Client Certificate Signing Request

$ openssl req -new -key server2-key.pem -out server2-csr.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
----------
Country Name (2 letter code) [XX]:RO
State or Province Name (full name) []:Romania
Locality Name (eg, city) [Default City]:Bucharest
Organization Name (eg, company) [Default Company Ltd]:Cmevo Digital SRL
Organizational Unit Name (eg, section) []:devops
Common Name (eg, your name or your server's hostname) []:server2-api.cmevo.com
Email Address []:contact@cmevo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:SERVER2_PASSWORD
An optional company name []:

Enter fullscreen mode Exit fullscreen mode

Sign the certificate with previously generated CA certificate

$ openssl x509 -req -days 9999 -in server2-csr.pem -CA ca-crt.pem -CAkey ca-key.pem -CAcreateserial -out server2-crt.pem
Signature ok
subject=/C=RO/ST=Romania/L=Bucharest/O=Cmevo Digital SRL/OU=devops/CN=server2-api.cmevo.com/emailAddress=contact@cmevo.com
Getting CA Private Key
Enter pass phrase for ca-key.pem:YOUR_CA_PASSWORD

Enter fullscreen mode Exit fullscreen mode

Check our certificate

$ openssl verify -CAfile ca-crt.pem server2-crt.pem
server2-crt.pem: OK

Enter fullscreen mode Exit fullscreen mode

Nginx configuration

Oh, we’re almost there boys. Let’s configure finally the nginx.

We need to create the certificate bundle. But if you buy one, you’ll receive this file.

cat server1-crt.pem ca-crt.pem server1-key.pem > ssl-bundle.pem

Enter fullscreen mode Exit fullscreen mode

Except that we need to create another file client.certs.pem. So this file will contains all the clients which connects secure to our serve.

cat server2-crt.pem ca-crt.pem > client.certs.pem

Enter fullscreen mode Exit fullscreen mode

Note, if your CA is not self-signed is not required to append the ca-crt.pem file, you only need to append the certificate file.

In this example we have only two servers, but if you have for example another server “Server 3”, you can replicate the above process and append server3-crt.pem to this client.certs.pem file.

The nginx conf example:


server {
    server_name server1-api.cmevo.com;
    listen 443 ssl;

    ssl_certificate /etc/ssl/private-api/ssl-bundle.pem;
    ssl_certificate_key /etc/ssl/private-api/server1-key.pem;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    ssl_verify_client on;
    ssl_client_certificate /etc/ssl/private-api/client.certs.pem;
    ssl_verify_depth 2;

    client_max_body_size 100M;

    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;

        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $remote_addr;
    }
}

Enter fullscreen mode Exit fullscreen mode

How works mutual authentication?

Let’s make an example request from server 2 to server 1

curl --location --request POST 'https://server1-api.cmevo.com' \
--header 'Content-Type: application/json' \
--cert server2-crt.pem --key server2-key.pem

Enter fullscreen mode Exit fullscreen mode

For an extra layer of security, you can add as well a payload encryption, check Asymmetric encryption (Public-key cryptography) with Node.js

I have two resources that I used for myself at some point and I want to share with you

  1. How to generate keys for Mutual TLS Authentication
  2. Client and server SSL mutual authentication with NodeJs
💖 💪 🙅 🚩
boobo94
Bogdan Alexandru Militaru

Posted on June 17, 2021

Join Our Newsletter. No Spam, Only the good stuff.

Sign up to receive the latest update from our blog.

Related