Instead of a plain username/password, authentication can be done with an SSL client certificate:

Create the directory that will hold the files:

mkdir /etc/ssl/ca && cd /etc/ssl/ca

Generating the root certificate

First, create a root certificate (a CA) that will be used to sign our client certificate. A passphrase will be requested to encrypt the key.

Generating the private key for the CA

openssl genrsa -des3 -out ca.key 4096
--
Generating RSA private key, 4096 bit long modulus
.....++++
..................................................
..................................................
...........................................................++++
e is 65537 (0x010001)
Enter pass phrase for ca.key:
Verifying - Enter pass phrase for ca.key:

Generating the CA certificate with the key

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
--
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ticloud.fr
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Ticloud root certificate
Email Address []:

Generating the client certificate

Generating the private key

openssl genrsa -des3 -out client.key 2048
--
Generating RSA private key, 2048 bit long modulus
.......+++++
.............+++++
e is 65537 (0x010001)
Enter pass phrase for client.key:
Verifying - Enter pass phrase for client.key:

Generating the client certificate signing request (CSR)

openssl req -new -key client.key -out client.csr
--
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:FR
State or Province Name (full name) [Some-State]:France
Locality Name (eg, city) []:Paris
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ticloud.fr
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:client certificate
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Signing the client certificate with the CA

openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
--
Signature ok
subject=C = FR, ST = France, L = Paris, O = ticloud.fr, CN = client certificate
Getting CA Private Key
Enter pass phrase for ca.key:

Exporting the certificate for the client workstation

openssl pkcs12 -export -out client.p12 -in client.crt -inkey client.key
--
Enter pass phrase for client.key:
Enter Export Password:
Verifying - Enter Export Password:

The client.p12 file contains the client certificate, which must be imported on the client workstation. For Safari, Chrome and Internet Explorer, import the certificate directly into the operating system's certificate store. For Firefox, the certificate has to be imported through the browser's own options.
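The same CA and client certificate steps, scripted without interactive prompts and finished with an openssl verify check that client.crt really chains to ca.crt (the check NGINX later performs against the file given to ssl_client_certificate). This is an added example, not code from the original post; the directory, subjects and passphrases are constructed for the demo, and it uses -CAcreateserial instead of the fixed -set_serial 01 so that each issued client certificate gets a distinct serial number.

```shell
#!/bin/sh
# Added example (not from the original post): the CA + client certificate
# procedure above, scripted without interactive prompts, then verified.
# Directory, subjects and passphrases below are constructed for the demo.

issue_client_cert() (
    set -eu
    dir="$1"                                  # the post uses /etc/ssl/ca
    ca_pass="${2:-ca-demo-passphrase}"        # constructed passphrase for ca.key
    client_pass="${3:-client-demo-passphrase}"
    export_pass="${4:-p12-demo-passphrase}"   # asked for when importing client.p12
    mkdir -p "$dir"
    cd "$dir"

    # 1. Root CA: passphrase-protected key and self-signed certificate (10 years).
    openssl genrsa -aes256 -passout "pass:$ca_pass" -out ca.key 4096
    openssl req -new -x509 -days 3650 -key ca.key -passin "pass:$ca_pass" \
        -subj "/C=FR/ST=France/L=Paris/O=ticloud.fr/CN=Ticloud root certificate" \
        -out ca.crt

    # 2. Client key and certificate signing request.
    openssl genrsa -aes256 -passout "pass:$client_pass" -out client.key 2048
    openssl req -new -key client.key -passin "pass:$client_pass" \
        -subj "/C=FR/ST=France/L=Paris/O=ticloud.fr/CN=client certificate" \
        -out client.csr

    # 3. Sign the CSR with the CA. -CAcreateserial keeps a counter in ca.srl
    #    so every client certificate gets its own serial number.
    openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key \
        -passin "pass:$ca_pass" -CAcreateserial -out client.crt

    # 4. PKCS#12 bundle for import on the workstation.
    openssl pkcs12 -export -in client.crt -inkey client.key \
        -passin "pass:$client_pass" -passout "pass:$export_pass" -out client.p12

    # 5. Check: client.crt must chain to ca.crt, the same test NGINX performs
    #    against the file given to ssl_client_certificate.
    openssl verify -CAfile ca.crt client.crt
)

# Stand-alone usage: output directory as first argument (default ./demo-ca).
issue_client_cert "${1:-./demo-ca}"
```

The four files land in the chosen directory with the same names as in the walkthrough (ca.key, ca.crt, client.key, client.crt, client.p12), so the NGINX configuration below can be used unchanged.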

Changing the NGINX configuration

In the vhost, inside the "server" section, add the following lines:

ssl_client_certificate /etc/ssl/ca/ca.crt;
ssl_verify_client optional;

location / {
    # if the client-side certificate failed to authenticate, show a 403
    # message to the client
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
}

Restart NGINX so the change takes effect.
