Client PKI Authentication

I am trying to authenticate a user's PKI certificate by the CA that signed the client certificate. I am able to get the certificate picker in the browser to show the relevant certs, and that works correctly. But when I select a cert in the browser I get the following error.

I am following the staticMTLS guide here: Client mTLS

{
    "error": "Certificate with SHA256 d6da30c260618b4ccabd391ed6518f444628fe0835097eade3ef54947f1745fb not allowed"
}

In NGINX my .conf would look like this to accomplish PKI Authentication.

server {
    listen 443 ssl;
    server_name example.com;

    ssl_protocols TLSv1.1 TLSv1.2;
    # letsencrypt certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # client certificate: trust any client cert that chains to this CA
    ssl_client_certificate /etc/nginx/client_certs/ca.crt;
    ssl_verify_client optional;

    location / {
    }
}

Very similar to this: Accept mutualTLS for clients with cert signed by specific CA - #3 by Niels_Bouten

Any help would be greatly appreciated thank you!


Welcome to the community. We appreciate you taking the time to search and link a related issue. We hope to get you an update on this soon.


Thank you! I appreciate the quick response.