Questions tagged [client-certificate]
A certificate which authenticates a client or user towards a server or service.
43 questions
7 votes | 1 answer | 7k views
How does one forward a client authentication certificate through HA proxy while terminating TLS?
I have a web API fronted by an HA Proxy load balancer. The web API uses client authentication certificates for identity authentication and authorization. I'd like the HA Proxy appliance to terminate ...
6 votes | 1 answer | 4k views
AWS API Gateway Lambda Authorizers + Client certificates
I'm evaluating the use of client certificates to improve security in an application I'm working on. It all runs behind on AWS and passes through an API Gateway with an attached Lambda authorizer.
AWS ...
5 votes | 1 answer | 3k views
Debugging client certificate issues on IIS
We have a 2008R2 IIS server set up with a site configured to require client certificates. Our test client isn't working, and we're trying to debug why.
During the course of this, we've set up a new ...
4 votes | 2 answers | 1k views
Is it possible to get a browser to present a client side certificate even if the client cert isn't signed by the same CA as the server cert?
I'm in a strange scenario where I have a server with NodeJS backend and ReactJS frontend that does record keeping where the customer wants to use user certificates to ID who visits this internal site. ...
2 votes | 1 answer | 8k views
Add Client Certificate when acting as a reverse proxy
I basically have the exact same problem as Add Client certificate when acting as reverse proxy (Apache/NGINX), but in my case there is no nginx that can help me out.
I want a certain location inside ...
2 votes | 1 answer | 295 views
Postfix client cert info not being passed to opendkim milter
I have a private postfix server that uses dovecot sasl to optionally authenticate submission clients, and I'm trying to set it up to also accept client certificates to allow it to act as a relay host ...
2 votes | 1 answer | 760 views
Nginx: Change value of `ssl_verify_client` based on request IP
When setting up nginx with client-certificate config, ssl_verify_client should be set to on or optional. If we want to bypass verification for local users (like 192.168.0.0/24), we can use optional ...
2 votes | 1 answer | 196 views
Configure postfix to enforce client certificate authentication for one domain
I have a postfix server which processes mails for several domains. The server is using TLS encryption if the client requests it, but does currently not enforce it for compatibility reasons.
Now there'...
2 votes | 1 answer | 3k views
HTTP authentication with public/private key pair
I'm looking for a way to authenticate clients/users at a web server with public/private key pairs and already read this question:
Public key authentication or similar over HTTP/HTTPS? The answers are ...
2 votes | 1 answer | 2k views
Configure NGINX reverse proxy to verify client certificate custom field
I would like to verify a client certificate "custom" field directly with NGINX before returning it to the actual page.
As I understand from here:
http://nginx.org/en/docs/http/ngx_http_ssl_module....
2 votes | 1 answer | 2k views
Should I use a public or an internal CA for client certificate / mTLS?
I am configuring an Azure App Gateway for mutual authentication (mTLS). This question is more generally about when and when not to use public vs internal CAs for client certificates / mutual ...
2 votes | 0 answers | 2k views
NGINX Client Certificate with Indirect CRL
I'm trying to implement mTLS using Nginx SSL Module. Everything works fine until I give Nginx CRL files concatenated in PEM format because one of the CRL is an Indirect CRL.
The chain for a leaf ...
2 votes | 1 answer | 1k views
Lighttpd Client Certificate Authentication
I'm trying to enable client certificate authentication with lighttpd using my own internal windows CA's.
Disclaimer: I'm still very new to PKI :D
I have an offline root CA and a subordinate CA in my ...
2 votes | 1 answer | 2k views
How to add checks for multiple specific ssl_client_fingerprints in Nginx configuration?
In addition to usual CA chain validation, I would like Nginx server section to permit specific client certificate thumbprints only.
I could find how to check for single fingerprint, but I'm not sure ...
1 vote | 1 answer | 7k views
List all client certificates installed on user profiles in a domain
I'm taking initial steps to start securing a network, and I've come across the fact that a number of machines have Client Certificates for websites installed in the user client certificate store, ...
1 vote | 1 answer | 838 views
Apache 2.4: Require client certificate only for non-GET methods
We have an internal service running on HTTP with an Apache 2.4 instance (Debian Bullseye) put in front of it as a proxy for HTTPS. Apache and HTTPS are up and running, but an additional requirement is ...
1 vote | 0 answers | 663 views
Debug client certificate authentication in Firefox
I'm having trouble determining why Firefox is not applying client certificate authentication in a particular situation.
I have a self-signed client certificate issued for a specific site (nginx ...
1 vote | 0 answers | 1k views
Nginx reverse proxy with client-certificate authentication
I understand I can have nginx to check client certificate before forwarding requests; something along the lines:
server {
listen 443 ssl;
server_name my.server.com;
ssl_certificate /...
0 votes | 1 answer | 1k views
Is a windows user really needed for IIS client certificate authorization, if so how to set this user's privileges?
I had originally posted this question in securitystackexchange, but I didn't get the answer I was expecting, and I see the topic can also fit here.
I need to connect two servers in different ...
0 votes | 1 answer | 3k views
Can you create an mTLS connection while using an SSL Proxy?
I am using an SSL/TLS Proxy, meaning I have installed a CA on all my clients that allows me to break/decrypt their TLS connections.
I’m trying to determine what would happen to an mTLS connection and ...
0 votes | 1 answer | 465 views
Overriding "SSL client : No" for a specific nginx virtual server
I have a bunch of clients (too many to easily retrofit) each holding a single certificate (signed by a non-standard CA over which I have no control; I just generated the CSRs).
Now I need to setup a &...
0 votes | 1 answer | 10k views
curl - SSL peer does not support certificates of the type it received
Trying to send a request with a client certificate to an Apache server, I have the following request and error:
$ curl -X POST https://my-server.com/dummy/user -H 'Cache-Control: no-cache' -H '...
0 votes | 0 answers | 58 views
Conditional SSL client certificate request with nginx
Is it possible to make the SSL client certificate request conditional depending on the IP range of the user with nginx?
ssl_verify_client optional always sends the request, but does not fail when no ...
0 votes | 0 answers | 24 views
Nginx as reverse proxy for Gitblit with client certificate authentication. Peer closed connection in SSL handshake while SSL handshaking to upstream
We used the nginx as reverse proxy for the gitblit with client certificate authentication.
Given the nginx configuration as below.
server {
listen 443 ssl http2 default_server;
server_name _;
...
0 votes | 0 answers | 22 views
How do I create a Service Hook Web Hook in Azure DevOps using a client certificate?
The service I want to connect my webhook to requires a client certificate when communicating via SSL/TLS. I already downloaded the certificate files, how can I add my certificate to the service hook / ...
0 votes | 0 answers | 165 views
NGINX: Is it possible to configure mTLS without an ssl_client_certificate?
The system I am working with allows clients to register their public keys for mTLS with an application server. We would like our client's applications to establish an mTLS connection with an NGINX ...
0 votes | 0 answers | 213 views
Apache - authorize users either by client certificate or by ldap group membership
I use Apache as a reverse proxy to check the authorization of incoming requests. Until now only Kerberos was provided as authentication method for "/" and client certificates for "/api&...
0 votes | 0 answers | 852 views
How to debug ssl_client_verify = NONE while the client cert is supplied?
We've an nginx setup running on docker.
nginx version: 1.13.11
openssl version 1.1.1
docker os image: Ubuntu 18.04.2 LTS docker container running on an aws ec2 instance running: 18.04.6 LTS (Bionic ...
0 votes | 1 answer | 5k views
How to debug OpenSSL SSL_read: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure, errno 0
We have an nginx setup with client certificate authentication running on docker, we are only using these ssl settings:
ssl_protocols TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:...
0 votes | 0 answers | 43 views
How to permit only certain e-mail clients for IMAP access
My company is giving out new Android smartphones to employees, and they should be able to manage their e-mail on them. Currently, only access via webmail is enabled, but the mobile webmail client (...
0 votes | 1 answer | 163 views
IIS Client Certificate Authorization working locally but not remotely
I have been attempting to set up client cert authorization on an IIS endpoint. Following the tutorial at https://joji.me/en-us/blog/how-to-create-an-iis-website-that-requires-client-certificate-using-...
0 votes | 1 answer | 3k views
How to make Firefox prompt for Windows's own certificate store's client certificates?
As per this blog post it should be possible:
https://blog.mozilla.org/security/2020/04/14/expanding-client-certificates-in-firefox-75/
Yet when browsing a site which asks for a client certificate it ...
0 votes | 0 answers | 713 views
CRL revocation check fails yet can retrieve file
I have an IIS server on a 2016 box (IIS v10 it says) which is being used to authenticate a unix server via a certificate. I have confirmed connectivity to the internal CRL server, I can telnet to it, ...
0 votes | 1 answer | 949 views
X-ARR-ClientCert not passing from Azure Web App Reverse proxy to another Azure Web App
I've setup a reverse proxy in an Azure Web App instance that's rewriting the URL and forcing SSL to our main Azure Web App .NET Application. It's been running well.
We want to deploy client ...
0 votes | 1 answer | 148 views
Choose Client Certificate dialog in FF displays only a subset of available client certs
problem:
We have an application here using client certificate authentication. This has been working without any issues for years, but now several clients are experiencing the following issue in FF and ...
0 votes | 0 answers | 1k views
Deployed certificate to Personal store using GPO
I am trying to find a user GPO to install a certificate in the personal store (this is a browser certificate and if installed in other stores it won't work so it has to be installed in the Personal ...
0 votes | 1 answer | 714 views
OCSP client certificate validation
For a home automation project I have created an API (written in ASP.NET so hosted in IIS) and written my own Android app to communicate with this API. To prevent people from accessing specific ...
0 votes | 0 answers | 326 views
apache/php not getting client certificates
We wanted to use client certificates in browsers for some of our users for machine identification. I set up a CA and signed a client certificate which I installed in chrome.
Then I set the ...
0 votes | 0 answers | 120 views
Is there a way to configure IIS to tell us we received an untrusted client certificate?
We have a Web API endpoint configured to allow, but not require, client certificates.
We're logging the certificate we receive, then checking to make sure it is what we expect, logging the result, ...
0 votes | 0 answers | 46 views
Assigning third-party client certificates/keys to Active Directory users
In our organization, we have a number of third-party vendors that we must interact with using client certificates. We'd like to be able to assign certificates/keys to a particular Active Directory ...
-1 votes | 1 answer | 46 views
I try to use nginx as a reverse proxy with validating client certificate and I want to check OU in client certificate. Always return 404
Here is my configuration.
server {
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
server_name _;
ssl_certificate /etc/ssl/certs/nginx-self.crt;
...
-1 votes | 0 answers | 15 views
Ubuntu - Nginx client cert authentication: is a public CA a security risk?
I am struggling with a Nginx setup as reverse proxy with client certificate authentication. The client is only accepting publicly signed certificates to be imported as client certificates for ...
-2 votes | 1 answer | 491 views
MTLS on Nginx that works with client side Android Apps?
Is there a way to pull off MTLS/Two-Way SSL/Client Certificates that work on unrooted v10+ Android Clients on the cheap?
I have a couple of personal api end points that I want to be publicly ...