Demonstration of mutual authentication (client cert auth) with a custom CA enforced by Nginx
Requirements:
- docker
- docker-compose
- openssl

Steps:
- Generate the CA cert and key in `certs/root-ca/`: `make ca-cert`
- Generate the nginx server cert (self-signed, for example purposes) in `certs/nginx/`: `make nginx-cert`
- Stand up nginx with those certs on port 8000, with a backing Python Flask server: `make up`
- Prove the server rejects requests that present no client cert: `curl localhost:8000`
- Generate some "untrusted" certs (signed by a CA nginx does not trust) in `certs/untrusted/` with `make untrusted`
- Prove the server rejects those too: `scripts/client_curl.sh untrusted`
- Pretend to be a client and run `scripts/generate_csr.sh NAME` to put a private key and CSR in `certs/NAME/`
- If you trust them, run `scripts/sign_csr.sh NAME` to create a signed cert in `certs/NAME/`
- Verify that the signed cert is accepted and the certified information is echoed back by the Python server: `scripts/client_curl.sh NAME`
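The whole CA / CSR / sign / verify flow above, reduced to plain openssl commands so it can be run offline without docker. This is an added example and not the repo's own Makefile or `scripts/*.sh`; it writes into a temporary directory instead of `certs/`, and the function names (`make_ca`, `generate_csr`, `sign_csr`, `verify_client`, `client_cn`) are assumptions that only mirror the steps listed. The `openssl verify` call is the same chain check nginx performs when `ssl_verify_client on` is paired with `ssl_client_certificate` pointing at the root CA: a cert signed by an untrusted CA fails exactly as the `make untrusted` step demonstrates.

```shell
#!/bin/sh
# Added example (not the repo's scripts): mTLS trust flow with plain openssl.
set -eu

# All material goes under a scratch directory (stand-in for certs/).
WORK="${WORK:-$(mktemp -d)}"

# 1. Create a self-signed root CA in $WORK/<dir>/  (stand-in for `make ca-cert`).
#    Called twice below: once for the trusted root, once for an "untrusted" CA.
make_ca() {
  dir="$1"; cn="$2"
  mkdir -p "$WORK/$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$cn" \
    -keyout "$WORK/$dir/ca.key" -out "$WORK/$dir/ca.crt" 2>/dev/null
}

# 2. Client side: private key + CSR (stand-in for scripts/generate_csr.sh NAME).
#    The private key never leaves $WORK/<name>/; only the CSR goes to the CA.
generate_csr() {
  name="$1"
  mkdir -p "$WORK/$name"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$name" \
    -keyout "$WORK/$name/client.key" -out "$WORK/$name/client.csr" 2>/dev/null
}

# 3. CA side: sign the CSR with the given CA (stand-in for scripts/sign_csr.sh NAME).
sign_csr() {
  name="$1"; ca="$2"
  openssl x509 -req -days 30 -in "$WORK/$name/client.csr" \
    -CA "$WORK/$ca/ca.crt" -CAkey "$WORK/$ca/ca.key" -CAcreateserial \
    -out "$WORK/$name/client.crt" 2>/dev/null
}

# 4. The check nginx's ssl_verify_client performs: does the client cert chain
#    to the trusted root in root-ca/?  Exit 0 = accepted, non-zero = rejected.
verify_client() {
  name="$1"
  openssl verify -CAfile "$WORK/root-ca/ca.crt" "$WORK/$name/client.crt" >/dev/null 2>&1
}

# 5. The "certified information": the subject DN the backend can echo back
#    (nginx exposes it as $ssl_client_s_dn, e.g. forwarded in a header).
client_cn() {
  openssl x509 -in "$WORK/$1/client.crt" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//'
}

# Walk the README steps end to end.
demo() {
  make_ca root-ca   "Demo Root CA"
  make_ca untrusted "Untrusted CA"

  generate_csr alice
  sign_csr alice root-ca
  if verify_client alice; then
    echo "alice: accepted, subject $(client_cn alice)"
  else
    echo "alice: rejected (unexpected)"
  fi

  # Same CSR flow, but signed by a CA nginx does not trust (the `make untrusted` case).
  generate_csr mallory
  sign_csr mallory untrusted
  if verify_client mallory; then
    echo "mallory: accepted (unexpected)"
  else
    echo "mallory: rejected, chain does not end at root-ca/ca.crt"
  fi
}

demo
```

The point the demo isolates is that trust is a property of the signing CA, not of the certificate's contents: mallory's cert is well-formed and carries a plausible CN, and it is still rejected because `-CAfile` (and, in nginx, `ssl_client_certificate`) only names `root-ca/ca.crt`. When you wire this into nginx, keep the CA key out of the container entirely; only `ca.crt` is needed for verification.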