A simple example on how to do client authentication with certificates - mutual TLS (mTLS).
Required tools as OpenSSL, Docker and Node.js need to be installed on the machine running the project.
Before running the example create certificate authority (CA)
, server
and client
certificates with the create_certs.sh
script.
A detailed description of each step can be found within the script.
./script/create_certs.sh
# Output
Enter path for certificates directory (default: certs): ./certs
Enter certificate authority (CA) name (default: mtls_ca): my_ca
# ...
With the above example a directory certs
will be created in the root directory and puts the following certificates in there:
- Certificate Authority
- ca.crt
- ca.key
- ca.srl
- Server
- server.crt
- server.csr -- Certificate Signing Request (CSR)
- server.key
- Client
- client.crt
- client.csr -- Certificate Signing Request (CSR)
- client.key
When starting the application notice the comments below and adjust the code if necessary.
Make sure docker
and docker-compose
are up and running.
Also be aware that ports 3000
, 80
and 443
are not occupied already. In case the ports are used by another application, adapt the configuration in ./docker-compose.yml, ./nginx-server/proxy.conf and ./node-server/server.js.
If there has been chosen a certificates directory different to the default path ./certs
, please adjust the path inside ./docker-compose.yml
.
...
volumes:
- ./{directory to certificates}/server.crt:/etc/ssl/server.crt
- ./{directory to certificates}/server.key:/etc/ssl/server.key
- ./{directory to certificates}/ca.crt:/etc/nginx/client_certs/ca.crt
...
All requirements are met? - Let's get ready to spin up the servers with
docker-compose build
docker-compose up
Alternatively combine both commands into one:
docker-compose up --build
Both servers NGINX
and the Node JS Express
server should be available then.
In order to verify the server is working correctly, start testing with an appropriate tool of any choice. Below examples are executed with cURL
.
curl https://localhost \
--cacert certs/ca.crt \
--key certs/client.key \
--cert certs/client.crt
# successfull response with message should be returned
It depends on how the machine you're testing with is set up: not just NGINX
can be called also the Node JS
application can be directly accessed with client certificates.
curl https://localhost:3000 \
--cacert certs/ca.crt \
--key certs/client.key \
--cert certs/client.crt
# successfull response with message should be returned
Of course - nobody is perfect. While testing some errors can occur...
A list of errors ...
curl: (60) SSL certificate problem: unable to get local issuer certificate
Check if ca.crt
file is provided and the correct one hase been chosen.
<html>
<head><title>403 Forbidden</title></head>
<body>
<center><h1>403 Forbidden</h1></center>
<hr><center>nginx/1.17.10</center>
</body>
</html>
Make sure the command consists of all necessary client certificates needed to authenticate with the server.
This project is licensed under the MIT License - see the LICENSE.md file for details