Nginx + mkcert + Client Certificates

Supplemental notes for the MacSysAdmin 2021 conference talk: What About Mutual TLS?


This guide accompanies the talk on setting up a lab to experiment with mutual-TLS configurations.

Note: This is a lab setup only and is not intended for production use. For production environments, consider a real CA, MDM for provisioning client certificates, revocation checking for client certificates in Nginx (a CRL via ssl_crl, or ssl_ocsp on Nginx 1.19.4 and later) in addition to OCSP stapling for the server certificate, and other best practices.

Disclaimer: Fit to your needs. Hat tip to Ed Marczak, Oct 2021.

Prerequisites

  • SSH access to an Ubuntu VM or Raspberry Pi
  • Nginx installed

mkcert Setup

Download and Install

  1. Locate the latest release of mkcert on GitHub.

  2. Download the current mkcert release for your platform:

    bash
    # ARM/Raspberry Pi
    wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-arm
    
    # AMD64/Linux
    wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64
    
    # macOS/Darwin
    wget https://github.com/FiloSottile/mkcert/releases/download/v1.4.3/mkcert-v1.4.3-darwin-amd64
  3. Copy the downloaded binary to /usr/local/bin/ (the ARM build is shown; substitute the file you downloaded):

    bash
    sudo cp mkcert-v1.4.3-linux-arm /usr/local/bin/mkcert
  4. Make the binary executable:

    bash
    sudo chmod +x /usr/local/bin/mkcert

Create a New Local CA and Certificates

  1. Install the local CA into the system trust store (and into the Firefox/Chrome NSS stores if certutil is present). This also creates the CA private key, rootCA-key.pem, in the directory printed by mkcert -CAROOT. Keep that file private: anyone holding it can issue client certificates that this lab's Nginx will accept.

    bash
    mkcert -install
  2. Generate a TLS server certificate for Nginx. This writes nginx.acme.com.pem and nginx.acme.com-key.pem to the current directory; use the hostname your clients will actually connect with, since the certificate is only valid for the names given:

    bash
    mkcert nginx.acme.com
  3. Copy the certificate and private key to the appropriate directory:

    bash
    sudo mkdir -p /etc/nginx/certs && sudo cp nginx.acme.com* /etc/nginx/certs

Create a Client Certificate

  1. Generate a client certificate in PKCS#12 format:

    zsh
    mkcert -client -pkcs12 jappleseed

    This writes jappleseed-client.p12, a PKCS#12 bundle holding the certificate and its private key, protected with mkcert's fixed password changeit. The -client flag adds the clientAuth extended key usage, which is checked during client verification, and the certificate is issued for the specified name, e.g., jappleseed (placed in the Subject Alternative Name and, for PKCS#12 output, the Common Name). Import the .p12 into the client's keychain or certificate store to test with a browser or curl.

Nginx Setup

  1. Copy the provided Nginx configuration template:

    zsh
    sudo cp custom.conf /etc/nginx/sites-enabled/
  2. Validate the Nginx configuration (if custom.conf already references /etc/nginx/certs/root.pem, expect this to fail until the next step supplies that file):

    zsh
    sudo nginx -t
  3. Copy the root CA certificate so Nginx can validate client certificates. The source directory is the one mkcert -CAROOT prints; the path below assumes the ubuntu user's home. Copy only rootCA.pem, never rootCA-key.pem:

    bash
    sudo cp /home/ubuntu/.local/share/mkcert/rootCA.pem /etc/nginx/certs/root.pem
  4. Revalidate the Nginx configuration; it should now pass:

    zsh
    sudo nginx -t
  5. Populate or adapt the directory the Nginx configuration serves from. The command below seeds it with Nginx's default pages; replace that with a Munki repo (or whatever the lab should serve):

    bash
    sudo cp -r /usr/share/nginx/html /usr/share/nginx/content
  6. Restart the Nginx service:

    zsh
    sudo systemctl restart nginx.service
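The talk's custom.conf is not reproduced on this page, so the following is an added lab helper, not the talk's own template or mkcert's code. It renders a mutual-TLS server block with the directives that matter (ssl_client_certificate pointing at the copied root.pem, ssl_verify_client on, ssl_verify_depth 1 because mkcert signs leaves directly with its root), installs it after nginx -t accepts it, shows what Nginx will check on the jappleseed client certificate, and probes the listener with and without that certificate. Assumed and not from the page: the certs directory /etc/nginx/certs, the hostname nginx.acme.com, the file name jappleseed-client.p12, the PKCS#12 password changeit that mkcert uses, and the X-Client-DN debugging header.

```shell
#!/usr/bin/env bash
# Added lab helper (not from the talk or the custom.conf it references).
# Renders a mutual-TLS server block for Nginx, installs it, inspects the
# mkcert client certificate, and probes the listener with and without it.
# Assumptions: certs live in /etc/nginx/certs, the host is nginx.acme.com,
# the client identity is jappleseed-client.p12, and the PKCS#12 password is
# mkcert's fixed "changeit".
set -e

CERT_DIR=${CERT_DIR:-/etc/nginx/certs}
SERVER_NAME=${SERVER_NAME:-nginx.acme.com}
SITE_CONF=${SITE_CONF:-/etc/nginx/sites-enabled/custom.conf}
P12_PASS=${P12_PASS:-changeit}

# Print the server block. ssl_verify_client on makes the handshake fail
# unless the client presents a certificate that chains to root.pem; depth 1
# is enough because mkcert signs leaves directly with its root CA.
render_mtls_conf() {
cat <<EOF
server {
    listen 443 ssl;
    server_name ${SERVER_NAME};

    ssl_certificate     ${CERT_DIR}/${SERVER_NAME}.pem;
    ssl_certificate_key ${CERT_DIR}/${SERVER_NAME}-key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: trust anchor for client certificates, required on every request.
    # Without a valid cert Nginx answers 400 (internal codes 495/496).
    ssl_client_certificate ${CERT_DIR}/root.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    root /usr/share/nginx/content;

    location / {
        # Lab aid: echo the verified subject so curl -i shows who was accepted.
        # The value comes from the validated certificate, not from any client header.
        add_header X-Client-DN "\$ssl_client_s_dn" always;
        try_files \$uri \$uri/ =404;
    }
}
EOF
}

# Write the config and load it only if nginx -t accepts it.
install_conf() {
    render_mtls_conf | sudo tee "$SITE_CONF" >/dev/null
    sudo nginx -t && sudo systemctl reload nginx.service
}

# Show what Nginx will actually check on the client cert: subject, SANs and
# the clientAuth EKU, then verify the chain the way a TLS server would.
inspect_client_cert() {   # $1 = path to the .p12 from mkcert -client -pkcs12
    local pem
    pem=$(mktemp)
    # On OpenSSL 3 hosts add -legacy here: mkcert writes RC2/3DES-encrypted PKCS#12.
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$P12_PASS" -out "$pem"
    openssl x509 -in "$pem" -noout -subject -ext subjectAltName,extendedKeyUsage
    openssl verify -CAfile "$CERT_DIR/root.pem" -purpose sslclient "$pem"
    rm -f "$pem"
}

# HTTP status from the listener: expect 400 with no cert, 200 with the .p12.
probe() {   # $1 = .p12 path, or empty to connect without a client certificate
    if [ -n "${1:-}" ]; then
        set -- --cert-type P12 --cert "$1:$P12_PASS"
    else
        set --
    fi
    curl -sS -o /dev/null -w '%{http_code}\n' \
        --cacert "$CERT_DIR/root.pem" "$@" "https://$SERVER_NAME/"
}

case "${1:-render}" in
    render)  render_mtls_conf ;;
    install) install_conf ;;
    inspect) inspect_client_cert "$2" ;;
    probe)   probe "${2:-}" ;;
esac
```

Usage on the lab host: `./mtls-lab.sh install`, then `./mtls-lab.sh inspect jappleseed-client.p12` to confirm the EKU includes TLS Web Client Authentication and the chain verifies against root.pem, then `./mtls-lab.sh probe` (expect 400) and `./mtls-lab.sh probe jappleseed-client.p12` (expect 200). If only some paths should require a certificate, switch to `ssl_verify_client optional` and gate those locations on `$ssl_client_verify` being `SUCCESS`; with `on`, as here, the handshake itself is the gate and no request reaches a location block without a verified certificate.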