Nginx + mkcert + client certificates

Supplemental notes for the MacSyAdmin 2021 conference talk: What about mutual TLS?

This guide should accompany the talk on setting up the lab to experiment with mutual-TLS configurations.

• Find the video here: https://docs.macsysadmin.se/2021/video/Day2Session4.mp4
• See the slides here: https://docs.macsysadmin.se/2021/pdf/WhatAboutMutualTLS.pdf

Note: This is only a lab setup - so not intended for production. For this you should use a real CA, MDM to provide certificates, Nginx with OCSP stapling and so on.

The notes in this post are published under the “fit to your needs” disclaimer.

(Hat tip @ Ed Marczak, Oct 2021 ;-)

Prerequistes #

• ssh access to Ubuntu VM or RaspberryPi
• Nginx already installed

mkcert setup #

Download and install #

1. Locate latest release of mkcert https://github.com/FiloSottile/mkcert/releases

2. Get to download current mkcert release (simply load the right one for your platform)

# arm/raspi
wget https://github.com/FiloSottile/mkcert/\
releases/download/v1.4.3/mkcert-v1.4.3-linux-arm

# amd64/linux
wget https://github.com/FiloSottile/mkcert/\
releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64

# darwin/macOS
wget https://github.com/FiloSottile/mkcert/\
releases/download/v1.4.3/mkcert-v1.4.3-darwin-amd64

• Copy mkcert install to /usr/local/bin/

sudo cp mkcert-v1.4.3-linux-arm /usr/local/bin/mkcert

• Make mkcert executable

sudo chmod +x /usr/local/bin/mkcert

Create a new local CA, certificate for web-server #

1. The local CA will be installed in the system trust store

mkcert -install

• Create a TLS certificate (used for NGINX)

mkcert nginx.acme.com

• Copy certificate and private key

sudo mkdir -p /etc/nginx/certs && sudo cp nginx.acme.com* /etc/nginx/certs

Create a client certificate #

1. Create a client certificate (in PKCS#12 format) as a .p12 file

• Legacy PKCS#12 encryption password is the hardcoded default changeit

mkcert -client -pkcs12 jappleseed

In example above we’ve created a new certificate valid for the following name jappleseed

Nginx setup #

• Copy the template (find it here)

sudo cp custom.conf /etc/nginx/sites-enabled/

• Validate nginx conf

sudo nginx -t

• Copy the root.pem as the client_root_ca to be used for validating our client certificate

sudo cp /home/ubuntu/.local/share/mkcert/rootCA.pem /etc/nginx/certs/root.pem

• Validate nginx conf

sudo nginx -t

• Copy some content to or adapt the directory shared in nginx conf (of course you can start copy over a full Munki repo ;-)

sudo cp  -r /usr/share/nginx/html /usr/share/nginx/content

• Restart nginx

sudo systemctl restart nginx.service 

Useful Links #

• how-to-use-systemctl-to-manage-systemd-services-and-units
• an alternative open source CA to experiment with: https://smallstep.com/docs/step-ca