Skip to main content

Nginx + mkcert + client certificates

·2 mins

Supplemental notes for the MacSyAdmin 2021 conference talk: What about mutual TLS?

This guide should accompany the talk on setting up the lab to experiment with mutual-TLS configurations.

Note: This is only a lab setup - so not intended for production. For this you should use a real CA, MDM to provide certificates, Nginx with OCSP stapling and so on.

The notes in this post are published under the “fit to your needs” disclaimer.

(Hat tip @ Ed Marczak, Oct 2021 ;-)

Prerequistes #

  • ssh access to Ubuntu VM or RaspberryPi
  • Nginx already installed

mkcert setup #

Download and install #

  1. Locate latest release of mkcert

  2. Get to download current mkcert release (simply load the right one for your platform)

# arm/raspi

# amd64/linux

# darwin/macOS
  • Copy mkcert install to /usr/local/bin/
sudo cp mkcert-v1.4.3-linux-arm /usr/local/bin/mkcert
  • Make mkcert executable
sudo chmod +x /usr/local/bin/mkcert

Create a new local CA, certificate for web-server #

  1. The local CA will be installed in the system trust store
mkcert -install
  • Create a TLS certificate (used for NGINX)
  • Copy certificate and private key
sudo mkdir -p /etc/nginx/certs && sudo cp* /etc/nginx/certs

Create a client certificate #

  1. Create a client certificate (in PKCS#12 format) as a .p12 file
  • Legacy PKCS#12 encryption password is the hardcoded default changeit
mkcert -client -pkcs12 jappleseed

In example above we’ve created a new certificate valid for the following name jappleseed

Nginx setup #

  • Copy the template (find it here)
sudo cp custom.conf /etc/nginx/sites-enabled/
  • Validate nginx conf
sudo nginx -t
  • Copy the root.pem as the client_root_ca to be used for validating our client certificate
sudo cp /home/ubuntu/.local/share/mkcert/rootCA.pem /etc/nginx/certs/root.pem
  • Validate nginx conf
sudo nginx -t
  • Copy some content to or adapt the directory shared in nginx conf (of course you can start copy over a full Munki repo ;-)
sudo cp  -r /usr/share/nginx/html /usr/share/nginx/content
  • Restart nginx
sudo systemctl restart nginx.service