Supplemental notes for the MacSyAdmin 2021 conference talk: What about mutual TLS?

This guide accompanies the talk and walks through setting up a lab for experimenting with mutual-TLS configurations.


Note: This is a lab setup only and is not intended for production. For production you should use a real CA, an MDM to deploy the certificates, Nginx with OCSP stapling, and so on.

The notes in this post are published under the “fit to your needs” disclaimer.

(Hat tip @ Ed Marczak, Oct 2021 ;-)

Prerequisites

  • ssh access to an Ubuntu VM or Raspberry Pi
  • Nginx already installed

mkcert setup

Download and install

  1. Locate the latest release of mkcert at https://github.com/FiloSottile/mkcert/releases

  2. Download the current mkcert release (simply pick the right build for your platform)

# arm/raspi
wget https://github.com/FiloSottile/mkcert/\
releases/download/v1.4.3/mkcert-v1.4.3-linux-arm

# amd64/linux
wget https://github.com/FiloSottile/mkcert/\
releases/download/v1.4.3/mkcert-v1.4.3-linux-amd64

# darwin/macOS
wget https://github.com/FiloSottile/mkcert/\
releases/download/v1.4.3/mkcert-v1.4.3-darwin-amd64
  3. Copy the mkcert binary to /usr/local/bin/ (the arm build is shown; use the file you downloaded)
sudo cp mkcert-v1.4.3-linux-arm /usr/local/bin/mkcert
  4. Make mkcert executable
sudo chmod +x /usr/local/bin/mkcert

Create a new local CA, certificate for web-server

  1. Install the local CA into the system trust store
mkcert -install
  2. Create a TLS certificate (used by NGINX)
mkcert nginx.acme.com
  3. Copy the certificate and private key into the nginx certs directory
sudo mkdir -p /etc/nginx/certs && sudo cp nginx.acme.com* /etc/nginx/certs

Create a client certificate

  1. Create a client certificate in PKCS#12 format as a .p12 file
  2. The legacy PKCS#12 encryption password is mkcert's hardcoded default, changeit
mkcert -client -pkcs12 jappleseed

The example above creates a new client certificate for the name jappleseed.

Nginx setup

  • Copy the template (find it here)
sudo cp custom.conf /etc/nginx/sites-enabled/
  • Validate nginx conf
sudo nginx -t
  • Copy rootCA.pem as root.pem; it is the client_root_ca nginx uses to validate our client certificates
sudo cp /home/ubuntu/.local/share/mkcert/rootCA.pem /etc/nginx/certs/root.pem
  • Validate nginx conf
sudo nginx -t
  • Copy some content into the directory served by the nginx conf, or adapt that directory (of course you can also copy over a full Munki repo ;-)
sudo cp -r /usr/share/nginx/html /usr/share/nginx/content
  • Restart nginx
sudo systemctl restart nginx.service
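What the talk's custom.conf template must contain, and how to check that the finished lab really enforces mutual TLS, as an added example. This is not the template from the talk and not mkcert's or nginx's own code; it assumes the paths used in the commands above, mkcert's default output names (nginx.acme.com.pem, nginx.acme.com-key.pem, jappleseed-client.p12), its hardcoded PKCS#12 password changeit, and that nginx.acme.com resolves to the lab box (for example via /etc/hosts).

```shell
#!/bin/sh
# Added example for the mutual-TLS lab; NOT the talk's custom.conf template.
# Assumptions: paths from the commands above, mkcert's default output file
# names and its hardcoded PKCS#12 password "changeit".

SERVER_NAME="nginx.acme.com"
CERT_DIR="/etc/nginx/certs"
CLIENT_P12="jappleseed-client.p12"
P12_PASS="changeit"
# "mkcert -CAROOT" prints the CA directory; fall back to the path used above.
ROOT_CA="$(mkcert -CAROOT 2>/dev/null || echo "$HOME/.local/share/mkcert")/rootCA.pem"

# Emit an nginx site file that only admits clients whose certificate chains
# to the mkcert root CA. nginx variables are escaped so the shell leaves them.
render_mtls_site() {
  cat <<EOF
# Log which client certificate (if any) was presented and whether it verified.
# log_format is valid here because sites-enabled files are included in http {}.
log_format mtls '\$remote_addr "\$ssl_client_s_dn" \$ssl_client_verify "\$request" \$status';

server {
    listen 443 ssl;
    server_name ${SERVER_NAME};

    ssl_certificate     ${CERT_DIR}/${SERVER_NAME}.pem;
    ssl_certificate_key ${CERT_DIR}/${SERVER_NAME}-key.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Mutual TLS: require a client certificate issued by the mkcert root (root.pem).
    # mkcert signs leaves directly with the root, so a chain depth of 1 is enough.
    ssl_client_certificate ${CERT_DIR}/root.pem;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    access_log /var/log/nginx/mtls.log mtls;

    root /usr/share/nginx/content;
    location / {
        autoindex on;
    }
}
EOF
}

# Show what the lab client certificate actually asserts: subject, issuer,
# validity and that its Extended Key Usage is TLS Web Client Authentication.
inspect_client_cert() {
  # mkcert writes legacy-encrypted PKCS#12; on OpenSSL 3 you may need to add -legacy.
  openssl pkcs12 -in "$CLIENT_P12" -passin "pass:${P12_PASS}" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -text |
    grep -E 'Subject:|Issuer:|Not (Before|After)|TLS Web Client Authentication'
}

# Probe the server from the client side. With ssl_verify_client on, nginx
# answers a handshake without a client certificate with HTTP 400
# ("No required SSL certificate was sent") and a request with jappleseed's
# certificate with HTTP 200. Returns 0 only if both observations hold.
probe_mtls() {
  url="https://${SERVER_NAME}/"
  no_cert=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ROOT_CA" "$url")
  with_cert=$(curl -s -o /dev/null -w '%{http_code}' --cacert "$ROOT_CA" \
      --cert "${CLIENT_P12}:${P12_PASS}" --cert-type P12 "$url")
  echo "without client cert: ${no_cert}"
  echo "with client cert:    ${with_cert}"
  [ "$no_cert" = "400" ] && [ "$with_cert" = "200" ]
}

# Usage on the lab box, in place of the "Copy the template" step above:
#   render_mtls_site | sudo tee /etc/nginx/sites-enabled/custom.conf >/dev/null
#   sudo nginx -t && sudo systemctl reload nginx.service
#   inspect_client_cert
#   probe_mtls
```

probe_mtls is the check worth keeping around: if the "without client cert" line ever reports 200, the site is serving content to anonymous TLS clients and the ssl_verify_client setting (or the site file itself) is not in effect. The mtls log format records the client subject DN and the verification result for every request, which is what you want to see when a Munki client starts failing after a certificate is rotated.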