I have a fully implemented TLS Let's Encrypt configuration and it all works fine.
Users log in to the secure website with their username and password.
I want to follow this guide to client-side certificates https://gist.github.com/mtigas/952344
Rather than using a self-signed CA, I'd like to use my Let's Encrypt certificate to authenticate user certificates.
I've never used client certificates before; I've used user keys from openssl for ssh.
The aim of this is for users to log in using the user/pass and then be able to create a certificate to store, and no longer require password-based logon.
While certificates issued by Let's Encrypt have the id-kp-clientAuth extension typically required for client authentication, private CAs are usually the better approach here. Let's Encrypt issues Domain Validation certificates, so you're basically handing out certificates (and private keys) for whatever domain you decide to put in the certificate. That's not to mention that you'll run into rate limits quite quickly (5 per identical domain per week, 20 per registered domain per week). It's also not really necessary (in this case) to trust a third party never to mis-issue a certificate that you might end up accepting as a login mechanism, so a private CA is likely the safer option as well.
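As an added illustration of the private-CA route recommended above (example code written for this page, not from the original poster, the linked gist, or Let's Encrypt), the following POSIX shell script builds a small private CA with the openssl CLI, issues a client certificate for one user, and runs the same chain-and-purpose check a web server performs on a presented client certificate. The directory layout, the CA name, key sizes, lifetimes and the username are all assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: a minimal private CA for
# client certificates using only the openssl CLI. Directory layout, CA
# name, key sizes and lifetimes are assumptions chosen for illustration.

# Create a self-signed CA certificate constrained to signing end-entity
# certificates only (CA:TRUE, pathlen:0, keyCertSign).
# Usage: make_client_ca <dir>
make_client_ca() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = Example Private Client CA
[ca_ext]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        >/dev/null 2>&1
}

# Issue a client certificate for one user. The extensions come from the
# CA-side extfile, not from the CSR, so a requester cannot smuggle in
# CA:TRUE or an extra EKU. Usage: issue_client_cert <dir> <username>
issue_client_cert() {
    dir="$1"
    user="$2"
    cat > "$dir/$user.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $user
EOF
    cat > "$dir/client_ext.cnf" <<'EOF'
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -config "$dir/$user.cnf" -keyout "$dir/$user.key" -out "$dir/$user.csr" \
        >/dev/null 2>&1 &&
    openssl x509 -req -in "$dir/$user.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -sha256 -extfile "$dir/client_ext.cnf" \
        -out "$dir/$user.crt" >/dev/null 2>&1
}

# What the web server does at the handshake: chain the presented certificate
# to the private CA and require the TLS-client purpose. Exits 0 on success.
# Usage: verify_client_cert <dir> <username>
verify_client_cert() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2.crt" >/dev/null 2>&1
}

# Demo on a constructed temporary directory.
demo() {
    work=$(mktemp -d)
    make_client_ca "$work/ca"
    issue_client_cert "$work/ca" alice
    if verify_client_cert "$work/ca" alice; then
        echo "alice.crt chains to the private CA and is valid for client auth"
    fi
    openssl x509 -in "$work/ca/alice.crt" -noout -subject -issuer
    rm -rf "$work"
}
demo
```

On the server side, point the nginx `ssl_client_certificate` directive at `ca.crt` and set `ssl_verify_client` to `optional` while the password login still has to work, then `on` once every account has a certificate. Two design points the thread does not cover: have the browser or user generate the key and upload only the CSR after the password login, so the server never holds the user's private key, and record the issued certificate's serial or SHA-256 fingerprint against the account so a lost key can be revoked by the application even before a CRL is in place.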