Client Certificate


#1

My domain is:
jenkins.test.rsmgateway.com

I ran this command:
I’m using the certificate generated for the above for both server & client validation. Just to give a scenario, I have applied the same generated cert at the “Kubernetes Ingress” level & at the Pod (Nginx process running) level.

It produced this output:
Since the generated cert’s “Extended Key Usage” field specifies both server & client validation, I was expecting the above workflow from Kubernetes Ingress to Pod to work seamlessly.

The operating system my web server runs on is (include version):
Using Kubernetes to run the Nginx web server, to which the request should come from the Kubernetes Ingress controller.

Error+
I’m getting an SSL error while accessing the Kubernetes ingress controller.

400 The SSL certificate error

400 Bad Request

The SSL certificate error
nginx/1.15.7

Please suggest what is wrong in my approach. Can’t I use the same LE certificate for both server & client validation? If not, then what is the purpose of the Extended Key Usage field, which specifies both client & server cert?


#2

Hi @jgdvivek

checking your site with my FireFox:

https://jenkins.test.rsmgateway.com/

400 Bad Request

The plain HTTP request was sent to HTTPS port
nginx/1.15.7

This doesn’t look like a problem with a client certificate. Your server sends http to a https port.

Same error with Chrome.


#3

@JuergenAuer Thanks, there was some other issue. It’s working now.

But I just want to confirm: is this assumption correct that the LE issued certificates can be used for server as well as client authentication, since the “Extended Key Usage” field specifies both server and client validation?

Please confirm & thanks for the help


#4

Yep, now I see a standard nginx page with a valid Let’s Encrypt certificate.

I don’t know if this works. I have never used client certificates.


#5

Yes, they can be used for client authentication. However, its practical use isn’t that big IMHO. A private CA for client authentication has more potential.

If LE is used, you might want to consider some sort of user-subdomain with a per-user sub-subdomain or something like that. It’s not very wise to use just a single certificate for all users, because that would require sharing the private key and makes revoking the certificate a living hell.
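As an added illustration (not from any post in this thread): an nginx server block that requires a client certificate and, because chain validation alone accepts every certificate the trusted CA has issued, also checks the certificate's subject. All file paths, host names, the upstream address and the allowed subject are placeholder assumptions.

```nginx
# Added example; paths, names and the allowed subject are placeholders.
# The map block belongs in the http {} context.
map $ssl_client_s_dn $client_allowed {
    default 0;
    # Subject of the single client certificate allowed to connect
    # (hypothetical name, RFC 2253 form as used by nginx 1.11.6 and later).
    "CN=ingress.users.example.com" 1;
}

server {
    listen 443 ssl;
    server_name backend.example.com;

    # Certificate this server presents (server authentication).
    ssl_certificate     /etc/nginx/tls/server-fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/server-key.pem;

    # CA certificates used to validate the client's chain. With a private CA
    # this is your own root; with a public CA it is that CA's root/intermediate.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;

    # Require a client certificate. A certificate that fails validation gets
    # the "400 The SSL certificate error" page quoted in the first post.
    ssl_verify_client on;

    # Allow leaf -> intermediate -> root; the default depth of 1 is too
    # shallow when an intermediate CA sits between leaf and root.
    ssl_verify_depth 2;

    location / {
        # With a public CA as trust anchor, every certificate that CA issued
        # passes chain validation, so restrict access to the expected subject.
        if ($client_allowed = 0) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Giving each client its own certificate and its own entry in the map keeps private keys unshared and lets one client be removed without affecting the others.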

