SSL logon with X509 certificates


#1

Dear community,

I would like to authenticate on my https servers with X509 certificates. There are a number of situations where it is quite useful. For example, I am running a small Zabbix server under SSL. I want to authenticate using certificates to be sure I am the only https user. Later, I would like to use OpenSC and smartcards for SSL logon.

Using CAcert, I can create a certificate for my server and then issue client certificates and use them to authenticate against my server. I guess this is called TLS authentication with X509 certificates, but I am not very sure. This is working quite well.

Is that possible with Let’s Encrypt? Do I need to create a small CA, issue a CSR for my server, sign it with Let’s Encrypt and then use it to sign client certificates?

Is that possible? Anyone with a comparable setup?

Kind regards,
Alexandre Belgrand


#2

I would like to use one-way or two-way authentication as explained here:
https://linuxconfig.org/apache-web-server-ssl-authentication

This is only possible with a self-signed CA or CAcert.

Any way to authenticate using a second certificate from Let’s Encrypt?

Please confirm.


#3

Hi @abelgrand,

There are a number of previous threads discussing the fact that Let’s Encrypt has no plans to support issuing client certificates.

https://community.letsencrypt.org/search?q=%22client%20certificates%22

You can simply create a small CA and then use it to sign client certificates. Since your servers are the only ones validating these, you don’t need Let’s Encrypt in the loop at all! You can simply tell your servers that your own CA is trusted to sign certificates for client authentication.
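The private CA approach described in this reply, as an added shell example (not the poster's or Let's Encrypt's own code): it creates a small CA, issues one client certificate signed by it, checks the chain the way the server does during the handshake, and emits the Apache mod_ssl fragment that trusts only that CA for client authentication. The CA name, the subject "alexandre", the working directory and the /etc/letsencrypt/live/example.com paths are assumptions.

```shell
#!/bin/sh
# Constructed example: a tiny private CA for TLS client authentication.
# All names and paths are assumptions. The server keeps its Let's Encrypt
# certificate for the server side; Let's Encrypt never touches the client certs.
set -eu

# Create the CA, then issue one client certificate signed by it.
make_client_ca() {
  dir="$1"
  mkdir -p "$dir"
  # 1. Self-signed CA. Keep ca.key offline; only ca.crt goes to the servers.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Client CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # 2. Client key and CSR (in practice generated on the client or smartcard).
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alexandre" \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  # 3. Sign the CSR with the private CA, marking it as a client-auth leaf.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' \
    > "$dir/client.ext"
  openssl x509 -req -days 365 -in "$dir/client.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null
}

# Same chain check the server performs in the handshake:
# exit 0 if the certificate was issued by the given CA, non-zero otherwise.
verify_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Apache mod_ssl fragment: the Let's Encrypt cert stays the server identity,
# while the private CA ($1) is the only trust anchor for client certificates.
apache_client_auth_fragment() {
  cat <<EOF
SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
SSLCACertificateFile $1
SSLVerifyClient require
SSLVerifyDepth 1
EOF
}
```

A client certificate issued by a different CA fails verify_client_cert, which is exactly why CAcert or Let's Encrypt need not be involved: the server trusts only the CA file you hand it.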