Blog | G5 Cyber Security

Client Certificate Restrictions

TL;DR

Yes, you can restrict which client certificates a server will accept by checking that their issuer is a CA the server trusts, typically one from the server’s own certificate chain. The check happens during the TLS handshake (mutual TLS) and provides an extra layer of security.

How to Restrict Client Certificates

  1. Understand the Concept: The core idea is that you verify the client certificate’s issuing Certificate Authority (CA) matches a trusted CA associated with your server’s certificate. This prevents rogue certificates from being used.
    • Your server has a certificate issued by a specific CA (e.g., Let’s Encrypt, DigiCert).
    • You only want to accept client certificates that are ultimately signed by CAs you trust – often the same one or a parent CA.
  2. Configure Your Web Server: The exact configuration depends on your web server (Apache, Nginx, IIS). Here’s how it works for common servers:
    • Apache: Use the SSLCACertificateFile directive (the file of CAs trusted to issue client certificates) together with SSLVerifyClient require in your virtual host configuration. You’ll need to create a file containing the trusted CA certificates.
      
      <VirtualHost *:443>
          ServerName example.com
          ...
          SSLEngine on
          SSLCertificateFile /path/to/your/server.crt
          SSLCertificateKeyFile /path/to/your/server.key
          # Server-side chain (intermediates); on Apache 2.4.8+ append them to SSLCertificateFile instead
          SSLCertificateChainFile /path/to/trusted_ca_chain.pem
          # CAs allowed to issue client certificates; any other issuer is rejected during the handshake
          SSLCACertificateFile /path/to/client_ca_chain.pem
          SSLVerifyClient require
          SSLVerifyDepth 2
      </VirtualHost>
      
    • Nginx: Use the ssl_client_certificate directive (the trusted client CAs) together with ssl_verify_client on in your server block configuration; without ssl_verify_client no client certificate is requested or checked.
      
      server {
          listen 443 ssl;
          server_name example.com;
          ...
          ssl_certificate /path/to/your/server.crt;
          ssl_certificate_key /path/to/your/server.key;
          # additional trusted CAs that are not advertised to clients (also used for OCSP stapling)
          ssl_trusted_certificate /path/to/trusted_ca_chain.pem;
          # CAs allowed to issue client certificates; ssl_verify_client enforces the check
          ssl_client_certificate /path/to/client_ca_chain.pem;
          ssl_verify_client on;
          ssl_verify_depth 2;
      }
    • IIS: Use the Certificate Mapping feature in IIS Manager to specify which CAs are trusted for client authentication.
      • Open IIS Manager.
      • Select your server.
      • Double-click ‘Server Certificates’.
      • Add a certificate mapping, specifying the trusted root CA certificates.
  3. Create the Trusted CA Chain File: This file contains the PEM-encoded certificates of all CAs in the chain of trust leading up to your server’s root CA.
    • Download the root and intermediate CA certificates from your CA provider’s website.
    • Concatenate these certificates into a single file (trusted_ca_chain.pem). The order is important: Root CA first, then any intermediate CAs.
      cat root_ca.pem intermediate_ca1.pem intermediate_ca2.pem > trusted_ca_chain.pem
  4. Restart Your Web Server: After making changes to the configuration, restart your web server for the new settings to take effect.
    • Apache: sudo systemctl restart apache2
    • Nginx: sudo systemctl restart nginx
    • IIS: Restart IIS through the IIS Manager.
  5. Test Your Configuration: Use a client with a valid certificate (issued by one of your trusted CAs) and an invalid certificate to verify that only the valid certificate is accepted.
    • Tools like openssl s_client can be used for testing.
    • Check your server logs for errors related to client certificate validation failures.
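To exercise the chain file from step 3 the way step 5 describes without touching a live server, here is an added example (not from the original post) that builds a throw-away trusted CA and a rogue CA with openssl, issues a client certificate from each, and checks which one validates against trusted_ca_chain.pem. The CA names, file paths and subjects are constructed for the demo, and it assumes the openssl command-line tool is installed.

```shell
# Added example (not the original post's code): two throw-away CAs, one client cert
# from each, and a check of which one validates against trusted_ca_chain.pem, the
# file the server directive points at. All names, paths and subjects are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config so the CA certs carry CA:TRUE whatever the system's
# default openssl.cnf says (an empty [dn] section is fine when -subj is given).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF

# make_ca NAME: self-signed CA certificate and key
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA NAME SERIAL: client certificate signed by CA
issue_client() {
    openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -set_serial "$3" -days 1 -out "$WORK/$2.pem" 2>/dev/null
}

# check NAME: 0 if NAME's certificate chains to the trusted CA file, 1 otherwise
check() {
    if openssl verify -CAfile "$WORK/trusted_ca_chain.pem" "$WORK/$1.pem" >/dev/null 2>&1; then
        echo "$1: accepted"; return 0
    fi
    echo "$1: rejected"; return 1
}

# run_demo: 0 only if the trusted client is accepted AND the rogue client is rejected
run_demo() {
    make_ca trusted_ca; make_ca rogue_ca
    cp "$WORK/trusted_ca.pem" "$WORK/trusted_ca_chain.pem"   # the server's CA file
    issue_client trusted_ca good_client 1
    issue_client rogue_ca bad_client 2
    check good_client || return 1
    if check bad_client; then return 1; fi
    return 0
}
run_demo
```

The same rejection is what the server logs from step 5 should show once a certificate from an issuer outside the CA file is presented during the handshake.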

Important Considerations
