
mTLS Client Authorisation by Distinguished Name

TL;DR

This guide shows you how to authorise clients using mutual TLS (mTLS) based on the distinguished name (DN) in their certificates. The TLS handshake authenticates the client (its certificate must chain to a CA the server trusts); the DN check then decides which of those authenticated clients may access the site. We’ll use OpenSSL and an Apache virtual host for demonstration, but the principles apply to most certificate authorities and web servers.

Prerequisites

  • OpenSSL installed
  • A basic understanding of TLS/SSL
  • Access to your server’s configuration files (e.g., Apache, Nginx)

Step 1: Generate Client Certificates

First, you need client certificates with unique distinguished names, issued by a CA that the server will be configured to trust. If you already have these, skip this step.

Creating a Certificate Authority (CA)

openssl genrsa -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Creating Client Certificates

Enter a unique Common Name (CN) for each client when prompted; the subject you type here is the DN the server will later match, so keep a note of exactly what you entered.

openssl genrsa -out client1.key 2048
openssl req -new -key client1.key -out client1.csr
openssl x509 -req -in client1.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client1.crt -days 365 -sha256

Repeat the above steps for each client, changing ‘client1’ to a unique name (e.g., client2, client3).

Step 2: Configure Your Server

The configuration depends on your web server. Here’s an example using Apache.

Apache Configuration

Edit your virtual host file (e.g., /etc/apache2/sites-available/your_site.conf). Add the following directives within a <VirtualHost> block:

<VirtualHost *:443>
  SSLEngine on
  # The server's own certificate and private key (not the CA certificate)
  SSLCertificateFile    /path/to/server.crt
  SSLCertificateKeyFile /path/to/server.key
  # CA whose client certificates are accepted
  SSLCACertificateFile  /path/to/ca.crt
  SSLVerifyClient require
  SSLVerifyDepth 1
  # Authorise by subject DN. mod_ssl exposes the DN to expressions in
  # RFC 2253 form (CN first), e.g. CN=client1,O=Example Ltd.
  # Require is only valid inside a <Location> or <Directory> block.
  <Location />
    Require expr "%{SSL_CLIENT_S_DN} == 'CN=client1,O=Example Ltd'"
  </Location>
</VirtualHost>

Important: Replace /path/to/server.crt and /path/to/server.key with your server’s own certificate and key, and /path/to/ca.crt with the CA certificate from Step 1. The DN string in Require expr must match what mod_ssl computes character for character; print it with openssl x509 -in client1.crt -noout -subject -nameopt RFC2253. To match a single attribute instead of the whole DN, use %{SSL_CLIENT_S_DN_CN}, %{SSL_CLIENT_S_DN_O} and so on, but remember that a CN alone is only as unique as your CA makes it. The deprecated SSLRequire directive can express the same test; Require expr is the supported form in Apache 2.4.

SSLVerifyClient require rejects any handshake that does not present a certificate chaining to SSLCACertificateFile, so the CA check authenticates the client before the DN is ever looked at. SSLVerifyDepth 1 means the client certificate must be signed directly by a CA in that file; raise it only if you issue client certificates through intermediate CAs.

Step 3: Testing Client Authorisation

Using curl

curl --cacert ca.crt --cert client1.crt --key client1.key https://your_domain.com

The --cacert option is only needed when the server certificate was issued by your private CA; drop it for a publicly trusted server certificate. If the configuration is correct, you should receive a successful response (e.g., your website’s content). Then confirm the check actually bites: the same request with a certificate your CA issued but whose DN is not in Require expr must return 403 Forbidden, and a request with no --cert at all must fail during the handshake (curl reports a TLS error rather than an HTTP response). If not, check your server logs for errors.

Multiple Clients

For multiple clients, list the DNs in the expression with the in operator, e.g. Require expr "%{SSL_CLIENT_S_DN} in { 'CN=client1,O=Example Ltd', 'CN=client2,O=Example Ltd' }", or put one Require expr line per client inside a <RequireAny> block. When the list is long or changes often, keep it out of the configuration: SSLOptions +FakeBasicAuth makes mod_ssl treat the client DN as a Basic-auth username with the fixed password "password" (crypt hash xxj31ZMTZzkVA), so an ordinary AuthUserFile of DN:xxj31ZMTZzkVA entries becomes the allow-list; or pass the DN to the application with SSLOptions +StdEnvVars (variable SSL_CLIENT_S_DN) and look it up in a database there.
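The whole procedure, from CA to authorisation decision, as a script. This is an added example and not the post’s own commands: it builds a throwaway CA, issues client1, client2 and an unlisted client3, then issues a certificate with the same subject from an unrelated CA, and applies from the shell the two checks Apache performs (chain validation first, DN allow-list second) so you can see why the chain check must come first. The O= value, the CA names, the allow-list and the scratch directory are constructed for the example; it needs OpenSSL 1.1.1 or later and the stock openssl.cnf on PATH.

```shell
#!/bin/sh
# Added example, not the post's own commands. Builds a throwaway CA, issues
# client certificates with fixed subjects, and reproduces the server-side
# decision: (1) chain to OUR CA, (2) subject DN on the allow-list.
# Assumptions: OpenSSL 1.1.1+ with its stock config; all names are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"      # scratch directory (constructed)
cd "$WORK"

# Self-signed CA. The stock openssl.cnf v3_ca section adds
# basicConstraints CA:true, which `openssl verify` needs to accept an issuer.
make_ca() {                        # $1 = file prefix, $2 = CA common name
    openssl genrsa -out "$1.key" 2048 2>/dev/null
    openssl req -new -x509 -days 365 -key "$1.key" -out "$1.crt" \
        -subj "/O=Example Ltd/CN=$2" 2>/dev/null
}

# Client certificate: $1 = issuing CA prefix, $2 = file prefix, $3 = subject CN
issue_client() {
    openssl genrsa -out "$2.key" 2048 2>/dev/null
    openssl req -new -key "$2.key" -out "$2.csr" \
        -subj "/O=Example Ltd/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -out "$2.crt" -days 365 -sha256 2>/dev/null
}

# Subject DN in RFC 2253 form, the format mod_ssl exposes as SSL_CLIENT_S_DN
dn_of() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Constructed allow-list of whole DNs, one per line. Matching the full DN
# rather than the CN alone means a colliding CN under another O is rejected.
ALLOWED_DNS='CN=client1,O=Example Ltd
CN=client2,O=Example Ltd'

dn_allowed() {                     # exact whole-line, fixed-string match
    printf '%s\n' "$ALLOWED_DNS" | grep -qxF -- "$1"
}

# The server's decision, in this order. Skipping the chain check would let the
# rogue certificate below through, because its DN is identical to client1's.
authorise() {
    openssl verify -CAfile ca.crt "$1" >/dev/null 2>&1 || return 1
    dn_allowed "$(dn_of "$1")"
}

make_ca ca "Example Client CA"
issue_client ca client1 client1
issue_client ca client2 client2
issue_client ca client3 client3    # valid certificate, but not on the list

make_ca rogue-ca "Rogue CA"        # unrelated CA issuing a look-alike subject
issue_client rogue-ca rogue client1

for c in client1 client2 client3 rogue; do
    if authorise "$c.crt"; then verdict=allow; else verdict=deny; fi
    printf '%-8s %-28s %s\n' "$c" "$(dn_of "$c.crt")" "$verdict"
done
```

The loop prints allow for client1 and client2 and deny for client3 (not listed) and rogue (same DN, wrong issuer). The DN string dn_of prints is the exact value to paste into Require expr; if the two differ by so much as an attribute order, Apache will return 403.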

Step 4: Troubleshooting

  • Certificate Errors: Ensure your CA certificate is correctly configured and trusted by the server, and that the client certificate chains to it within SSLVerifyDepth: openssl verify -CAfile ca.crt client1.crt must print OK.
  • 403 Forbidden: The handshake succeeded but the DN did not match. Compare the value in Require expr with the output of openssl x509 -in client1.crt -noout -subject -nameopt RFC2253; a missing attribute or a different attribute order is enough to fail the comparison.
  • Connection Refused: Check firewall rules and ensure the server is listening on port 443.
  • Server Logs: Examine Apache’s error logs (usually in /var/log/apache2/error.log) for detailed information about authentication failures; LogLevel ssl:debug logs each certificate in the chain as it is verified, including its subject and issuer.