Blog | G5 Cyber Security

One-Way SSL Authentication

TL;DR

This guide explains how to authenticate a client to a server with an X.509 client certificate: the client proves its identity by presenting a certificate issued by a CA the server trusts. A note on terminology: in standard TLS usage "one-way" authentication means only the server presents a certificate (ordinary HTTPS); a server that also verifies a client certificate, as configured below, is doing mutual (two-way) TLS. The client should still verify the server certificate as usual; skipping that check (for example with curl -k) lets anyone who can intercept the connection impersonate the server and read the client's requests. Client certificates are useful when you control the PKI and want machines or users to prove who they are with a credential that is not a shared password.

Steps

  1. Generate a Certificate Signing Request (CSR) for the Client:
    • Use OpenSSL or a similar tool on the client machine, so the private key is created where it will be used and never has to be copied anywhere.
    • This creates a private key (client.key) and a CSR (client.csr). -nodes leaves the key unencrypted on disk, so restrict its file permissions to the account that will use it.
    openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr
  2. Sign the CSR with your Certificate Authority (CA):
    • Submit only client.csr to your CA, never the private key. For client authentication this is normally an internal CA you manage and dedicate to issuing client certificates.
    • The CA issues a client certificate (e.g., client.crt), ideally with the extended key usage restricted to clientAuth so the certificate cannot be repurposed as a server certificate.
  3. Configure the Server:
    • Most web servers (Apache, Nginx, etc.) support TLS configuration.
    • Tell the server which CA certificate(s) to trust for client authentication. This trust store should contain only the CA that issues your client certificates: any certificate from any CA in this file will be accepted, whatever subject name it carries, so pointing it at a general-purpose CA bundle admits anyone holding a certificate from any of those CAs.
    • Add the CA certificate that signed the client certificate to that store (ca.crt in the examples below; if client certificates are issued by an intermediate CA, include the intermediate as well or raise the verify depth). The exact method varies by server software.
  4. Enable Client Certificate Authentication on the Server:
    • Configure the server to require or merely request a client certificate. ‘Require’ (Apache SSLVerifyClient require, Nginx ssl_verify_client on) rejects the handshake when no valid certificate is presented; ‘optional’ (SSLVerifyClient optional, ssl_verify_client optional) completes the handshake either way and leaves the decision to the application, which must then check the verification result itself (SSL_CLIENT_VERIFY in Apache, $ssl_client_verify in Nginx). Avoid optional_no_ca outside of debugging: it accepts certificates that fail chain validation.
    • For Apache, edit the virtual host configuration:
    <VirtualHost *:443>
      SSLEngine on
      SSLCertificateFile server.crt
      SSLCertificateKeyFile server.key
      # CA(s) trusted to issue client certificates
      SSLCACertificateFile ca.crt
      SSLVerifyClient require
    </VirtualHost>
    • For Nginx, the trust file is set with ssl_client_certificate, not ssl_trusted_certificate: the latter does not advertise the CA names to the client (so many clients will not send a certificate at all), and Nginx rejects a configuration that has ssl_verify_client on without ssl_client_certificate ("no ssl_client_certificate for ssl_verify_client"):
    server {
        listen 443 ssl;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        # CA(s) trusted to issue client certificates
        ssl_client_certificate ca.crt;
        ssl_verify_client on;
        # 1 = client certificate signed directly by ca.crt; raise it if an intermediate CA is in the chain
        ssl_verify_depth 1;
    }
  7. Configure the Client:
    • The client application needs to be configured to use its private key (client.key) and certificate (client.crt). If the certificate was issued by an intermediate CA, the client should send the intermediate certificate as well, unless the server's trust store already contains it.
    • How this is done depends on the application. Many applications have specific settings for TLS client certificates.
    • For example, in curl, which verifies the server certificate by default (for an internally issued server certificate, pass its CA with --cacert rather than disabling verification with -k):
    curl --cert client.crt --key client.key https://yourserver.com
  8. Test the Connection:
    • Attempt to connect to your server from the client machine with the certificate, then again without it: the first should succeed and the second should be rejected during the handshake (with SSLVerifyClient require / ssl_verify_client on). If the second connection also succeeds, client verification is not actually being enforced.
    • If configured correctly, the server verifies the client's certificate chain against the trusted CA before completing the handshake, and only then does the application see the client's identity (the certificate subject, e.g. SSL_CLIENT_S_DN in Apache or $ssl_client_s_dn in Nginx).
    • Check server logs for errors related to certificate validation, such as an unknown issuer, an expired certificate, or a chain longer than the configured verify depth.
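Putting steps 1 to 3 together in one runnable script, added here as an illustration and not taken from the original post: it creates a throwaway internal CA, has the client generate its own key and CSR, signs the CSR with a clientAuth-only profile, and then applies the same check the server's trust file drives (openssl verify against ca.crt) to three cases: the certificate our CA issued, a certificate with the identical subject issued by an unrelated CA, and that second certificate again once the unrelated CA has been appended to the trust file. The CA names, the client CN build-agent-01, the file prefixes and the temporary working directory are assumptions for illustration; the script needs only the openssl command-line tool (1.1.1 or 3.x).

```shell
#!/bin/sh
# Added example, not code from the original post. Names, CNs and the working
# directory are assumptions for illustration; requires the openssl CLI.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Minimal openssl config so the example does not depend on /etc/ssl/openssl.cnf.
# $1 = output file, $2 = subject CN.
write_req_config() {
    cat > "$1" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
prompt             = no
[ dn ]
CN = $2
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# Self-signed CA. $1 = file prefix, $2 = CA name. Produces $1.key and $1.crt.
make_ca() {
    write_req_config "$WORKDIR/$1.cnf" "$2"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 \
        -config "$WORKDIR/$1.cnf" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" 2>/dev/null
}

# Step 1: the client generates its own key and CSR; the private key stays put.
# $1 = file prefix, $2 = client identity (CN). Produces $1.key and $1.csr.
make_client_csr() {
    write_req_config "$WORKDIR/$1.cnf" "$2"
    openssl req -new -newkey rsa:2048 -nodes \
        -config "$WORKDIR/$1.cnf" \
        -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.csr" 2>/dev/null
}

# Step 2: the CA signs the CSR, constraining the result to client authentication
# (EKU clientAuth, CA:FALSE). $1 = CA prefix, $2 = client prefix. Produces $2.crt.
sign_client_csr() {
    openssl x509 -req -days 90 -in "$WORKDIR/$2.csr" \
        -CA "$WORKDIR/$1.crt" -CAkey "$WORKDIR/$1.key" -CAcreateserial \
        -extfile "$WORKDIR/$2.cnf" -extensions client_cert \
        -out "$WORKDIR/$2.crt" 2>/dev/null
}

# Step 3, as the server applies it at the handshake: does the presented certificate
# chain to a CA in the trust file (what SSLCACertificateFile / ssl_client_certificate
# point at), and is it usable as a TLS client certificate? Returns 0 if accepted.
# $1 = trust file, $2 = presented certificate.
server_would_accept() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Subject of a certificate: the identity the application sees after the handshake.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Build the PKI: our CA issues one client certificate; an unrelated CA issues a
# second one with exactly the same subject name.
make_ca         ca     "Example Internal CA"
make_client_csr client "build-agent-01"
sign_client_csr ca     client

make_ca         rogue_ca     "Unrelated CA"
make_client_csr rogue_client "build-agent-01"
sign_client_csr rogue_ca     rogue_client

CA_FILE="$WORKDIR/ca.crt"
GOOD_CERT="$WORKDIR/client.crt"
ROGUE_CERT="$WORKDIR/rogue_client.crt"

# A trust file that is too broad: both CAs concatenated, as happens when a server
# is pointed at a bundle instead of the one CA dedicated to client certificates.
BROAD_TRUST="$WORKDIR/too_broad_bundle.crt"
cat "$CA_FILE" "$WORKDIR/rogue_ca.crt" > "$BROAD_TRUST"

for c in "$GOOD_CERT" "$ROGUE_CERT"; do
    if server_would_accept "$CA_FILE" "$c"; then v=accepted; else v=rejected; fi
    printf 'trust=ca.crt  %s (%s): %s\n' "$(basename "$c")" "$(cert_cn "$c")" "$v"
done
if server_would_accept "$BROAD_TRUST" "$ROGUE_CERT"; then v=accepted; else v=rejected; fi
printf 'trust=bundle  rogue_client.crt: %s\n' "$v"
```

The last case is the one to take away: the server's decision is about the issuer, not about the subject name, so whatever is in SSLCACertificateFile or ssl_client_certificate defines who can mint accepted identities. Keep that file down to the CA dedicated to client certificates, and have the application read the verified subject (SSL_CLIENT_S_DN in Apache, $ssl_client_s_dn in Nginx) rather than any name the client supplies at a higher layer.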

Important Considerations
