How to Configure NGINX Server for mTLS Client Authentication.

Author: Ganesh Velrajan

Last Updated: Wed, Oct 18, 2023

In this article, we’ll discuss how to configure and set up an NGINX server and its client to use SSL/TLS X.509 server and client certificates for Mutual TLS (mTLS) authentication.

We’ll also show you how to turn on both server certificate identity verification and client certificate identity verification in the NGINX configuration, so that you can enforce Zero Trust security over all HTTP connection requests originating from end users.

You can use the same procedure to create SSL/TLS X.509 server and client certificates and set up Mutual TLS authentication for any web server, web proxy or load balancer (NGINX, Apache, HAProxy, Apache Tomcat), workloads (Docker, Kubernetes pods, service mesh), web apps, etc.

Mutual TLS (mTLS), also known as two-way SSL authentication, is a security mechanism that requires both the client and server to authenticate each other using TLS certificates. This provides an additional layer of security to your applications and services, as it prevents unauthorized clients from accessing them.

To configure mTLS authentication for your NGINX server, you will need to generate a TLS certificate and private key for the server, as well as the trusted CA certificate used to validate client certificates. You can use a variety of tools to generate these certificates, such as BastionXP, OpenSSL or Let’s Encrypt.

We will use BastionXP CA to issue TLS X.509 server and client certificates to the NGINX server and its client, respectively. BastionXP is a web based PKI/CA that issues certificates over HTTPS requests.

BastionXP CA is very simple and easy to set up. BastionXP is an open-source, open-standards-based CA that is free to download.

Prerequisites:

You’ll need the following artifacts for this tutorial:

  • NGINX server
  • Curl utility
  • BastionXP CA

NGINX Server Download and Install:

Let’s assume you already have an NGINX server installed and running on a host with the domain name nginx.example.com.

If not, visit NGINX Official Website to download and install the server.

Next, let’s create SSL certificates and configure the server and client to use them and operate in SSL mode.

Create SSL TLS X.509 Certificates for the NGINX server

Before you can turn on the SSL mode or Mutual TLS authentication for your NGINX server, you need to create self-signed SSL/TLS X.509 certificates for the NGINX server and its client. For this, please refer to the following tutorial:

BastionXP is a free, open-source SSL/TLS X.509 certificate management software to automatically generate, renew and manage SSL X.509 certificates for various applications (web servers, load balancers, web clients, databases, web apps, workloads, devices) in your organization.
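If you prefer to build the test PKI with OpenSSL instead of BastionXP, the following script (added here as an example; it is not part of this article or of BastionXP) creates a private CA, a server certificate for nginx.example.com and a client certificate, and checks that both chain to the CA exactly as NGINX and curl will. It assumes OpenSSL 1.1.1 or newer; the CA name, the client name "alice" and the output directory are constructed for the example.

```shell
#!/bin/sh
# Added example: throwaway CA plus server and client certificates for NGINX mTLS.
# Assumes openssl >= 1.1.1. nginx.example.com is the article's server name; the
# CA subject, client subject and file names below are constructed for this example.
set -eu

make_mtls_pki() {
    dir="$1"
    mkdir -p "$dir"
    # 1. Private CA. Only ca.crt is handed to NGINX (ssl_client_certificate) and
    #    to curl (--cacert); ca.key never leaves the CA host.
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key + CSR, signed by the CA. The SAN must match the host name curl
    #    connects to, otherwise server identity verification fails.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=nginx.example.com" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:nginx.example.com\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
    # 3. Client key + CSR, signed by the same CA with the clientAuth EKU, which is
    #    what ssl_verify_client on expects to see.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -extfile "$dir/client.ext" \
        -out "$dir/client.crt" 2>/dev/null
}

# verify_chain CA_FILE CERT: exit 0 when CERT chains to CA_FILE. This is the same
# path validation NGINX performs on the client certificate and curl on the server's.
verify_chain() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

After `make_mtls_pki ./pki`, point ssl_certificate, ssl_certificate_key and ssl_client_certificate at pki/server.crt, pki/server.key and pki/ca.crt, and use pki/client.crt, pki/client.key and pki/ca.crt in place of the ~/.bsh files in the curl command later in this article.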

Once you have created the server and client SSL certificates and the keys, you can move on to the next section.

Configure SSL Certificate for NGINX Server

You can configure Nginx for mTLS authentication by adding the following directives to your Nginx configuration file:

...
ssl_certificate server.crt;
ssl_certificate_key server.key;
ssl_client_certificate ca.crt;
ssl_verify_client on;
ssl_protocols TLSv1.2;
...

The ssl_certificate and ssl_certificate_key directives specify the locations of the server’s certificate and private key, respectively. The ssl_client_certificate directive specifies the location of the trusted CA certificate for the client. The ssl_verify_client directive enables client certificate verification. The ssl_protocols directive restricts the TLS protocol version to be used for the secure communication.

The following is an example Nginx configuration file that enables mTLS authentication:

    server {
        listen 443 ssl;
        server_name nginx.example.com;

        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        ssl_client_certificate ca.crt;
        ssl_verify_client on;
        ssl_protocols TLSv1.2;

        location / {
            root /var/www/html;
        }
    }
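As a sanity check before restarting NGINX, the following shell function (added here as an example; not part of the article or of BastionXP) lints a configuration file for the five directives explained above, flagging a missing CA file, client verification that is off or merely optional, and legacy TLS versions. It assumes a self-contained nginx.conf fragment with no include directives, and handles both the indented and the one-line form of the server block.

```shell
#!/bin/sh
# Added example: lint an NGINX config for the mTLS directives discussed above.
# Assumption: the file is a plain nginx.conf fragment; includes are not expanded.
# Exit status 0 means every check passed; each finding is printed on its own line.
check_mtls_conf() {
    # Strip comments and put one directive per line (';' terminates a directive),
    # then let awk keep the last value seen for each directive of interest.
    sed 's/#.*$//' "$1" | tr ';' '\n' | awk '
        $1 == "ssl_certificate"        { cert = $2 }
        $1 == "ssl_certificate_key"    { key = $2 }
        $1 == "ssl_client_certificate" { ca = $2 }
        $1 == "ssl_verify_client"      { verify = $2 }
        $1 == "ssl_protocols"          { protos = " "; for (i = 2; i <= NF; i++) protos = protos $i " " }
        END {
            bad = 0
            if (cert == "") { print "missing ssl_certificate"; bad++ }
            if (key == "")  { print "missing ssl_certificate_key"; bad++ }
            if (ca == "")   { print "missing ssl_client_certificate: no CA to validate client certificates against"; bad++ }
            if (verify != "on") {
                shown = (verify == "") ? "off (nginx default)" : verify
                print "ssl_verify_client is " shown ", not on: clients are not required to authenticate"; bad++
            }
            if (protos == "") {
                print "ssl_protocols not set: allowed versions depend on the nginx default"; bad++
            } else if (index(protos, " TLSv1 ") || index(protos, " TLSv1.1 ")) {
                print "ssl_protocols permits legacy TLSv1/TLSv1.1:" protos; bad++
            }
            if (bad > 0) exit 1
            exit 0
        }'
}
```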

Restart NGINX service

Now, restart the nginx server service to pick up the configuration changes.

 $ sudo systemctl restart nginx
 $ sudo systemctl status nginx

Configure Curl to use SSL Certificate

We’ll use the curl CLI utility to test that the NGINX mTLS configuration works correctly. We’ll use the SSL client certificates generated using BastionXP CA in the previous step.

 $ curl --cert ~/.bsh/tls_client.crt --key ~/.bsh/tls_client.key --cacert ~/.bsh/tls_root_ca.crt https://nginx.example.com

You’ll get the following HTTP response, which is the home page HTML content of the NGINX web server:

    <!DOCTYPE html>
    <html>
    <head>
    <title>Welcome to nginx!</title>
    <style>
    html { color-scheme: light dark; }
    body { width: 35em; margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif; }
    </style>
    </head>
    <body>
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>

    <p>For online documentation and support please refer to
    <a href="http://nginx.org/">nginx.org</a>.<br/>
    Commercial support is available at
    <a href="http://nginx.com/">nginx.com</a>.</p>

    <p><em>Thank you for using nginx.</em></p>
    </body>
    </html>

If you fail to provide a client certificate and key, curl will throw an error message saying that a bad certificate was received.

 curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0

Congratulations! You have successfully configured NGINX server to use SSL server and client certificates for mTLS authentication.

Conclusion:

mTLS authentication is a powerful security mechanism that can help you to protect your applications and services from unauthorized access.

By configuring Nginx for Mutual TLS(mTLS) authentication, you can ensure that only authorized clients can access your applications and services.

In this article, you have learnt how to set up and use BastionXP PKI/CA to issue SSL/TLS X.509 CA, server and client certificates for mTLS authentication.

You also learnt how to securely connect to an NGINX server over an SSL connection by creating and installing an SSL server certificate and an SSL client certificate on the NGINX server and its client.

You can use the same procedure to create and configure SSL certificate based mTLS authentication for any web server or load balancer: Apache Tomcat, Apache Web Server, HAProxy, Traefik, etc.

If you have any questions about using BastionXP CA, please write to us at: [email protected]
