Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to read TLS certificate sent by a client on the server side?

I am trying to call a service with mutual TLS using the Curl command.

Curl command used:

curl -k -vvvv \   --request POST \   --header "Content-Type: application/json" \   --cert client.pem:password \   --key key.pem \   "https://test.com:8443/testing" 

I am trying to find out the following:

  1. What is the HTTP request header that I should be looking at the server-side to pull out the client certificate from the HTTP request?

  2. If I cannot pull out the client certificate on the server side from the HTTP request, can I add a custom request header in the HTTP request and send the client certificate as a value of that custom header? It would be great if someone could provide an example of this approach.

like image 963
sunsin1985 Avatar asked Jul 08 '15 23:07

sunsin1985


People also ask

How do you read a TLS certificate?

For most browsers, look to see if a site URL begins with “https,” which indicates it has an SSL certificate. Then click on the padlock icon in the address bar to view the certificate information.

How do I view an SSL certificate in Windows Server?

To view certificates for the current userSelect Run from the Start menu, and then enter certmgr. msc. The Certificate Manager tool for the current user appears. To view your certificates, under Certificates - Current User in the left pane, expand the directory for the type of certificate you want to view.

How does client verify server certificate in TLS?

SSL-enabled client software always requires server authentication, or cryptographic validation by a client of the server's identity. The server sends the client a certificate to authenticate itself. The client uses the certificate to authenticate the identity the certificate claims to represent.


2 Answers

This is how I did it:

curl -v \   --key ./admin-key.pem \   --cert ./admin.pem \   https://xxxx/api/v1/ 
like image 193
reachlin Avatar answered Oct 01 '22 07:10

reachlin


A client sends a TLS certificate when mutual TLS is used.

In the mutual TLS handshake, the TLS client certificates are not sent in HTTP headers. They are transmitted by the client as part of the TLS messages exchanged during the handshake, and the server validates the client certificate during the handshake. Broadly there are two parts to the mTLS handshake, the client validates and accepts the server certificate and the server validates and accepts the client certificate.

If the client certificate is accepted, most web servers can be configured to add headers for transmitting the certificate or information contained on the certificate to the application. Environment variables are populated with certificate information in Apache and Nginx which can be used in other directives for setting headers.

As an example of this approach, the following Nginx config snippet will validate a client certificate, and then set the SSL_CLIENT_CERT header to pass the entire certificate to the application. This will only be set when then certificate was successfully validated, so the application can then parse the certificate and rely on the information it bears.

server {     listen 443 ssl;     server_name example.com;     ssl_certificate /path/to/chainedcert.pem;  # server certificate     ssl_certificate_key /path/to/key;          # server key      ssl_client_certificate /path/to/ca.pem;    # client CA     ssl_verify_client on;     proxy_set_header SSL_CLIENT_CERT $ssl_client_cert;      location / {         proxy_pass http://localhost:3000;     } } 
like image 25
frasertweedale Avatar answered Oct 01 '22 06:10

frasertweedale