Security


NGINX - Client Certificate Authentication

January 11, 2026

Summary

This guide sets up Nginx with client certificate authentication on Amazon Linux 2023, requiring clients to present a valid certificate signed by your CA to access the web server. Key steps include installing Nginx with TLS configuration, uploading server and CA certificates, configuring ssl_verify_client on for authentication, and installing client certificates on Windows machines. Common troubleshooting involves temporarily disabling SELinux if it blocks HTTPS traffic.

1. Launch EC2 Instance (Example operations)

# Amazon Linux 2023, t3.micro, in your VPC
# Security Group: Allow 443 from your network

sh-5.2$ cd ~
sh-5.2$ pwd
/home/ssm-user
sh-5.2$ aws s3 cp s3://gcs-share/certs/certs_v06.zip .
download: s3://gcs-share/certs/certs_v06.zip to ./certs_v06.zip
sh-5.2$ ls
certs_v06.zip
sh-5.2$ pwd
/home/ssm-user
sh-5.2$ sudo dnf install -y unzip tree
sh-5.2$ unzip certs_v06.zip
Archive:  certs_v06.zip
   creating: certs/
  inflating: certs/ca-bundle.crt
  inflating: certs/ca.crt
  inflating: certs/client-006.crt
  inflating: certs/client-006.pfx
  inflating: certs/client.key
  inflating: certs/dual-006.crt
  inflating: certs/dual-006.pfx
  inflating: certs/dual.key
  inflating: certs/mid-ca.crt
  inflating: certs/server-006.crt
  inflating: certs/server-006.pfx
  inflating: certs/server.key
sh-5.2$ tree certs
certs
├── ca-bundle.crt
├── ca.crt
├── client-006.crt
├── client-006.pfx
├── client.key
├── dual-006.crt
├── dual-006.pfx
├── dual.key
├── mid-ca.crt
├── server-006.crt
├── server-006.pfx
└── server.key

0 directories, 12 files
sh-5.2$ ^C

2. Install and Configure Nginx

sudo dnf update -y
sudo dnf install -y nginx
sudo systemctl enable nginx

# Create SSL directory
sudo mkdir -p /etc/nginx/ssl
sudo chmod 700 /etc/nginx/ssl

3. Upload Your Certificates

# Copy these files to /etc/nginx/ssl/:
# - server-006.crt (your server certificate)
# - server.key (your server private key)
# - ca-bundle.crt (mid-ca.crt + ca.crt concatenated)
# Copy only what Nginx needs: the client keys and .pfx files in the zip do not belong on the web server
sudo cp certs/server-006.crt certs/server.key certs/ca-bundle.crt /etc/nginx/ssl/
sudo chmod 600 /etc/nginx/ssl/server.key
sudo chmod 644 /etc/nginx/ssl/ca-bundle.crt
sudo chmod 644 /etc/nginx/ssl/server-006.crt
sudo ls -l /etc/nginx/ssl/

4. Configure Nginx (/etc/nginx/nginx.conf)

events {
    worker_connections 1024;
}

http {
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    server {
        listen 443 ssl;
        server_name d11-lnx-web01.gcs.cloud;  # <-- SET THE FQDN OF THE SERVER

        # Server certificates
        ssl_certificate /etc/nginx/ssl/server-006.crt;
        ssl_certificate_key /etc/nginx/ssl/server.key;

        # Client certificate authentication
        ssl_client_certificate /etc/nginx/ssl/ca-bundle.crt;
        ssl_verify_client on;

        # SSL settings
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers off;

        location / {
            root /usr/share/nginx/html;
            index index.html;

            # Add client cert info to response
            add_header X-Client-Cert-Subject $ssl_client_s_dn;
            add_header X-Client-Cert-Issuer $ssl_client_i_dn;
        }
    }
}

6. Create Sample HTML Page (Optional)

sudo tee /usr/share/nginx/html/index.html > /dev/null << 'EOF'
<!DOCTYPE html>
<html>
<head>
    <title>Client Certificate Authentication Test</title>
</head>
<body>
    <h1>Welcome! Client Certificate Authentication Successful</h1>
    <p>Your client certificate was verified successfully.</p>
    <p>This page requires a valid client certificate to access.</p>
</body>
</html>
EOF

7. Start Nginx

sudo nginx -t
sudo systemctl start nginx
sudo systemctl status nginx

9. Client Setup (Windows machines)

  • Install  in “Current User\Personal\Certificates”

GitHub - SSH Settings (ed25519)

January 10, 2026

This workflow ensures:

  • Secure key (with passphrase)
  • Convenient usage (Keychain remembers passphrase)
  • SSH-only workflow → no HTTPS credentials required

1) Check for existing keys (optional)

ls -la ~/.ssh
  • Look for id_ed25519 / id_ed25519.pub
  • If you already have a key you want to use, skip key generation

2) Generate a new ed25519 key

ed25519 refers to the Ed25519 elliptic-curve algorithm, which is the modern, faster, and more secure replacement for older RSA SSH keys. Replace the email with your GitHub email:

AWS Credentials for CLI (Profile)

December 23, 2025

🚀 Quick Start Guide

  • Create a named profile using aws configure --profile [name]
  • Never set a default profile permanently
  • This avoids accidental operations on the wrong AWS account
  • Activate profiles temporarily per session using $env:AWS_PROFILE
  • Or activate per command using --profile
  • Always clear the active profile when done to prevent unintended AWS operations

1. Create the profile (once only)

In PowerShell:

aws configure --profile nob

This creates:

  • ~\.aws\credentials
  • ~\.aws\config

2. Use the profile temporarily in PowerShell

Option A — Set environment variable only for the current session

AWS STS - Temporary Access Tokens

June 15, 2025

1. Generate Temporary Credentials

First, use the AWS STS (Security Token Service) to generate temporary credentials:

# 3600 x 5 = 18000 (5 hours)
aws sts get-session-token --duration-seconds 18000

This will return something like:

{
    "Credentials": {
        "AccessKeyId": "ASIA...",
        "SecretAccessKey": "...",
        "SessionToken": "...",
        "Expiration": "2025-06-13T..."
    }
}

2. Set Environment Variables

Then set these environment variables:

# Replace the values with your actual credentials from the previous step.
export AWS_ACCESS_KEY_ID="your_access_key"
export AWS_SECRET_ACCESS_KEY="your_secret_key"
export AWS_SESSION_TOKEN="your_session_token"
export AWS_DEFAULT_REGION="ap-southeast-2"  # Sydney region

3. Verify the environment variables

env | grep AWS

After setting these variables, try running your Python script again. The credentials will be automatically picked up by the AWS SDK.

AWS Credentials for CLI

June 15, 2025

1. Using AWS CLI Configuration

aws configure

This will prompt you to enter:

  • AWS Access Key ID
  • AWS Secret Access Key
  • Default region name
  • Default output format

2. Environment Variables

export AWS_ACCESS_KEY_ID="your_access_key"
export AWS_SECRET_ACCESS_KEY="your_secret_key"
export AWS_DEFAULT_REGION="your_region"

3. Credentials File

Create or edit ~/.aws/credentials:

[default]
aws_access_key_id = your_access_key
aws_secret_access_key = your_secret_key

4. Clear AWS CLI Configuration (OPTIONAL)

To clear your AWS CLI credentials, you have several options:

  • Delete the credentials file: rm ~/.aws/credentials
  • Delete the config file: rm ~/.aws/config
  • Clear specific profile: aws configure --profile your_profile_name and press Enter without entering values

# Remove both credentials and config files
rm ~/.aws/credentials ~/.aws/config

After clearing the credentials, you can reconfigure them using any of the methods described above.

OpenSSL - Verify Certificate

April 24, 2025

Verify the certificate

openssl x509 -in server/certs/client.crt -text -noout
openssl x509 -in server/certs/server.crt -text -noout

Verify the certificate chain

# First, concatenate the CA certificates (the leaf's issuer first, then the root)
cat mid-ca.crt ca.crt > ca-bundle.crt

# Then verify using the chain file
openssl verify -CAfile ca-bundle.crt server/certs/client.crt
openssl verify -CAfile ca-bundle.crt server/certs/server.crt

See also:

OpenSSL - Initial Setup

OpenSSL (1) - Root CA

OpenSSL (2) - Intermediate CA

OpenSSL (3) - Server Certificate

OpenSSL (4) - Client Certificate

April 24, 2025

Create a Client Certificate

1. Generate a client key file

openssl genrsa -out server/private/client.key 2048

2. Generate a client Certificate Signing Request (CSR)

openssl req -config mid-ca/mid-ca.conf -key server/private/client.key -new -sha256 -out server/csr/client.csr

e.g., CN=GCS-Client-Certificate-v0x

3. Sign the client CSR using the client_cert extension

openssl ca -config mid-ca/mid-ca.conf -extensions client_cert -days 3650 -notext -in server/csr/client.csr -out server/client-certs/client.crt

4. Generate client PFX (if needed)

openssl pkcs12 -inkey server/private/client.key -in server/client-certs/client.crt -export -out server/client-certs/client.pfx -passout pass:

See also:

Download from CloudShell

OpenSSL - Initial Setup

March 10, 2025

OpenSSL Initial Setup

1. Create a folder structure

mkdir -p certs/{ca,mid-ca,server}/{private,certs,newcerts,crl,csr}

2. Change the permissions

chmod -v 700 certs/{ca,mid-ca,server}/private

3. Create index files

touch certs/{ca,mid-ca}/index

4. Set a serial number

openssl rand -hex 16 > certs/ca/serial
openssl rand -hex 16 > certs/mid-ca/serial

5. Copy and place the configuration files

ca.conf - mid-ca.conf


See also:

OpenSSL - Initial Setup

OpenSSL (1) - Root CA

OpenSSL (2) - Intermediate CA

OpenSSL (3) - Server Certificate

OpenSSL (3) - Server Certificate

February 9, 2025

Create a Server Certificate

1. Generate a key file (this can be a one-off operation)

openssl genrsa -out server/private/server.key 2048

2. Generate a Certificate Signing Request (CSR)

openssl req -config mid-ca/mid-ca.conf -key server/private/server.key -new -sha256 -out server/csr/server.csr

e.g., CN=GCS-Server-Certificate-v0x

3. Sign the request (CSR) with the Sub-CA

openssl ca -config mid-ca/mid-ca.conf -extensions server_cert -days 3650 -notext -in server/csr/server.csr -out server/certs/server.crt

4. Generate PFX with NO password

openssl pkcs12 -inkey server/private/server.key -in server/certs/server.crt -export -out server/certs/server.pfx -passout pass:

5. Result

OpenSSL (2) - Intermediate CA

February 9, 2025

Create an “Intermediate CA” certificate

1. Generate a key file for “Intermediate CA”

openssl genrsa -aes256 -out mid-ca/private/mid-ca.key 4096

2. Change the permission of mid-ca.key

chmod 400 mid-ca/private/mid-ca.key

3. Generate a Certificate Signing Request (CSR)

openssl req -config ca/ca.conf -new -key mid-ca/private/mid-ca.key -sha256 -out mid-ca/csr/mid-ca.csr

4. Sign the request file with the Root CA

openssl ca -config ca/ca.conf -extensions v3_mid_ca -days 3650 -notext -in mid-ca/csr/mid-ca.csr -out mid-ca/certs/mid-ca.crt

5. Change the permission of mid-ca.crt

chmod 444 mid-ca/certs/mid-ca.crt

6. Check the backup copy created in the newcerts directory

OpenSSL (1) - Root CA

February 9, 2025

Create a “Root CA” certificate

1. Generate a key file for “Root CA”

openssl genrsa -aes256 -out ca/private/ca.key 4096

2. Change the permission of ca.key

chmod 400 ca/private/ca.key

3. Check the content of ca.key

openssl rsa -noout -text -in ca/private/ca.key

4. Generate a certificate file for “Root CA”

openssl req -config ca/ca.conf -key ca/private/ca.key -new -x509 -days 3650 -sha256 -extensions v3_ca -out ca/certs/ca.crt

5. Change the permission of ca.crt

chmod 444 ca/certs/ca.crt 

6. Check the contents of ca.crt

openssl x509 -noout -text -in ca/certs/ca.crt

See also:

OpenSSL - Initial Setup