In cases where an application makes use of microservices that are exposed to the public Internet, it is wise to secure access to those microservices.
Using SSL Client Certificates is a great way to restrict access to only authenticated clients. See this excellent post for a discussion and nginx setup information:
https://www.curry-software.com/en/blog/authenticate_and_encrypt_microservice_communication/
This repo provides scripts to initialise a simple certificate authority, with root and intermediate certificates; and another to sign a supplied key. Each script has a short configuration section at the top, that you will want to change to suit your needs.
The scripts make use of OpenSSL and have been tested on Ubuntu 176.04 only. They were developed using the commands described here:
https://jamielinux.com/docs/openssl-certificate-authority/
This repo will NOT implement any kind of best practices for public CAs, and you should only use it at your own risk.
First, set up your CA by executing build.sh. Follow the prompts and after a successful run, you will have a directory named ca with root and intermediate keys and certificates.
You may override the following variables to customise your CA:
ORGANISATION_DOMAIN: The domain name of your organisation, e.g. example.com
OUTPUT_DIR: The directory in which the ca output directory will be created
COUNTRY_CODE: The two-letter country code in which your organisation resides, e.g. US
STATE_NAME: The name of the state in which your organisation resides, e.g. WA
LOCALITY_NAME: The name of the city in which your organisation resides, e.g. Perth
EMAIL_ADDRESS: The email address that should be used to contact you with questions about your CA
ROOT_KEY_PASSWORD: You can set this instead of entering the passphrase every time your root key is used
INTERMEDIATE_KEY_PASSWORD: You can set this instead of entering the passphrase every time your intermediate key is used
ROOT_PKI_NAME: This will form part of the common name of the root certificate.
INTERMEDIATE_PKI_NAME: Defaulted in the script as INTERMEDIATE_PKI_NAME=${INTERMEDIATE_PKI_NAME:-$PKI_NAME}
You can use the ca-config.sh script to provide an easy way to populate the required values - simply run source ca-config.sh in the shell you are using to run the other scripts.
Generate a key:
openssl genrsa -aes256 -out client.key.pem 2048

You might want to remove the passphrase from this key, or alternatively you can supply the passphrase via the CLIENT_KEY_PASSWORD environment variable. This command will remove the passphrase from your key:

openssl rsa -in ./client.key.pem -out ./client-nopass.key.pem

Generate the certificate by executing generate_client_cert.sh. Pass your key filename as parameter.
You may override the following variables to customise your certificate:
ORGANISATION_DOMAIN: The domain name of your organisation, e.g. example.com
ORGANISATION_UNIT: The (optional) name of your organisation unit, e.g. Database
OUTPUT_DIR: The directory in which the ca output directory will be created
COUNTRY_CODE: The two-letter country code in which your organisation resides, e.g. US
STATE_NAME: The name of the state in which your organisation resides, e.g. WA
LOCALITY_NAME: The name of the city in which your organisation resides, e.g. Perth
EMAIL_ADDRESS: The email address that should be used to contact you with questions about your certificate
COMMON_NAME: Allows you to customise the common name of the certificate
CLIENT_KEY_PASSWORD: You can set this instead of entering the passphrase every time your key is used
INTERMEDIATE_KEY_PASSWORD: You can set this instead of entering the passphrase every time your intermediate key is used
CERTIFICATE_TYPE: You can set this to client_cert or server_cert subject to your needs - defaults to client_cert
The generated certificate can be found in the ca/intermediate/newcerts/ directory.
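As an added example that is not part of this repo, the following script checks a certificate issued by generate_client_cert.sh before it is deployed: that it chains to the CA, that its extended key usage matches the CERTIFICATE_TYPE it was issued with (OpenSSL-based servers such as nginx verify peer certificates for the sslclient purpose, so a server_cert chains fine but is rejected at the TLS handshake), and optionally that a CRL does not list it. It assumes the ca/ directory layout from the jamielinux guide under OUTPUT_DIR (defaulting to the current directory); the function and variable names are the example's own.

```shell
#!/bin/sh
# Added example (not the repo's own code): sanity-check a certificate
# issued by generate_client_cert.sh before handing it to a client.
# Assumes OUTPUT_DIR/ca/ uses the jamielinux layout (assumption).

CA_DIR="${OUTPUT_DIR:-.}/ca"
DEFAULT_CHAIN="$CA_DIR/intermediate/certs/ca-chain.cert.pem"

# Map the CERTIFICATE_TYPE value used by generate_client_cert.sh to the
# purpose that openssl verify should check. A server_cert (EKU serverAuth)
# chains correctly but fails an nginx ssl_verify_client handshake.
purpose_for_type() {
    case "$1" in
        client_cert) echo sslclient ;;
        server_cert) echo sslserver ;;
        *) echo "unknown CERTIFICATE_TYPE: $1" >&2; return 1 ;;
    esac
}

# verify_cert <cert.pem> <sslclient|sslserver> [chain.pem] [crl.pem]
# Succeeds only when openssl prints "<cert>: OK"; the exit status alone is
# not relied on because some older OpenSSL releases exited 0 on failure.
verify_cert() {
    cert="$1"; purpose="$2"
    chain="${3:-$DEFAULT_CHAIN}"
    crl="${4:-}"
    if [ -n "$crl" ]; then
        # -crl_check rejects a certificate whose serial is listed in the CRL
        out=$(openssl verify -purpose "$purpose" -CAfile "$chain" \
                  -crl_check -CRLfile "$crl" "$cert" 2>&1)
    else
        out=$(openssl verify -purpose "$purpose" -CAfile "$chain" "$cert" 2>&1)
    fi
    case "$out" in
        *": OK"*) return 0 ;;
        *) printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Usage: verify_cert.sh <cert.pem> [client_cert|server_cert] [crl.pem]
if [ "$#" -ge 1 ]; then
    purpose=$(purpose_for_type "${2:-client_cert}") || exit 1
    if verify_cert "$1" "$purpose" "" "${3:-}"; then
        echo "$1: valid as $purpose"
    else
        echo "$1: NOT valid as $purpose" >&2
        exit 1
    fi
fi
```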
Revoke a certificate by executing generate_client_cert.sh. Pass your key filename as parameter.
You may override the following variables to customise your certificate:
OUTPUT_DIR: The directory in which the ca output directory will be created
INTERMEDIATE_KEY_PASSWORD: You can set this instead of entering the passphrase every time your intermediate key is used