0

I have set up a webserver with several self-hosted apps for my personal use. In order to make sure that I am the only person who can connect to my server, I have generated client authentication certificates on my server and transferred them to my local computer. There, I installed the .pfx certificate I downloaded into Firefox and Chrome. On the server side, I configured nginx with ssl_verify_client on;.

For the purely browser-based webapps, this is working great. However some of my apps have desktop clients, and they do not have a means of adding certificates.

Is there some way to install a client authentication certificate system-wide in Linux?

I was thinking maybe it would be possible to somehow insert the client certificate into https requests outgoing from my PC to my server's IP. Might that work, and how would I do that?

6
  • You can't alter HTTPS (more generally SSL/TLS) outside the endpoints -- that's the whole point of a secure protocol -- except with a (visible) interceptor which acts like the server to the (real) client and like the client to the (real) server; IF an app uses the system truststore you can add your own CA/root cert for the interceptor to that system truststore, otherwise this probably doesn't work. For Java apps IF they use the default SSLSocketFactory, or middleware like URLConnection which does so, you can give it the javax.net.ssl.keyStore* sysprops to do client auth per the doc. Commented Jan 28, 2021 at 3:17
  • 1
    Is it possible to set up some sort of virtual proxy type thing on my local machine which decrypts, adds the required header to everything before re-encrypting and passing to the ultimate destination?
    – Stonecraft
    Commented Jan 28, 2021 at 3:23
  • Yes, there are proxies that can accept an incoming http or https connection, and make their own https connection with a client certificate to your server. This is also called a "man-in-the-middle attack", so using this to make something more secure is a somewhat interesting idea. Depending on what the apps do in detail (you didn't tell us), it might work, or not.
    – dirkt
    Commented Jan 28, 2021 at 6:56
  • @dirkt the desktop apps sync to a host via http. Unfortunately some of the desktop apps do not have a way to include client certificates. I was thinking that a proxy could be used to add the client certificate into the headers of all http requests.
    – Stonecraft
    Commented Jan 28, 2021 at 7:14
  • Yes, I understood what you want to do. And that will work in the sense of "now the desktop apps can connect to the server". It may not necessarily work in the sense of "now everything is more secure", because https is really built to ensure end-to-end validation, and you are breaking this principle by using a proxy. And "the desktop apps sync to a host" is too vague to say anything. You'd have to look closely at what they are doing. Which cannot be done in a Q&A.
    – dirkt
    Commented Jan 28, 2021 at 7:25
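The local proxy the comments describe can be built with nginx itself, so the server keeps its ssl_verify_client on; configuration from the question and only the desktop apps are repointed. The following configuration is an added example, not code from the question or the comments; the hostname apps.example.com, the port 8080 and the file paths under /etc/nginx/client/ are assumptions. The client certificate is not put "into the headers" of the requests: it is presented during the TLS handshake that the proxy performs towards the server, which is the only place TLS client authentication can happen.

```nginx
# Added example: a loopback-only reverse proxy that accepts plain HTTP from
# desktop apps and opens its own TLS connection to the real server, presenting
# the client certificate. Hostname, port and paths are assumptions.
server {
    # Bind to loopback only. Every process that can reach this port is
    # effectively holding the client certificate, so it must never be
    # exposed on a LAN interface.
    listen 127.0.0.1:8080;

    location / {
        proxy_pass https://apps.example.com;

        # Client certificate and private key presented to the server, in PEM
        # form. The .pfx from the question can be split with:
        #   openssl pkcs12 -in client.pfx -clcerts -nokeys -out client.crt
        #   openssl pkcs12 -in client.pfx -nocerts -nodes  -out client.key
        proxy_ssl_certificate     /etc/nginx/client/client.crt;
        proxy_ssl_certificate_key /etc/nginx/client/client.key;

        # Keep verifying the server: the proxy is now the TLS endpoint on
        # behalf of the apps, so it must do the validation the apps no
        # longer can. Trust only the CA that issued the server certificate.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/client/server-ca.crt;
        proxy_ssl_server_name         on;
        proxy_ssl_name                apps.example.com;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Send the real virtual host name so the server's nginx routes the
        # request to the right app.
        proxy_set_header Host apps.example.com;
    }
}
```

The desktop apps are then configured to sync with http://127.0.0.1:8080 instead of the server's address. The hop between the app and the proxy is plaintext on the loopback interface, and any local process, not just the intended app, can use the proxy and therefore the certificate; that is the trade-off the last comment points at. Keep client.key readable only by the nginx worker user, and check the server-side access log after switching an app over: requests arriving without a client certificate are rejected by ssl_verify_client on; with a 400, which is the quickest way to confirm that the proxy, and nothing else, is reaching the apps.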
