ingress-nginx-helm/docs/examples/auth/client-certs/README.md

# Client Certificate Authentication

It is possible to enable Client-Certificate Authentication by adding additional annotations to your Ingress Resource.
Before getting started you must have the following Certificates Setup:

1. CA certificate and Key(Intermediate Certs need to be in CA)
2. Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)
3. Client Certificate(Signed by CA) and Key

For more details on the generation process, checkout the Prerequisite [docs](../../PREREQUISITES.md#client-certificate-authentication).

You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:

```bash
openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem
```

Then, you can concatenate them all in only one file, named 'ca.crt' as the following:

```bash
cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt
```

**Note:** Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5
for each certificate generated. Otherwise you will receive an error.

## Creating Certificate Secrets

There are many different ways of configuring your secrets to enable Client-Certificate
Authentication to work properly.

1. You can create a secret containing just the CA certificate and another
    Secret containing the Server Certificate which is Signed by the CA.

    ```bash
    kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt
    kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key
    ```

2. You can create a secret containing CA certificate along with the Server
    Certificate, that can be used for both TLS and Client Auth.

    ```bash
    kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt
    ```

Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.

## Setup Instructions

1. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your own ingress resources as required.
2. Test by performing a curl against the Ingress Path without the Client Cert and expect a Status Code 400.
3. Test by performing a curl against the Ingress Path with the Client Cert and expect a Status Code 200.
Updates and extends client cert documentation (#2105) Updates and extends the documentation about enabling client certificate authentication. 2018-02-16 15:17:29 +00:00			`# Client Certificate Authentication`

Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			`It is possible to enable Client-Certificate Authentication by adding additional annotations to your Ingress Resource.`
			`Before getting started you must have the following Certificates Setup:`

			`1. CA certificate and Key(Intermediate Certs need to be in CA)`
Delete some extra words 2018-10-29 06:48:56 +00:00			`2. Server Certificate(Signed by CA) and Key (CN should be equal the hostname you will use)`
Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			`3. Client Certificate(Signed by CA) and Key`

Fix CA certificate example docs 2019-04-08 12:35:34 +00:00			`For more details on the generation process, checkout the Prerequisite [docs](../../PREREQUISITES.md#client-certificate-authentication).`
Update Certificate Generation Docs to not use MD5 Updates the TLS and CA certificate sections to use algorithms better than md5. Using md5 as a digest causes nginx to fail to load because it is not accepted by open ssl. Closes #3571 2018-12-18 03:51:56 +00:00
			`You can have as many certificates as you want. If they're in the binary DER format, you can convert them as the following:`
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00
Update Certificate Generation Docs to not use MD5 Updates the TLS and CA certificate sections to use algorithms better than md5. Using md5 as a digest causes nginx to fail to load because it is not accepted by open ssl. Closes #3571 2018-12-18 03:51:56 +00:00			```bash
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00			`openssl x509 -in certificate.der -inform der -out certificate.crt -outform pem`
Update Certificate Generation Docs to not use MD5 Updates the TLS and CA certificate sections to use algorithms better than md5. Using md5 as a digest causes nginx to fail to load because it is not accepted by open ssl. Closes #3571 2018-12-18 03:51:56 +00:00			```
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00
Update Certificate Generation Docs to not use MD5 Updates the TLS and CA certificate sections to use algorithms better than md5. Using md5 as a digest causes nginx to fail to load because it is not accepted by open ssl. Closes #3571 2018-12-18 03:51:56 +00:00			`Then, you can concatenate them all in only one file, named 'ca.crt' as the following:`
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00
Update Certificate Generation Docs to not use MD5 Updates the TLS and CA certificate sections to use algorithms better than md5. Using md5 as a digest causes nginx to fail to load because it is not accepted by open ssl. Closes #3571 2018-12-18 03:51:56 +00:00			```bash
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00			`cat certificate1.crt certificate2.crt certificate3.crt >> ca.crt`
Update Certificate Generation Docs to not use MD5 Updates the TLS and CA certificate sections to use algorithms better than md5. Using md5 as a digest causes nginx to fail to load because it is not accepted by open ssl. Closes #3571 2018-12-18 03:51:56 +00:00			```

			`Note: Make sure that the Key Size is greater than 1024 and Hashing Algorithm(Digest) is something better than md5`
			`for each certificate generated. Otherwise you will receive an error.`

Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			`## Creating Certificate Secrets`

			`There are many different ways of configuring your secrets to enable Client-Certificate`
			`Authentication to work properly.`

			`1. You can create a secret containing just the CA certificate and another`
			`Secret containing the Server Certificate which is Signed by the CA.`
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00
Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			```bash
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00			`kubectl create secret generic ca-secret --from-file=ca.crt=ca.crt`
			`kubectl create secret generic tls-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key`
Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			```

			`2. You can create a secret containing CA certificate along with the Server`
			`Certificate, that can be used for both TLS and Client Auth.`
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00
Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			```bash
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00			`kubectl create secret generic ca-secret --from-file=tls.crt=server.crt --from-file=tls.key=server.key --from-file=ca.crt=ca.crt`
Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			```
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00
Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			`Note: The CA Certificate must contain the trusted certificate authority chain to verify client certificates.`
Fix CA certificate example docs 2019-04-08 12:35:34 +00:00
Add some extra detail to the client cert auth example Multiple people within my work organisation were caught out by the fact that the trusted client cert issuers must be given in a file named `ca.crt` and that other filenames will fail to work. This change makes it more clear to those who stumble across the documentation that this is a potential gotcha. 2018-10-09 21:10:56 +00:00			`## Setup Instructions`
Updates and extends client cert documentation (#2105) Updates and extends the documentation about enabling client certificate authentication. 2018-02-16 15:17:29 +00:00
Add Better Documentation for using AuthTLS (#3275) Enhances the documentation for enabling and using Mutual Authentication. 2018-10-22 19:15:28 +00:00			`1. Add the annotations as provided in the [ingress.yaml](ingress.yaml) example to your own ingress resources as required.`
			`2. Test by performing a curl against the Ingress Path without the Client Cert and expect a Status Code 400.`
			`3. Test by performing a curl against the Ingress Path with the Client Cert and expect a Status Code 200.`