Client Certificate Authentication in PFSense with HAProxy - Introduction

View all posts in the "Client Certificate Authentication in PFSense With HAProxy" series
  1. Client Certificate Authentication in PFSense with HAProxy - Introduction
  2. Client Certificate Authentication in PFSense with HAProxy - Certificates
  3. Client Certificate Authentication in PFSense with HAProxy - HAProxy

What is client certificate authentication?

Client certificate authentication means that a client device presents a certificate when it connects to a site over SSL/TLS. In this example, HAProxy verifies the client’s identity based on that certificate: when a client presents one, HAProxy checks whether it was signed by a trusted CA and, if it was not, can deny the request.
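As a sketch of that check in plain HAProxy terms, here is a hand-written `haproxy.cfg` fragment. It is an added example, not taken from this series and not the configuration pfSense generates. The frontend/backend names, file paths and the backend address are placeholders.

```haproxy
# Added illustration. All names, paths and addresses below are placeholders.
frontend fe_https
    mode http

    # ca-file   : the CA that signs client certificates (the "trusted CA")
    # crl-file  : revocation list issued by that CA
    # verify optional : the handshake completes even when the client sends no
    #   certificate, so the decision is made by the ACLs below. Without the
    #   deny rule, "verify optional" on its own enforces nothing.
    # verify required (alternative) : clients without a valid certificate are
    #   rejected during the TLS handshake and never reach the HTTP rules.
    bind :443 ssl crt /path/to/server.pem ca-file /path/to/client-ca.pem crl-file /path/to/client-ca.crl verify optional

    # ssl_c_used   : true when the TLS session uses a client certificate
    # ssl_c_verify : verification result for that certificate, 0 = no error
    acl cert_presented ssl_c_used
    acl cert_valid     ssl_c_verify 0

    # Deny (HTTP 403) unless a certificate was presented AND it verified
    # against ca-file and crl-file.
    http-request deny unless cert_presented cert_valid

    default_backend be_app

backend be_app
    mode http
    # The protected web application that has no authentication of its own.
    server app1 192.0.2.10:8080
```

Running `haproxy -c -f <file>` checks a configuration like this for syntax errors before it is loaded.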

Why would I want to use this?

  • If you have a service or web application that you’d like to be accessible from the internet, but can’t secure it natively (for example, the webapp doesn’t have any form of authentication capability). You may not wish to implement PHP and nginx to add 2FA and a login page.
  • If you want to carry out authentication in a way that is invisible (mostly) to the end user.
  • If you think certificate-based authentication is better than username/password authentication.

How do I implement this?

Warning
This guide assumes you have already set up SSL termination/offloading in a PFSense HAProxy frontend configuration.

Good question. There are several steps and moving parts to get this working. The areas in PFSense we’re going to be configuring are:

  • System > Certificates
    • Authorities
    • Certificates
    • Revocation
  • Services > HAProxy > Frontend
    • Access Control lists
    • Actions
    • SSL Offloading - client certificates

Let's start by setting up our Certificate Authority and generating some certificates!



That's all for this entry! Feel free to read the Previous/Next blog post in the series below:
