undefined | Better HN

0 pointsKronisLV1y ago0 comments

I've done that in the past, even for securing the admin pages of some software (there was once an issue where the admin page auth could be bypassed, this essentially adds another layer). With TLS it's okay for getting something up and running quickly.

Of course, for the things that matter a bit more, you can also run your own CA and do mTLS, even without any of the other fancy cloud services.

0 comments

jazzyjackson1y ago

After coming across a brief tutorial of mTLS in this tool for locking down access to my family photo sharing [0] I have bounced around the internet following various guides but haven't ended up with a pfx file that I can install in a browser. Can you recommend any resource to understand which keys sign what, and what a client certificate is verified against?

The guides I find often contain the openssl incantations with little explanation so I feel a bit like stumbling through the dark. I realize how much I've taken stacktraces for granted when this auth stuff is very "do or do not, there is no error"

[0] https://github.com/alangrainger/immich-public-proxy/blob/mai...

KronisLVOP1y ago

Honestly, the most approachable way will be to use something like Keystore Explorer: https://keystore-explorer.org/

Alternatively, this guide focuses on Apache2 configuration but also goes through the certs https://www.openlogic.com/blog/mutual-authentication-using-a... (it’s a little dated though)

Here’s also something a bit more recent for Nginx https://darshit.dev/posts/two-way-ssl-nginx/

j / k navigate · click thread line to collapse