
Mutual authentication

Mutual authentication or two-way authentication (sometimes written as 2WAY authentication) refers to two parties authenticating each other at the same time. In technology terms, it refers to a client or user authenticating themselves to a server and that server authenticating itself to the user in such a way that both parties are assured of the other's identity. When describing online authentication processes, mutual authentication is often referred to as website-to-user authentication, or site-to-user authentication. Typically, this is done for a client process and a server process without user interaction.

Mutual TLS authentication

(Mutual SSL; mTLS)

Gen scripts

redis#TLS Setting 항목 참조.

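#!/usr/bin/env bash
# Generates a private CA, CA-signed server and client certificates for
# mutual TLS, and a DH parameters file under ./cert next to this script.
# Every artefact is created only when it does not already exist, so the
# script can be re-run safely.
#
# Requirements: openssl on PATH. `opm-println-error` is an external helper
# (not defined in this file) used only to report a missing openssl.

# Abort on unhandled errors and unset variables so that a failed step (e.g.
# CA key generation) is never silently followed by signing against a
# missing file.
set -euo pipefail

# Directory containing this script. The `|| exit 1` sits outside the command
# substitution on purpose: an `exit` inside `$(...)` only leaves the subshell
# and would have left ROOT_DIR empty, turning CERT_DIR into "/cert".
ROOT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd) || exit 1

if ! command -v openssl &> /dev/null; then
    opm-println-error "Not found openssl command"
    exit 1
fi

readonly DAYS=365      # validity period (days) of CA and leaf certificates
readonly KEYSIZE=4096  # RSA modulus size in bits for CA, server and client keys
readonly DHSIZE=2048   # size in bits of the generated DH group
readonly CERT_DIR="$ROOT_DIR/cert"

readonly CA_PRIVATE_FILE="$CERT_DIR/ca.key"
readonly CA_CERTIFICATE_FILE="$CERT_DIR/ca.crt"
readonly OPENSSL_CNF_FILE="$CERT_DIR/openssl.cnf"

readonly SERVER_PRIVATE_FILE="$CERT_DIR/server.key"
readonly SERVER_REQUEST_FILE="$CERT_DIR/server.csr"
readonly SERVER_CERTIFICATE_FILE="$CERT_DIR/server.crt"
readonly SERVER_SERIAL_FILE="$CERT_DIR/server.srl"

readonly CLIENT_PRIVATE_FILE="$CERT_DIR/client.key"
readonly CLIENT_REQUEST_FILE="$CERT_DIR/client.csr"
readonly CLIENT_CERTIFICATE_FILE="$CERT_DIR/client.crt"
readonly CLIENT_SERIAL_FILE="$CERT_DIR/client.srl"

readonly DH_FILE="$CERT_DIR/params.dh"

# Names of the x509v3 extension sections selected with `-extensions` below.
readonly EXTENSION_SERVER_CERT=server_cert
readonly EXTENSION_CLIENT_CERT=client_cert

# Extension file content passed to `openssl x509 -extfile` when signing.
# basicConstraints=CA:FALSE prevents a leaf certificate from being used to
# issue further certificates; extendedKeyUsage pins each certificate to its
# TLS role (some TLS stacks refuse certificates without it). nsCertType is a
# legacy Netscape extension kept from the original configuration.
readonly OPENSSL_CNF="
[ $EXTENSION_SERVER_CERT ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server

[ $EXTENSION_CLIENT_CERT ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
nsCertType = client
"

if [[ ! -d "$CERT_DIR" ]]; then
    mkdir -vp "$CERT_DIR"
fi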

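#######################################
# Create the CA private key and self-signed CA certificate when missing.
# Globals:   CA_PRIVATE_FILE, CA_CERTIFICATE_FILE, KEYSIZE, DAYS (read)
# Outputs:   progress lines on stdout; openssl diagnostics on stderr
# Returns:   0 on success; non-zero when openssl fails (the certificate step
#            is skipped if key generation failed)
#######################################
function generate_ca_cert
{
    if [[ ! -f "$CA_PRIVATE_FILE" ]]; then
        echo "Generate CA RSA Private key file: $CA_PRIVATE_FILE"
        openssl genrsa -out "$CA_PRIVATE_FILE" "$KEYSIZE" || return 1
        # Keep the CA private key owner-only regardless of umask or openssl version.
        chmod 600 "$CA_PRIVATE_FILE" || return 1
    fi

    if [[ ! -f "$CA_CERTIFICATE_FILE" ]]; then
        # The message used to name $CA_PRIVATE_FILE; the file written here is the certificate.
        echo "Generate CA Certificate file: $CA_CERTIFICATE_FILE"
        # NOTE(review): CA extensions (basicConstraints=CA:TRUE) come from the
        # platform's default openssl.cnf / `req -x509` defaults — confirm on the target.
        openssl req -x509 -new -nodes -sha256 \
            -key "$CA_PRIVATE_FILE" \
            -days "$DAYS" \
            -subj '/O=Redis/CN=CertificateAuthority' \
            -out "$CA_CERTIFICATE_FILE" || return 1
    fi
}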

#######################################
# Write the x509v3 extension file used when signing leaf certificates.
# Globals:   OPENSSL_CNF_FILE (read), OPENSSL_CNF (read)
# Outputs:   one progress line on stdout when the file is created
# Returns:   0 when the file already exists, else the status of the write
#######################################
function generate_openssl_cnf
{
    # Nothing to do when the extension file is already present.
    [[ -f "$OPENSSL_CNF_FILE" ]] && return 0
    echo "Generate openssl ext file: $OPENSSL_CNF_FILE"
    printf '%s\n' "$OPENSSL_CNF" > "$OPENSSL_CNF_FILE"
}

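#######################################
# Create the server private key, CSR and CA-signed certificate when missing.
# Globals:   SERVER_PRIVATE_FILE, SERVER_REQUEST_FILE, SERVER_CERTIFICATE_FILE,
#            SERVER_SERIAL_FILE, CA_PRIVATE_FILE, CA_CERTIFICATE_FILE,
#            OPENSSL_CNF_FILE, EXTENSION_SERVER_CERT, KEYSIZE, DAYS (read)
# Outputs:   progress lines on stdout; openssl diagnostics on stderr
# Returns:   0 on success; non-zero at the first openssl failure, so a later
#            step never runs against a missing key or CSR
#######################################
function generate_server_cert
{
    if [[ ! -f "$SERVER_PRIVATE_FILE" ]]; then
        echo "Generate server RSA private key file: $SERVER_PRIVATE_FILE"
        openssl genrsa -out "$SERVER_PRIVATE_FILE" "$KEYSIZE" || return 1
        # Keep the private key owner-only regardless of umask or openssl version.
        chmod 600 "$SERVER_PRIVATE_FILE" || return 1
    fi

    if [[ ! -f "$SERVER_REQUEST_FILE" ]]; then
        echo "Generate server CSR file: $SERVER_REQUEST_FILE"
        openssl req -new -sha256 \
            -subj "/O=Redis/CN=Server" \
            -key "$SERVER_PRIVATE_FILE" \
            -out "$SERVER_REQUEST_FILE" || return 1
    fi

    if [[ ! -f "$SERVER_CERTIFICATE_FILE" ]]; then
        echo "Sign the server certificate file: $SERVER_CERTIFICATE_FILE"
        # NOTE(review): the server and client leaves each use their own serial
        # file under the same CA; a single shared serial file would guarantee
        # serial uniqueness across both — confirm whether that matters here.
        openssl x509 -req -sha256 \
            -CA "$CA_CERTIFICATE_FILE" \
            -CAkey "$CA_PRIVATE_FILE" \
            -CAserial "$SERVER_SERIAL_FILE" \
            -CAcreateserial \
            -extfile "$OPENSSL_CNF_FILE" \
            -extensions "$EXTENSION_SERVER_CERT" \
            -days "$DAYS" \
            -in "$SERVER_REQUEST_FILE" \
            -out "$SERVER_CERTIFICATE_FILE" || return 1
    fi
}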

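#######################################
# Create the client private key, CSR and CA-signed certificate when missing.
# Globals:   CLIENT_PRIVATE_FILE, CLIENT_REQUEST_FILE, CLIENT_CERTIFICATE_FILE,
#            CLIENT_SERIAL_FILE, CA_PRIVATE_FILE, CA_CERTIFICATE_FILE,
#            OPENSSL_CNF_FILE, EXTENSION_CLIENT_CERT, KEYSIZE, DAYS (read)
# Outputs:   progress lines on stdout; openssl diagnostics on stderr
# Returns:   0 on success; non-zero at the first openssl failure, so a later
#            step never runs against a missing key or CSR
#######################################
function generate_client_cert
{
    if [[ ! -f "$CLIENT_PRIVATE_FILE" ]]; then
        echo "Generate client RSA private key file: $CLIENT_PRIVATE_FILE"
        openssl genrsa -out "$CLIENT_PRIVATE_FILE" "$KEYSIZE" || return 1
        # Keep the private key owner-only regardless of umask or openssl version.
        chmod 600 "$CLIENT_PRIVATE_FILE" || return 1
    fi

    if [[ ! -f "$CLIENT_REQUEST_FILE" ]]; then
        echo "Generate client CSR file: $CLIENT_REQUEST_FILE"
        openssl req -new -sha256 \
            -subj "/O=Redis/CN=Client" \
            -key "$CLIENT_PRIVATE_FILE" \
            -out "$CLIENT_REQUEST_FILE" || return 1
    fi

    if [[ ! -f "$CLIENT_CERTIFICATE_FILE" ]]; then
        echo "Sign the client certificate file: $CLIENT_CERTIFICATE_FILE"
        # NOTE(review): this leaf uses its own serial file under the same CA as
        # the server leaf; a single shared serial file would guarantee serial
        # uniqueness across both — confirm whether that matters here.
        openssl x509 -req -sha256 \
            -CA "$CA_CERTIFICATE_FILE" \
            -CAkey "$CA_PRIVATE_FILE" \
            -CAserial "$CLIENT_SERIAL_FILE" \
            -CAcreateserial \
            -extfile "$OPENSSL_CNF_FILE" \
            -extensions "$EXTENSION_CLIENT_CERT" \
            -days "$DAYS" \
            -in "$CLIENT_REQUEST_FILE" \
            -out "$CLIENT_CERTIFICATE_FILE" || return 1
    fi
}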

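#######################################
# Create the DH parameters file when missing.
# Globals:   DH_FILE, DHSIZE (read)
# Outputs:   one progress line on stdout; a diagnostic on stderr on failure
# Returns:   0 when the file exists or was generated; 1 when openssl failed
#######################################
function generate_dh_params
{
    if [[ ! -f "$DH_FILE" ]]; then
        echo "Generate DH params file: $DH_FILE"
        # `dhparam` writes its progress characters to stderr, hence the
        # redirect; the failure is reported explicitly so it is not lost
        # together with that noise.
        if ! openssl dhparam -out "$DH_FILE" "$DHSIZE" 2> /dev/null; then
            echo "Failed to generate DH params file: $DH_FILE" >&2
            return 1
        fi
    fi
}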

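# Run the steps in dependency order and stop at the first failure, so that a
# later step never signs against a missing or partially written CA, key or
# extension file.
generate_ca_cert || exit 1
generate_openssl_cnf || exit 1
generate_server_cert || exit 1
generate_client_cert || exit 1
generate_dh_params || exit 1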

See also

Favorite site

References


  1. An_Introduction_to_Mutual_SSL_Authentication_-_CodeProject.pdf