My Video

https://youtu.be/8DWcMbgQSZg or https://video.hardlimit.com/w/6oSkB4tL1KbuqoxgDistqR

Prerequisites

(shown in the video but not described here)

• have a Linux server
• forward ports 80 and 443 of your Linux Server on your Router
• install Docker
• install Nginx Proxy Manager as a container
• set up and enable your host in Nginx Proxy Manager
• install GnuTLS certtool ( apt install gnutls-bin )

Creating root CA certificate

$ mkdir certs/
$ cd certs/

Generate root CA key

$ openssl ecparam -genkey -name secp256r1 | openssl ec -out ca.key

Create root CA certificate using generated key, will be valid for 10 years. It does not matter what you type in as an input.

$ openssl req -new -x509 -days 3650 -key ca.key -out ca.pem

Creating client certificates and bundles

Variables

• client name - unique name for your client (ex. Smartphone)
• client serial - unique client ID number (ex. 01), increment it with each client creation
• challenge password - password used when importing the client certificate, can't be longer than 20 bytes

Generate client key

$ openssl ecparam -genkey -name secp256r1 | openssl ec -out <client name>.key

Create client Certificate Signing Request (CSR)

$ openssl req -new -key <client name>.key -o <client name>.csr

When asked:

• Keep common name the same as <client name>.
• Provide a <challenge password>.
• Leave the optional company name empty.

Generate client Certificate by signing client CSR with CA root. It will be valid for one year.

$ openssl x509 -req -days 365 -in <client name>.csr -CA ca.pem -CAkey ca.key -set_serial <client serial> -out <client name>.crt

Export p12 bundle

$ certtool --load-privkey <client name>.key --load-certificate <client name>.crt --load-ca-certificate ca.pem --to-p12 --outder --outfile <client name>.p12 --p12-name "<client name>" --hash SHA1 --pkcs-cipher 3dec-pkcs12 --password <challenge password>

Repeat that for each client you want to create incrementing <client serial> by one.

Changing Nginx Proxy Manager configuration

Variables

• ca path - path to mounted ca.pem file in your container.

Mount certs/ca.pem in your Nginx Proxy Manager container under <ca path>.

In the web interface navigate to your Proxied Host, click Edit, then Advanced.

In Custom Nginx Configuration add:

ssl_client_certificate <ca path>;
ssl_verify_client on;

Make sure you have Force SSL option enabled for your Host.

And save.

That's it :)

References and Resources

• https://en.wikipedia.org/wiki/Mutual_authentication

• https://duckdns.org

• https://nginxproxymanager.com/guide/#hosting-your-home-network

• NginxProxyManager/nginx-proxy-manager#768

• https://gist.github.com/mtigas/952344

• https://gist.github.com/alexishida/607cca2e51ec356b1fe1909047ec70fd

• https://stackoverflow.com/questions/71872900/installing-pcks12-certificate-in-android-wrong-password-bug/73512646#73512646

• https://serverfault.com/questions/720438/nginx-starts-with-regex

• https://www.vecteezy.com/free-png/handshake-icon

• https://upload.wikimedia.org/wikipedia/en/thumb/4/49/Home_Assistant_logo_%282023%29.svg/120px-Home_Assistant_logo_%282023%29.svg.png

• https://www.pngkit.com/view/u2w7q8i1e6r5a9u2_certificate-medal-collection-comments-certificate-icon-svg/

• https://github.com/PapirusDevelopmentTeam/papirus-icon-theme