Client Certificate Authentication and Certificate Pinning

Hello People!

At the end of last year I started to work with Ruby, and it has been an amazing journey/challenge that I'm really enjoying.

One of my most recent tasks was to create a secure architecture in which our applications could communicate through REST. Of course, the first thing we did was implement an OAuth strategy, but we wanted to add one more security layer to this communication, so we decided to implement Client Certificate Authentication + Certificate Pinning. It is working smoothly, and I was so proud of the result that I decided to turn it open source and write this article talking a little about those strategies and their implementation. So, let's go!

What is Client Certificate Authentication?

It is a way to ensure that your server will only accept requests from known clients. Basically, the server knows the client certificates (or just the CA that issued them) and allows the HTTPS connection only if the certificate the client presents matches a trusted certificate or was issued by the trusted CA.

In our scenario, we are telling our web server (in our case Nginx) to accept only requests sent with a certificate issued by the trusted CA:

# mTLS block
# CA certificate(s) that client certificates must chain to
ssl_client_certificate /etc/nginx/certificates/client_ca.crt;
# reject the TLS handshake if no valid client certificate is presented
ssl_verify_client on;

What is Certificate Pinning?

In our case, we are using Certificate Pinning to ensure that our client is receiving the HTTPS response from a known server. With that, we cover the security of both the HTTPS request and the response and avoid Man-in-the-Middle attacks (or at least make them much harder to carry out).

OK Julio, but what are we pinning?

In this implementation I'm using the certificate fingerprint and pinning only its base64 encoding. That is easier than loading the certificate file and converting it to DER format to compare; we don't actually need the server certificate's public key, just its fingerprint.
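As an added example (not the code from the article's open-source gem), here is a Ruby Net::HTTP client that does both things described above: it presents a client certificate to satisfy Nginx's ssl_verify_client, and it pins the base64 SHA-256 fingerprint of the server's leaf certificate inside the TLS verify callback. The host, port, ca_file and the self-signed certificate used as sample input are constructed assumptions so the example runs offline.

```ruby
require "openssl"
require "net/http"
# Base64 of the SHA-256 digest of the certificate's DER encoding: the value that gets
# pinned in client configuration. pack("m0") is strict base64 without line breaks.
def fingerprint_b64(cert)
  [OpenSSL::Digest::SHA256.digest(cert.to_der)].pack("m0")
end
# Constant-time comparison of the presented certificate against the pinned value.
# Returns false (never raises) on length mismatch or malformed base64.
def pin_matches?(cert, pinned_b64)
  expected = pinned_b64.unpack1("m0")
  actual = OpenSSL::Digest::SHA256.digest(cert.to_der)
  return false unless expected.bytesize == actual.bytesize
  expected.bytes.zip(actual.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
rescue ArgumentError
  false
end
# Net::HTTP client that (1) presents a client certificate, which is what Nginx's
# `ssl_verify_client on` checks, and (2) pins the server's leaf certificate.
# host/port/ca_file are assumptions; the chain is still verified against the CA store.
def pinned_client(host, port, pinned_b64, client_cert:, client_key:, ca_file: nil)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file
  http.cert = client_cert
  http.key = client_key
  http.verify_callback = lambda do |preverify_ok, store_ctx|
    return false unless preverify_ok                 # chain verification already failed
    return true unless store_ctx.error_depth.zero?   # only the leaf (depth 0) is pinned
    pin_matches?(store_ctx.current_cert, pinned_b64)
  end
  http
end
# Constructed sample input: a self-signed certificate standing in for the server's
# (and, in this demo, the client's) certificate so the example runs offline.
def build_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end
```

Because the callback returns true for every depth other than 0, intermediate or root CAs can rotate without breaking the pin; only the leaf the server actually presents must match.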
