Setting Up Client SSL Certificate Authentication for Rocket.Chat

    You may want to add an extra layer of security to your app by requiring users to present a client SSL certificate. After installing Rocket.Chat following our deploy with Docker & Docker Compose guide, here are the next steps to follow:

    Install Nginx

    sudo apt install -y nginx

    Install Certbot

    Install Certbot to manage SSL certificates from LetsEncrypt

    sudo snap install --classic certbot
    sudo certbot --nginx

    You’ll be asked to provide a valid email address and the domain to set up.

    Generate certificate authority (CA) certificates

    Generate a key for your CA:

    openssl genrsa -des3 -out ca.key 4096

    Generate a certificate for your CA:

    openssl req -new -x509 -days 365 -key ca.key -out ca.crt
    • You can omit the email.

    • Avoid using a common name for the certificate.

    • When you renew the certificate, you'll want the country, state, locality, and organization to match what you've input.

    To renew the CA certificate, run the same command again. To see which options you chose the first time, inspect the existing certificate:

    openssl x509 -in ca.crt -noout -text

    Move CA cert

    Move the CA cert to /etc/ssl/private/client-cert-ca.crt.

    Update Nginx config

    Inside the server block for your domain, add the CA cert, turn on client SSL authentication and add the location block. With ssl_verify_client set to optional, Nginx completes the TLS handshake even without a client certificate, and the check on $ssl_client_verify in the location block is what rejects unauthenticated requests with a 403:

    ssl_client_certificate /etc/ssl/private/client-cert-ca.crt;
    ssl_verify_client optional;
    location / {
        # Reject requests whose client certificate is missing or failed verification
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://localhost:3000;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Nginx-Proxy true;
        proxy_redirect off;
    }

    Issue client SSL certificates for users

    You can have your users perform most of these steps themselves if you want. Either way, the following steps create the certificate a user presents for client authentication.

    Generate key for user

    openssl genrsa -des3 -out user.key 4096

    Generate a CSR

    openssl req -new -key user.key -out user.csr

    Answer all of the questions, making sure to include your email address and Common Name (CN). The CSR must be sent to the administrator (or to you if you are handling this on behalf of the user).

    Sign CSR with CA

    As the admin, take the CSR given to you or generated by you and sign the CSR and create a valid certificate:

    openssl x509 -req -days 365 -in user.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out user.crt

    You’ll want to increment the serial number with each signing. Once the certificate expires, a new CSR doesn’t need to be generated; the same one can be signed again, which creates a new certificate tied to the same public key.

    Return certificate

    The signed certificate (user.crt) can now be sent back to the user along with the CA cert (ca.crt).

    To be able to use the certificate in browsers and on mobile, generate a PKCS #12 bundle from the user cert and key along with the CA cert:

    openssl pkcs12 -export -out user.pfx -inkey user.key -in user.crt -certfile ca.crt
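    The following script is an added example and is not part of the Rocket.Chat documentation. It runs the CA and client-certificate steps above end to end without prompts (the interactive -des3 passphrase prompts are answered with -passin/-passout), keeps a serial counter file so each signing gets the next serial number, and then performs the checks an administrator would want before handing a certificate back: that the certificate chains to the CA (the same check Nginx performs against ssl_client_certificate) and that the .pfx contains both the user certificate and the CA certificate. The scratch directory, the passphrases, the subject fields and the users alice and bob are all constructed for the example.

```shell
#!/bin/sh
# Added example (not from the Rocket.Chat docs): the CA / client-certificate
# procedure run unattended, plus the checks an admin would run on the result.
# Everything below is constructed for the example: scratch directory,
# passphrases, subject fields and the two example users.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY_BITS="${KEY_BITS:-4096}"                 # the page uses 4096-bit keys
CA_PASS="pass:example-ca-passphrase"         # constructed; use a strong one in practice
USER_PASS="pass:example-user-passphrase"     # constructed
# Per the page: no CN on the CA, and keep C/ST/L/O identical when renewing.
CA_SUBJ="/C=US/ST=Example/L=Example/O=Example Org"

# Step "Generate certificate authority (CA) certificates".
make_ca() {
    openssl genrsa -des3 -passout "$CA_PASS" -out "$WORKDIR/ca.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -x509 -days 365 -key "$WORKDIR/ca.key" -passin "$CA_PASS" \
        -subj "$CA_SUBJ" -out "$WORKDIR/ca.crt"
}

# Implements "increment the serial number with each signing": prints the next
# serial and persists it in a counter file so two users never share a serial.
next_serial() {
    f="$WORKDIR/serial.txt"
    n=0
    if [ -f "$f" ]; then n=$(cat "$f"); fi
    n=$((n + 1))
    echo "$n" > "$f"
    echo "$n"
}

# Steps "Generate key for user", "Generate a CSR", "Sign CSR with CA" and
# "Return certificate". $1 = username (used as CN), $2 = e-mail address.
issue_client_cert() {
    user="$1"; email="$2"
    openssl genrsa -des3 -passout "$USER_PASS" -out "$WORKDIR/$user.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -key "$WORKDIR/$user.key" -passin "$USER_PASS" \
        -subj "/C=US/ST=Example/L=Example/O=Example Org/CN=$user/emailAddress=$email" \
        -out "$WORKDIR/$user.csr"
    openssl x509 -req -days 365 -in "$WORKDIR/$user.csr" \
        -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "$CA_PASS" \
        -set_serial "$(next_serial)" -out "$WORKDIR/$user.crt" 2>/dev/null
    # PKCS #12 bundle for browsers and mobile: user cert + key + CA cert.
    openssl pkcs12 -export -out "$WORKDIR/$user.pfx" \
        -inkey "$WORKDIR/$user.key" -passin "$USER_PASS" \
        -in "$WORKDIR/$user.crt" -certfile "$WORKDIR/ca.crt" -passout "$USER_PASS"
}

# Serial number of a certificate as openssl prints it (hex, e.g. "01").
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# The check Nginx performs with ssl_client_certificate: does $2 chain to CA $1?
# Exit status 0 means the request would be proxied; non-zero means the 403 branch.
verify_client_cert() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Number of certificates inside a .pfx (expect 2: the user's and the CA's).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "$USER_PASS" -nokeys 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

demo() {
    make_ca
    issue_client_cert alice alice@example.com
    issue_client_cert bob bob@example.com
    for u in alice bob; do
        if verify_client_cert "$WORKDIR/ca.crt" "$WORKDIR/$u.crt"; then status=OK; else status=FAIL; fi
        echo "$u: serial=$(cert_serial "$WORKDIR/$u.crt") chain=$status pfx_certs=$(pfx_cert_count "$WORKDIR/$u.pfx")"
    done
    echo "artifacts written to $WORKDIR"
}

demo
```

    The serial counter file is the simplest way to honour the "increment the serial number" advice; OpenSSL's own -CAserial/-CAcreateserial options on openssl x509 do the same job with a file it manages for you. Once the CA cert is in place and Nginx has been reloaded, a request with the issued certificate (for example curl --cert alice.crt --key alice.key https://your-domain/) should be proxied to Rocket.Chat, while the same request without a certificate should receive the 403 from the location block.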
