~~NOTOC~~
====== Szenario 9.1: mTLS Client-Authentifizierung ======
**Kategorie:** [[.:start|Authentifizierung]] \\
**Komplexität:** ⭐⭐⭐⭐ (Hoch) \\
**Voraussetzungen:** Client- und Server-Zertifikate \\
**Geschätzte Zeit:** 20-30 Minuten
----
===== Beschreibung =====
Dieses Szenario beschreibt die **Mutual TLS (mTLS) Authentifizierung**, bei der sowohl Server als auch Client sich gegenseitig mit Zertifikaten authentifizieren.
**Vorteile gegenüber Passwort-Authentifizierung:**
* **Stärker** - Kryptographisch basiert
* **Automatisierbar** - Keine Benutzerinteraktion
* **Revozierbar** - Zentrale Widerrufsmöglichkeit
* **Zero-Trust** - Jeder Request authentifiziert
----
===== Workflow =====
sequenceDiagram
participant Client
participant Server
Client->>Server: ClientHello
Server->>Client: ServerHello + ServerCert
Server->>Client: CertificateRequest
Client->>Server: ClientCert + CertificateVerify
Server->>Server: Client-Zertifikat validieren
Server->>Client: Finished
Client->>Server: Finished
Note over Client,Server: mTLS-Verbindung etabliert
----
===== Code-Beispiel: mTLS Server (ASP.NET Core) =====
using Microsoft.AspNetCore.Authentication.Certificate;
using Microsoft.AspNetCore.Server.Kestrel.Https;
var builder = WebApplication.CreateBuilder(args);
// Kestrel für mTLS konfigurieren
builder.WebHost.ConfigureKestrel(options =>
{
options.ConfigureHttpsDefaults(https =>
{
// Server-Zertifikat laden
https.ServerCertificate = new X509Certificate2(
"server.pfx", "ServerPassword!");
// Client-Zertifikat anfordern
https.ClientCertificateMode = ClientCertificateMode.RequireCertificate;
// Client-Zertifikat validieren
https.ClientCertificateValidation = (cert, chain, errors) =>
{
// Custom Validation
if (errors != SslPolicyErrors.None)
{
Console.WriteLine($"SSL Policy Errors: {errors}");
return false;
}
// Eigene CA prüfen
var trustedRoots = new X509Certificate2Collection();
trustedRoots.Add(new X509Certificate2("root-ca.crt"));
var customChain = new X509Chain();
customChain.ChainPolicy.CustomTrustStore.AddRange(trustedRoots);
customChain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
customChain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
return customChain.Build(cert);
};
});
});
// Certificate Authentication hinzufügen
builder.Services.AddAuthentication(CertificateAuthenticationDefaults.AuthenticationScheme)
.AddCertificate(options =>
{
options.AllowedCertificateTypes = CertificateTypes.Chained;
options.RevocationMode = X509RevocationMode.Online;
options.Events = new CertificateAuthenticationEvents
{
OnCertificateValidated = context =>
{
// Claims aus Zertifikat extrahieren
var claims = new[]
{
new Claim(ClaimTypes.NameIdentifier, context.ClientCertificate.Subject),
new Claim(ClaimTypes.Name, context.ClientCertificate.GetNameInfo(X509NameType.SimpleName, false)),
new Claim("certificate_thumbprint", context.ClientCertificate.Thumbprint)
};
context.Principal = new ClaimsPrincipal(
new ClaimsIdentity(claims, context.Scheme.Name));
context.Success();
return Task.CompletedTask;
},
OnAuthenticationFailed = context =>
{
Console.WriteLine($"Auth failed: {context.Exception.Message}");
return Task.CompletedTask;
}
};
});
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/api/protected", [Authorize] (HttpContext ctx) =>
{
var subject = ctx.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
return Results.Ok(new { message = "Authenticated", subject });
});
app.Run();
----
===== Code-Beispiel: mTLS Client (HttpClient) =====
using WvdS.Security.Cryptography.X509Certificates.Extensions.PQ;
using var ctx = PqCryptoContext.Initialize();
// Client-Zertifikat und Schlüssel laden
var clientCert = ctx.LoadCertificateWithPrivateKey(
"client.crt.pem",
"client.key.pem",
"ClientPassword!"
);
// HttpClientHandler mit Client-Zertifikat
var handler = new HttpClientHandler
{
ClientCertificateOptions = ClientCertificateOption.Manual,
ServerCertificateCustomValidationCallback = (message, cert, chain, errors) =>
{
// Server-Zertifikat validieren
if (errors != SslPolicyErrors.None)
{
Console.WriteLine($"Server certificate error: {errors}");
// In Produktion: return false;
}
return true;
}
};
// Client-Zertifikat hinzufügen
handler.ClientCertificates.Add(clientCert);
using var httpClient = new HttpClient(handler);
// Request senden
var response = await httpClient.GetAsync("https://api.example.com/api/protected");
if (response.IsSuccessStatusCode)
{
var content = await response.Content.ReadAsStringAsync();
Console.WriteLine($"Response: {content}");
}
else
{
Console.WriteLine($"Error: {response.StatusCode}");
}
----
===== Zertifikats-basierte Autorisierung =====
public class CertificateAuthorizationHandler : AuthorizationHandler
{
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
CertificateRequirement requirement)
{
// Zertifikat aus Principal holen
var thumbprint = context.User.FindFirst("certificate_thumbprint")?.Value;
var subject = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
if (string.IsNullOrEmpty(thumbprint))
{
return Task.CompletedTask;
}
// Prüfen ob Zertifikat autorisiert ist
if (requirement.AllowedThumbprints.Contains(thumbprint) ||
requirement.AllowedSubjectPatterns.Any(p => Regex.IsMatch(subject, p)))
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
}
public class CertificateRequirement : IAuthorizationRequirement
{
public HashSet AllowedThumbprints { get; set; } = new();
public List AllowedSubjectPatterns { get; set; } = new();
}
// Registrierung
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("ServiceAccounts", policy =>
policy.Requirements.Add(new CertificateRequirement
{
AllowedSubjectPatterns = new List
{
@"^CN=.*\.svc\.cluster\.local$", // Kubernetes services
@"^CN=service-[a-z]+$" // Named services
}
}));
});
builder.Services.AddSingleton();
----
===== Nginx als mTLS Reverse Proxy =====
server {
listen 443 ssl;
server_name api.example.com;
# Server-Zertifikat
ssl_certificate /etc/nginx/ssl/server-chain.pem;
ssl_certificate_key /etc/nginx/ssl/server.key.pem;
# Client-Zertifikats-Authentifizierung
ssl_client_certificate /etc/nginx/ssl/ca-chain.pem;
ssl_verify_client on;
ssl_verify_depth 2;
# TLS 1.3
ssl_protocols TLSv1.3;
ssl_prefer_server_ciphers on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
location / {
# Client-Zertifikat-Info an Backend weitergeben
proxy_set_header X-Client-Cert $ssl_client_cert;
proxy_set_header X-Client-Verify $ssl_client_verify;
proxy_set_header X-Client-S-DN $ssl_client_s_dn;
proxy_pass http://backend:8080;
}
}
----
===== Branchenspezifische mTLS-Anforderungen =====
^ Branche ^ Zertifikatslaufzeit ^ Revocation ^ Besonderheit ^
| **Kubernetes** | 1 Jahr | CRL | SPIFFE/SPIRE |
| **Finanzsektor** | 90 Tage | OCSP | PCI-DSS compliant |
| **Healthcare** | 1 Jahr | CRL + OCSP | DiGAV-konform |
| **IoT/SCADA** | 5 Jahre | CRL | Offline-Fähigkeit |
----
===== Verwandte Szenarien =====
^ Beziehung ^ Szenario ^ Beschreibung ^
| **Voraussetzung** | [[de:int:pqcrypt:szenarien:zertifikate:client_cert|3.2 Client-Zertifikat]] | Client-Cert erstellen |
| **Verwandt** | [[.:smartcard_login|9.2 Smartcard Login]] | Hardware-Token |
| **Verwandt** | [[de:int:pqcrypt:szenarien:tls:mtls_deployment|10.3 mTLS Deployment]] | TLS-Konfiguration |
----
<< [[.:start|← Authentifizierung-Übersicht]] | [[de:int:pqcrypt:szenarien:start|↑ Szenarien]] | [[.:smartcard_login|9.2 Smartcard Login →]] >>
{{tag>szenario authentifizierung mtls client-zertifikat zero-trust}}
----
//Wolfgang van der Stille @ EMSR DATA d.o.o. - Post-Quantum Cryptography Professional//