How to load a TRUSTED Client CA

Maxim Dounin mdounin at
Sat Jan 7 23:11:22 UTC 2012


On Fri, Jan 06, 2012 at 10:12:20PM -0500, speedfirst wrote:

> I need to specify a CA file to "ssl_client_certificate" directive. This
> crt is generated by openssl x509 command with "-trustout" parameter, so
> starts with "----BEGIN TRUSTED CERTIFICATE-----", rather than common
> "-----BEGIN CERTIFICATE-----".
> Nginx will report error:
> PEM routines:PEM_read_bio:no start line
> Internally, nginx uses openssl's API "SSL_load_client_CA_file()" to load
> the cert and report this error.
> So it's a bug, expected or I mis-configure somewhere?

I suspect this is the result of the whole trust thing being 
experimental in OpenSSL.

OpenSSL's s_server sample server won't load such certificates as 
well.  It uses the same SSL_load_client_CA_file() function to 
handle -CAfile argument.  Note though that it won't complain as it 
lacks error checking after the call, you should explicitly test 
whether it was loaded by checking CA names list on connect.  On 
the other hand, "openssl verify" is able to handle such certs, so 
it's probably expected to work.  You may try asking OpenSSL's guys 
for details.

Easiest solution probably is to convert the cert to a normal one, 
something like this will do the trick:

$ openssl x509 -in trusted.cert.pem -clrtrust -out normal.cert.pem

Maxim Dounin

More information about the nginx mailing list