How to load a TRUSTED Client CA
mdounin at mdounin.ru
Sat Jan 7 23:11:22 UTC 2012
On Fri, Jan 06, 2012 at 10:12:20PM -0500, speedfirst wrote:
> I need to specify a CA file to "ssl_client_certificate" directive. This
> crt is generated by openssl x509 command with "-trustout" parameter, so
> starts with "----BEGIN TRUSTED CERTIFICATE-----", rather than common
> "-----BEGIN CERTIFICATE-----".
> Nginx will report error:
> PEM routines:PEM_read_bio:no start line
> Internally, nginx uses openssl's API "SSL_load_client_CA_file()" to load
> the cert and report this error.
> So it's a bug, expected or I mis-configure somewhere?
I suspect this is the result of the whole trust thing being
experimental in OpenSSL.
OpenSSL's s_server sample server won't load such certificates as
well. It uses the same SSL_load_client_CA_file() function to
handle -CAfile argument. Note though that it won't complain as it
lacks error checking after the call, you should explicitly test
whether it was loaded by checking CA names list on connect. On
the other hand, "openssl verify" is able to handle such certs, so
it's probably expected to work. You may try asking OpenSSL's guys
Easiest solution probably is to convert the cert to a normal one,
something like this will do the trick:
$ openssl x509 -in trusted.cert.pem -clrtrust -out normal.cert.pem
More information about the nginx