ssl_client_certificate set to a certificate chain?
任晓磊
julyclyde at gmail.com
Mon May 21 02:31:49 UTC 2012
Hi,
I fall into this situation: one root CA issued two intermediate CAs,
one for merchants and another for payment gateways. I set
ssl_client_certificate to intermediate CA of payment gateways, client
cannot verify itself. I guess it's because ssl_client_certificate is
not set to a self-signed root CA. So, I changed that parameter to the
root CA, it works.
But, theoretically another merchant could connect to my server with
it's certificate signed by merchants intermediate CA. How can I avoid
this? I set the parameter to a certificate chain of root CA and
payment gateways's intermediate CA, and tried openssl s_client
-connect server:8443 , openssl says:
---
Acceptable client certificate CA names
/CN=UP_ROOT_CA
/CN=UP_CA
I don't know the server would accept a certificate issued by
UP_ROOT_CA and UP_CA, or issued by UP_ROOT_CA or UP_CA.
--
Ren Xiaolei
More information about the nginx
mailing list