this may be a dumb ssl question, but here goes...

AJ Weber aweber at comcast.net
Thu Oct 11 15:35:16 UTC 2012


I didn't double-check yet, but it looks like if I set this up, and the 
client does not have a client-side certificate, nginx is returning 
either a 400 (or more likely a 403)?  Is there any way I can be entirely 
"rude" and re-map the return code if you do not have a client 
certificate to 444?

Thanks again,
AJ

On 10/10/2012 6:51 PM, Maxim Dounin wrote:
> Hello!
>
> On Wed, Oct 10, 2012 at 05:16:12PM -0400, AJ Weber wrote:
>
>> I think I might have found my answer to this.
>>
>> I can generate my own (or use any different) CA and add that in
>> ssl_client_certificate <path>;
>> And then set ssl_verify_client on;
>>
>> This appears to work in initial testing.  So my follow-up is:
>> 1) Does this sound like the way to make my original question work?
> Yes.
>
>> 2) Can I revoke certificates, and will nginx check a revocation list
>> of some kind?
> http://nginx.org/r/ssl_crl
>
>> Thanks again,
>> AJ
>>
>>
>> On 10/10/2012 2:14 PM, AJ Weber wrote:
>>> Can I install and configure nginx to use a "public"/global CA's
>>> SSL Certificate like Verisign, AND force (require) the use of
>>> client SSL certificates, AND allow those
>>> client/browser-certificates to be from a different CA/root?  For
>>> example, openca or some self-signed setup that I use to just
>>> distribute client certificates to my registered users?
>>>
>>> Let me know if I am not asking the question correctly.
>>>
>>> Thanks,
>>> AJ
>>>
>> _______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
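
The setup discussed in this thread, as an added example that is not part of the original messages: the server certificate comes from a public CA, client certificates are checked against a private CA and its CRL, and requests without a valid client certificate are closed with 444. The file paths, server name and document root are placeholders; using `ssl_verify_client optional` with a test on `$ssl_client_verify` is one way to get the 444 behaviour and is an assumption here, not something confirmed in the thread.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                              # placeholder name

    # Server identity: certificate issued by a public CA.
    ssl_certificate     /etc/nginx/ssl/server.crt;        # placeholder path
    ssl_certificate_key /etc/nginx/ssl/server.key;        # placeholder path

    # Client identity: only certificates issued by the private CA are
    # accepted. This CA is independent of the one that signed server.crt.
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;  # placeholder path

    # Revocation list in PEM format, issued by the private CA. nginx reads
    # the file when the configuration is loaded, so reload nginx after
    # publishing a new CRL.
    ssl_crl /etc/nginx/ssl/client-ca.crl;                 # placeholder path

    # With "on", nginx itself rejects a request that has no valid client
    # certificate. "optional" lets the request reach the check below, so
    # the response can be chosen here.
    ssl_verify_client optional;

    # $ssl_client_verify is SUCCESS only when a certificate was presented,
    # chains to client-ca.crt and is not listed in the CRL. A missing
    # certificate gives NONE, a rejected one gives a FAILED value.
    if ($ssl_client_verify != SUCCESS) {
        return 444;    # close the connection without sending a response
    }

    location / {
        root /var/www/private;                            # placeholder path
    }
}
```

The 444 is applied after the TLS handshake has completed, so a client without a certificate still sees the server certificate before the connection is dropped.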
