Exact Client public certificate authentication using Nginx

Maxim Dounin mdounin at mdounin.ru
Wed Apr 3 10:53:06 UTC 2013


On Wed, Apr 03, 2013 at 06:31:49AM -0400, Sekhar wrote:

> Hi,
> I am relatively new to Nginx and below is what I need to achieve.
> I have an Nginx proxy server with the following key and certificate.
> 	->Nginx_server_private_key.pem
> 	->Nginx_server_public_cert.cer(Signed By Verisign CA)
> I have 3 clients who should be able to access the Nginx server based on
> their certificates. All their certificates are signed by verisign CA.
> Client 1 has following key certificate pair
> 	->Nginx_client1_private_key.pem
> 	->Nginx_client1_public_cert.cer (Signed By verisign CA)
> Similarly client 2
> 	->Nginx_client2_private_key.pem
> 	->Nginx_client2_public_cert.cer (Signed by Verisign CA)
> Similarly client 3
> 	->Nginx_client3_private_key.pem
> 	->Nginx_client3_public_cert.cer (Signed by Verisign CA)
> The server and clients will exchange their public certificates for mutual
> authentication.
> During SSL handshake the Nginx server only validates the CA of the incoming
> public certificate and if the CA is trusted, it allows the connection. By
> this logic any certificate signed by the same verisign CA will be able to
> access my application.
> Question:
> 1. Can I configure Nginx to match the exact public certificate instead of
> verifying the signing CA?

No.  A client certificate is considered to be good as long as it is 
verified successfully up to a trusted root certificate.

What you can do, however, is to configure nginx to only allow 
access for particular DNs, e.g. by using

    if ($ssl_client_s_dn != "some-good-DN") {
        return 403;
    }

More complex checks should probably use map, see 

Maxim Dounin
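The map-based variant Maxim points at, written out as an added example (this is not configuration from the thread or from the nginx project). The file paths, the `proxy.example.com` name, the three DN strings, the CA bundle name and the backend address are constructed placeholders; the real DN strings should be taken from the client certificates themselves.

```nginx
# Added example: allow a client-certificate-authenticated vhost only for a
# fixed set of subject DNs. All names, paths and DN values are placeholders.

# Translate the verified client subject DN into an allow flag. Comparison is
# an exact string match, so the DN must match character for character.
map $ssl_client_s_dn $client_allowed {
    default 0;
    "CN=client1,O=Example Corp,C=US" 1;
    "CN=client2,O=Example Corp,C=US" 1;
    "CN=client3,O=Example Corp,C=US" 1;
}

server {
    listen 443 ssl;
    server_name proxy.example.com;

    ssl_certificate     /etc/nginx/ssl/Nginx_server_public_cert.cer;
    ssl_certificate_key /etc/nginx/ssl/Nginx_server_private_key.pem;

    # Chain verification still runs first: the client certificate must
    # validate up to a CA in this bundle or the handshake fails before the
    # DN check is ever reached.
    ssl_client_certificate /etc/nginx/ssl/ca_bundle.pem;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Log the DN nginx actually sees, so the map keys can be copied exactly.
    log_format client_dn '$remote_addr "$ssl_client_s_dn" $status';
    access_log /var/log/nginx/client_dn.log client_dn;

    location / {
        # Chain verified, but the subject is not on the list: reject.
        if ($client_allowed = 0) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two caveats for anyone matching DN strings this way. The format of `$ssl_client_s_dn` changed in nginx 1.11.6: it now follows RFC 2253 (`CN=client1,O=Example Corp,C=US`), while older releases produced the OpenSSL one-line form (`/C=US/O=Example Corp/CN=client1`), which is still available as `$ssl_client_s_dn_legacy`; map keys written for one form silently match nothing on the other, so log the variable and copy it verbatim. Second, a DN match still trusts the CA to issue only one certificate with that subject; nginx 1.7.1 and later (which postdate this 2013 reply) also expose `$ssl_client_fingerprint`, the SHA-1 fingerprint of the presented certificate, and mapping on that variable instead pins the exact certificate, which is closer to what the original question asked for.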

More information about the nginx mailing list