OCSP stapling for client certificates

Maxim Dounin mdounin at mdounin.ru
Wed Aug 27 16:55:54 UTC 2014


On Wed, Aug 27, 2014 at 11:51:08AM -0500, Mohammad Dhedhi wrote:

> Hi,
> I was able to set up nginx with client certificate authentication and OCSP
> stapling. I however noticed that OCSP is used only for the nginx server ssl
> certificate.
> It does not use OCSP for validating client certificates to see if a client
> is using a revoked certificate or not. Is ssl_crl the only way to check
> for revoked client certificates or can nginx be configured to use OCSP for
> client certificates?

No, nginx doesn't support OCSP-based validation of client 
certificates; it only supports OCSP stapling.  If you want to 
check revocation of client certificates, the only available option 
is to use ssl_crl.

Maxim Dounin
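
The setup described in the reply above, as an added configuration sketch that is not part of the original message: OCSP stapling covers the server certificate, while revocation of client certificates is checked against the file given to ssl_crl. The server name, resolver address, upstream address and all file paths are placeholders.

```nginx
server {
    listen      443 ssl;
    server_name example.com;                      # placeholder

    # Server certificate. OCSP stapling applies to this certificate only.
    ssl_certificate         /etc/nginx/tls/server.crt;
    ssl_certificate_key     /etc/nginx/tls/server.key;
    ssl_stapling            on;
    ssl_stapling_verify     on;
    # Chain used to verify the stapled OCSP response.
    ssl_trusted_certificate /etc/nginx/tls/server-chain.pem;
    # Needed to resolve the OCSP responder host name (placeholder address).
    resolver                192.0.2.53;

    # Client certificate authentication.
    ssl_client_certificate  /etc/nginx/tls/client-ca.pem;
    ssl_verify_client       on;
    ssl_verify_depth        2;

    # Revocation check for client certificates: CRL(s) in PEM format.
    ssl_crl                 /etc/nginx/tls/client-ca.crl.pem;

    location / {
        # Pass the verification result and subject to the backend for logging.
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass       http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

nginx reads the ssl_crl file when the configuration is loaded, so a refreshed CRL only takes effect after a reload. If client certificates are issued by an intermediate CA, the file needs a current CRL from every CA in the chain, concatenated in PEM format.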
