Validating client certificate against CRL

Maxim Dounin mdounin at mdounin.ru
Thu Dec 11 19:33:18 UTC 2014


Hello!

On Thu, Dec 11, 2014 at 02:03:35PM -0500, sandeepkolla99 wrote:

> Hi,
>    My Nginx is setup for Mutual SSL and it works well for the below nginx
> configuration. 
>    Hierarchy of certificates is:
>
>                                RootCA
>                                  |
>                                  V
>                            IntermediateCA
>                                  |
>                                  V
>                      ClientCert      ServerCert
>
>         listen       80;
>         listen       443 ssl;
>         server_name  localhost;
>
>         ssl_certificate         serverCert.pem;
>         ssl_certificate_key     serverKey.key;
>         ssl_client_certificate  RootCA.pem;
>         ssl_verify_client       on;
>         ssl_verify_depth        2;
> 
> But if I add 'ssl_crl RootCACRL.pem' or 'ssl_crl IntermediateCRL.pem' to
> the above configuration, I see the below error. By the way, RootCACRL.pem and
> IntermediateCRL.pem don't have any revoked certificates.
> 
> 400 Bad Request
> 
> The SSL certificate error
> 
> nginx/1.6.2

The "ssl_crl" should contain CRLs for all certificates in the 
chain, that is, both RootCA and IntermediateCA in your case.  
There should be a message in the error log (at "info" level) 
explaining what's wrong.

Just combining IntermediateCRL.pem and RootCACRL.pem into a single 
file and using it in the "ssl_crl" directive should fix this.

-- 
Maxim Dounin
http://nginx.org/
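The following script is an added, self-contained reproduction of the situation
in this thread; it is not from the post above and not nginx code. It builds the
RootCA -> IntermediateCA -> ClientCert chain with the openssl CLI, issues one
(empty) CRL per CA, and then verifies the client certificate the way nginx does
when ssl_crl is set (OpenSSL's X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL,
which "openssl verify -crl_check_all" reproduces): each CRL file alone is
rejected with "unable to get certificate CRL", the concatenation of both is
accepted, and, going one step beyond the post, a CRL that actually revokes the
client certificate is shown to be honoured. All names, key sizes and lifetimes
are arbitrary demo choices; openssl 1.1.1 or later is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the nginx thread): RootCA -> IntermediateCA -> ClientCert,
# one CRL per CA, and CRL checking as nginx's ssl_crl performs it. Needs the
# openssl CLI (1.1.1+). Names and lifetimes are arbitrary demo choices.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config: "req" needs a distinguished_name section even when the
# subject is given with -subj; the other sections are the extension profiles.
cat > ext.cnf <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# "openssl ca" keeps a per-CA database; -revoke and -gencrl both need it.
init_ca_db() {   # $1 = directory holding this CA's state
  mkdir -p "$1"
  : > "$1/index.txt"
  echo 1000 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database         = $WORK/$1/index.txt
crlnumber        = $WORK/$1/crlnumber
default_md       = sha256
default_crl_days = 30
EOF
}

# Issue $1.key/$1.pem with extension section $2, signed by issuer $3 ($3.key, $3.pem).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config ext.cnf \
    -keyout "$1.key" -out "$1.csr" -subj "/CN=$1" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" -CAcreateserial \
    -days 30 -sha256 -extfile ext.cnf -extensions "$2" -out "$1.pem" 2>/dev/null
}

# Self-signed root, then the intermediate and the client certificate.
openssl req -x509 -newkey rsa:2048 -nodes -config ext.cnf -extensions v3_ca \
  -keyout RootCA.key -out RootCA.pem -days 30 -subj /CN=RootCA 2>/dev/null
issue IntermediateCA v3_ca RootCA
issue ClientCert v3_client IntermediateCA

# One empty CRL per CA, as in the post, plus the combined file for ssl_crl.
init_ca_db rootca
init_ca_db intca
openssl ca -config rootca/ca.cnf -gencrl -keyfile RootCA.key -cert RootCA.pem \
  -out RootCACRL.pem 2>/dev/null
openssl ca -config intca/ca.cnf -gencrl -keyfile IntermediateCA.key \
  -cert IntermediateCA.pem -out IntermediateCRL.pem 2>/dev/null
cat RootCACRL.pem IntermediateCRL.pem > CombinedCRL.pem

# Revoke the client cert and reissue the intermediate CRL, to confirm the
# combined file is really consulted rather than merely accepted.
openssl ca -config intca/ca.cnf -keyfile IntermediateCA.key -cert IntermediateCA.pem \
  -revoke ClientCert.pem 2>/dev/null
openssl ca -config intca/ca.cnf -gencrl -keyfile IntermediateCA.key \
  -cert IntermediateCA.pem -out IntermediateCRL-revoked.pem 2>/dev/null
cat RootCACRL.pem IntermediateCRL-revoked.pem > CombinedCRL-revoked.pem

# Number of PEM CRL objects in a file; ssl_crl loads every CRL found in the file.
crl_count() { grep -c 'BEGIN X509 CRL' "$1"; }

# The check nginx runs for ssl_crl (CRL_CHECK | CRL_CHECK_ALL): every issuer in
# the chain below the trust anchor must have a CRL. Exit status = verdict.
verify_with_crl() {   # $1 = CRL file (one or more PEM CRLs)
  openssl verify -crl_check_all -CAfile RootCA.pem -untrusted IntermediateCA.pem \
    -CRLfile "$1" ClientCert.pem
}

report() {   # $1 = label, $2 = CRL file
  if out=$(verify_with_crl "$2" 2>&1); then
    echo "$1: accepted"
  else
    echo "$1: rejected: $(echo "$out" | grep 'depth lookup' | head -n 1)"
  fi
}

report "ssl_crl RootCACRL.pem      " RootCACRL.pem
report "ssl_crl IntermediateCRL.pem" IntermediateCRL.pem
report "ssl_crl CombinedCRL.pem    " CombinedCRL.pem
report "combined, client revoked   " CombinedCRL-revoked.pem
```

The two single-CRL runs fail at a different depth (the root's CRL covers the
intermediate, the intermediate's CRL covers the client certificate), which is
the "unable to get certificate CRL" condition behind the 400 in the post; nginx
logs it at "info" level as a client certificate verify error. The combined file
is just the two PEM blocks back to back, so a cron job that refreshes both CRLs
and rewrites that file, followed by a reload, is all the operational upkeep
ssl_crl needs.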
