Whitelisting Client Side Certificates

David Birdsong david.birdsong at gmail.com
Wed Feb 26 17:58:00 UTC 2014

Having just gone through learning about this over the last few days, here's
what I learned. Take it w/ a grain of salt.

There are 2 ways I'm aware of.

1. turn on strict client verify and limit the ca list that the server knows
about. this will cause the server to have a limited view of what certs are
valid in the world and cause it to reject any client who's cert doesn't
chain back to your ca list. I think you set that here:

2. match subject name and subjectAlternatename to a whitelist. I don't know
if nginx can do this part natively. Haproxy can:

...from skimming, the way you'd do #2 is to use
set a proxy header from: $ssl_client_cert and have your backend parse
and accept/deny names found in that pem structure

On Wed, Feb 26, 2014 at 9:37 AM, paddy3883 <nginx-forum at nginx.us> wrote:

> I'm currently working on POC for my company which is looking to use NGINX
> to
> validate API Requests using Client Side Certificates. Presently we have it
> setup so we are self signing/generating these certificates on the local
> machine and are able to use these successfully in our tests. We are also
> able to use the revocation list to disable generated certificates.
> Moving forward it is possible we will be using an external CA to generate
> these certificates and we are trying to determine if this is a way to
> 'whitelist' certificates so only those generated ones which we have
> visibility of will be verified, rather than a 'blacklisting' approach to
> block those which are revoked? i.e. Given a client certificate generated by
> a external CA how can we established this in a trusted list of certs to
> verify?
> Apologies if this question is lacking technical details/knowledge, this is
> my first hands on experience with SSL.
> Posted at Nginx Forum:
> http://forum.nginx.org/read.php?2,247969,247969#msg-247969
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20140226/cfdbc17a/attachment.html>

More information about the nginx mailing list