Dynamic ssl certificate ? (wildcard+ multiple different certs)

Jonathan Matthews contact at jpluscplusm.com
Thu Jan 9 16:45:21 UTC 2014

On 9 January 2014 16:28, Larry <nginx-forum at nginx.us> wrote:
> I would like to be able to "load" the right cert according to the cookie set
> and request uri.
> A sort of dynamic setting.
> So, what is the workaround I could use to avoid creating one file per new
> (self-signed)certificate issued ?

Your problem is that, irrespective of Nginx's feelings about using a
variable in the ssl_certificate directive, what you're trying to
configure is a HTTP/SSL layering violation.

The information you want to use to choose the correct cert is
communicated inside the HTTP request (usually people ask about using
the Host header; you're asking here about cookies). But this
information is not available to the SSL libraries until /after/ the
SSL channel has been set up - which can't be done until a cert has
been selected. It's a catch-22 situation.

SNI /can/ help with this, as it transmits the host header in the clear
during SSL negotiation, but client support can prove limited (browsers
on XP, IIRC, don't support it). I'm not sure, but I don't believe SNI
communicates enough extra information (cookies and/or request paths)
for you to achieve what you want to here.

The usual suggestion for this situation is either to seperate out
sites, one per IP; or to look at wildcard certs or UCC/SaN certs.
You've mentioned self-signed certs, which suggests you may have some
control over the clients root CAs - is this the case? You could
perhaps automate UCC/SaN cert issuance based on your current whitelist
of unrevoked certs ...

tl;dr Buy some IPv4 space and use an IP per subdomain.


More information about the nginx mailing list