Validate Client certificate SDN fields (CN, OU, O, etc..) at Nginx

Francis Daly francis at
Thu Nov 27 08:10:07 UTC 2014

On Wed, Nov 26, 2014 at 11:24:45AM -0500, sandeepkolla99 wrote:

Hi there,

> I'm able to verify client certificate successfully. Now, additionally I want
> perform the following three validations on client certificate 

You have $ssl_client_s_dn.

If you want to stay purely in nginx.conf, can you use "map" or another
regex match to extract the parts that you want into whatever variables
you want?

If you intend to use some backend processor (proxy_pass, fastcgi_pass),
then potentially you could send the variables or the certificate there
for validation.

Of you could use one of the embedded languages to access the same

I am not aware that stock nginx auto-creates extra variables beyond those
which are in the documentation -- if you want more, you do it yourself.

> I'm trying to find the nginx configuration statements to implement these
> validations. Please let me know if I need to elaborate this further.

Use "if" to compare (bits of) $ssl_client_s_dn with the thing you want,
and act accordingly.

Francis Daly        francis at

More information about the nginx mailing list