Support for ssl_certificate_dir ?

Maxim Dounin mdounin at mdounin.ru
Mon Oct 13 20:17:26 UTC 2014


Hello!

On Mon, Oct 13, 2014 at 12:41:20PM -0700, Kunal Pariani wrote:

> 444 on this one too ?
> 
> Thanks
> -Kunal
> 
> On Wed, Oct 8, 2014 at 2:31 PM, Kunal Pariani <kpariani at zimbra.com> wrote:
> 
> > Hello,
> > Currently nginx doesn't have the capability to define the directory
> > containing all the ssl certificates. This requires all the chained
> > certificates need to be munched together in the right order in a single
> > file and specified using the ssl_certificate directive (
> > http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate).
> > Any plans of adding the option for of having a 'ssl_certicate_dir' maybe
> > which would have the path where all the cert files reside ? Also the
> > ordering of the certs will be done by the proxy itself instead of being
> > done manually ?

Short answer: no plans.

Long answer:

The ssl_trusted_certificate directive can be used to specify a PEM 
file with certs to be loaded into a certificate store.  These 
certs will be used by OpenSSL to complete the certificate chain 
automatically.

This OpenSSL behaviour is believed to cause more harm than good 
though, because a) it can add unneed certs to the chain in many 
cases, and b) the chain is built on runtime, and hence consumes 
CPU.

And there are no plans to add support of directories to 
ssl_trusted_certificate, as well to other similar directives.

-- 
Maxim Dounin
http://nginx.org/



More information about the nginx-devel mailing list