Load SSL certificates from system's store

Michal Cichra michal at 3scale.net
Wed Sep 23 17:58:19 UTC 2015


Hi there,

There is a very basic patch to nginx (which is the same with 1.9.5) to allow loading all SSL certificates from CApath.

When proxying with SSL verification, nginx needs SSL certificates to be loaded through a file.
That causes trouble for dynamic proxies that can proxy to any host. A workaround would be to pack all certificates from CApath and load them into nginx.
However, that is not very cross-platform, as on OSX it can use the keychain.
I understand there are some drawbacks (like memory usage), so I’d make it configurable, with off by default.

See the gist https://gist.github.com/mikz/4dae10a0ef94de7c8139
and discussion on openresty mailing list: https://groups.google.com/forum/#!searchin/openresty-en/ssl/openresty-en/SuqORBK9ys0/Yz0ypcRyV4UJ

Thanks for feedback
Michal Cichra
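
The workaround mentioned in the message above (packing every certificate from a CApath directory into one file that nginx can load), as an added example that is not part of the original post or the linked patch. The function name `build_ca_bundle` and all paths are assumptions; it assumes the CApath directory holds PEM files plus OpenSSL-style hash symlinks pointing at them.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from the post or the patch).
# build_ca_bundle CAPATH OUTFILE
#   Concatenates every PEM certificate found in CAPATH into OUTFILE and
#   prints the number of source files used. Returns non-zero, leaving
#   OUTFILE untouched, when CAPATH is missing or holds no certificates.
build_ca_bundle() {
    capath=$1
    out=$2
    if [ ! -d "$capath" ]; then
        echo "build_ca_bundle: not a directory: $capath" >&2
        return 2
    fi
    tmp=$(mktemp) || return 1
    seen=$(mktemp) || { rm -f "$tmp"; return 1; }
    count=0
    for f in "$capath"/*; do
        # -f follows symlinks, so dangling links and subdirectories are skipped
        [ -f "$f" ] || continue
        # ignore files that carry no certificate (README, CRLs, keys, ...)
        grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
        # A CApath directory usually lists each CA twice: the PEM file and a
        # <hash>.N symlink to it. Deduplicate by content checksum and size.
        sum=$(cksum < "$f")
        if grep -qxF -- "$sum" "$seen"; then
            continue
        fi
        printf '%s\n' "$sum" >> "$seen"
        # keep only the certificate blocks, dropping any text dump around them
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" >> "$tmp"
        count=$((count + 1))
    done
    rm -f "$seen"
    if [ "$count" -eq 0 ]; then
        rm -f "$tmp"
        echo "build_ca_bundle: no certificates found in $capath" >&2
        return 1
    fi
    # replace the bundle only after the whole directory was read successfully
    mv "$tmp" "$out" && chmod 644 "$out" || return 1
    printf '%s\n' "$count"
}

# Example call (paths are placeholders):
#   build_ca_bundle /path/to/capath /path/to/ca-bundle.pem
```

The resulting file is the kind of bundle nginx's `proxy_ssl_trusted_certificate` directive takes when `proxy_ssl_verify` is on; it has to be regenerated whenever the system store changes, which is the maintenance cost the message describes.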


More information about the nginx-devel mailing list