Add new, corporate friendly, SSL client certificate variables.

Maxim Dounin mdounin at
Mon Feb 20 13:20:27 UTC 2017


On Mon, Feb 20, 2017 at 10:20:07AM +0000, Dave Bevan wrote:

> # HG changeset patch
> # User Dave Bevan <dave.bevan at>
> # Date 1487584846 0
> #      Mon Feb 20 10:00:46 2017 +0000
> # Node ID 06bd70321e25e01574e406095ff5f21f56b571da
> # Parent  87cf6ddb41c216876d13cffa5e637a61b159362c
> Add new, corporate friendly, SSL client certificate variables.
> Introduce three new SSL variables:
>  * ssl_client_ms_upn (extracts Microsoft UserPrincipleName from client cert)
>  * ssl_client_email  (extracts email from client cert)

Implementations of these doesn't seem to take into account that 
there may be more than one such name in a certificate.

>  * ssl_client_s_cn   (extracts Subject Common Name from client cert)

There is $ssl_client_s_dn variable which contains CN.  If for some 
reason only the CN is needed, it can be extracted using map{}, see  And it may be a better 
solution to use the DN instead.

> These are particularly useful in corporate environments, and bring some parity
> with Apache facilities (particularly ms_upn extract).

I can't say this explains how these are "useful in corporate 
environments".  In particular, we've never seen any user requests 
about client certficate alternative names, neither email nor 
Microsoft-specific ones.

Maxim Dounin

More information about the nginx-devel mailing list