[PATCH] Add provision to fetch certificate chain from Nginx

CHHABRA Mandeep Singh mandeep-singh.chhabra at thalesgroup.com
Thu Dec 30 09:35:26 UTC 2021

Hi Maxim, 

Thanks for giving time to this.

As far as my understanding goes, the intermediate CA certificates are not required to be known to the server.
It is only the trust anchor (the root CA certificate) which is required to be known and trusted on the server.
And in our case also, the root CA certificate is trusted for the web.

I have tried to give a brief of the problem in the following section.

We have a product which supports multi-tenancy and uses Nginx as a reverse proxy.
There are different isolated domains which share the same trust anchor. But there could be a difference
in the client certificate chain in different domains. There is a need to do some extra validations
based on the CAs in the chain. To be more precise, we have an option to specify if a CA could be used to
do client or user authentication. There is a possibility that in one domain, a CA is enabled for client authentication and in another, the same CA is disabled.

So, we need a way to get the certificate chain from Nginx, to do these extra validations, apart from what Nginx does i.e. checking if the chain could be verified.
But there is no way to get the chain, today.

This could be a common problem applicable to multiple use cases, depending upon how a product wants its CA to behave.
And we think it could be a good-to-have feature in Nginx.

Please let me know if I should specify more details on the problem.
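As an added illustration of the per-domain CA check described above (this is example code, not part of the patch or of nginx), the following Python module takes the value such a chain variable would carry, assuming the same PEM format the patch produces (each line after the first indented with a tab), splits it into certificates, and compares the SHA-256 fingerprints of the issuing CAs against a per-domain allowlist. The PEM blobs and the policy table are constructed placeholders, not real certificates, and the variable name `ssl_client_cert_chain` is the one proposed in the patch.

```python
import base64
import hashlib
import re

# One PEM certificate block; the body is everything between the markers.
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def unfold_nginx_pem(value):
    """Undo the tab indentation used when PEM data is exposed in a variable:
    every newline inside the value is followed by a tab character."""
    return value.replace("\n\t", "\n")


def split_chain(pem_text):
    """Return the DER bytes of each certificate in the PEM chain, in order."""
    return [base64.b64decode("".join(body.split()))
            for body in PEM_RE.findall(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint of a DER-encoded certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def check_chain_for_domain(chain_var, domain, policy):
    """Return (ok, reason). Every issuing CA in the chain (all certificates
    except the last one, the leaf) must be enabled for client authentication
    in the given domain. The ordering rootCert -> intermediateCert -> clientCert
    is the one the patch description states."""
    ders = split_chain(unfold_nginx_pem(chain_var))
    if not ders:
        return False, "empty chain"
    allowed = policy.get(domain, set())
    for der in ders[:-1]:
        fp = fingerprint(der)
        if fp not in allowed:
            return False, "CA %s... not enabled for client auth in %s" % (fp[:16], domain)
    return True, "ok"


# --- constructed sample data (placeholder bytes, not real certificates) ---

def make_pem(der):
    """Wrap bytes as a PEM certificate block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body


def fold_as_nginx(pem_text):
    """Mimic the variable format: insert a tab after every newline."""
    return pem_text.replace("\n", "\n\t")


ROOT_DER = b"constructed-root-ca-placeholder" * 3
INTERMEDIATE_DER = b"constructed-intermediate-ca-placeholder" * 3
CLIENT_DER = b"constructed-client-cert-placeholder" * 3

# What $ssl_client_cert_chain would carry for rootCert -> intermediateCert -> clientCert.
SAMPLE_CHAIN_VAR = fold_as_nginx(
    make_pem(ROOT_DER) + make_pem(INTERMEDIATE_DER) + make_pem(CLIENT_DER))

# Hypothetical per-domain policy: which CAs may be used for client authentication.
POLICY = {
    "tenant-a": {fingerprint(ROOT_DER), fingerprint(INTERMEDIATE_DER)},
    "tenant-b": {fingerprint(ROOT_DER)},   # intermediate disabled here
}

if __name__ == "__main__":
    for tenant in ("tenant-a", "tenant-b"):
        print(tenant, check_chain_for_domain(SAMPLE_CHAIN_VAR, tenant, POLICY))
```

The check runs in the middleware after nginx has already verified the chain, so it only decides whether the CAs that nginx accepted are also enabled for this tenant; it does not replace chain verification.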


-----Original Message-----
From: nginx-devel <nginx-devel-bounces at nginx.org> On Behalf Of Maxim Dounin
Sent: Tuesday, December 28, 2021 9:28 PM
To: nginx-devel at nginx.org
Subject: Re: [PATCH] Add provision to fetch certificate chain from Nginx


On Tue, Dec 28, 2021 at 11:56:50AM +0000, CHHABRA Mandeep Singh wrote:

> # HG changeset patch
> # User Mandeep Singh Chhabra <mandeep-singh.chhabra at thalesgroup.com>
> # Date 1640691269 -19800
> #      Tue Dec 28 17:04:29 2021 +0530
> # Node ID 9baaef976ac80f05107b60801ebe6559cdb2cbc6
> # Parent  b002ad258f1d70924dc13d8f4bc0cc44362f0d0a
> Add provision to fetch certificate chain from Nginx
> The change adds a new variable ('ssl_client_cert_chain') to the 
> existing set of variables. It is part of the http SSL module.
> With this, the middleware can fetch the certificate chain from Nginx 
> using the variable mentioned. The variable returns a verified chain of 
> certificates.
> If the trust anchor is a root certificate (self signed) which has
> issued an intermediate certificate and the client certificate is
> issued by the intermediate certificate, the variable
> ('ssl_client_cert_chain') will return three certificates (rootCert ->
> intermediateCert -> clientCert).

Thanks for the patch.

You may want to be more specific about which problem you are trying to solve.  In particular, all root and intermediate certificates are expected to be known on the server.  If they aren't for some reason, it might be a good idea to clarify why they aren't known or reconsider particular configuration.


> +    p = s->data;
> +
> +    for (i = 0; i < cert_chain.len - 1; i++) {
> +        *p++ = cert_chain.data[i];
> +        if (cert_chain.data[i] == LF) {
> +            *p++ = '\t';
> +        }
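Review bot: the loop bound `i < cert_chain.len - 1` means the last byte of `cert_chain.data` is never copied into `s->data`; if dropping that byte is intentional (for example a trailing LF), a comment should say so, otherwise the bound should be `cert_chain.len`. Also, because a tab is appended after every LF, the allocation of `s->data` (not in the quoted lines) must be sized as `cert_chain.len` plus one byte per LF in the chain, and the patch should make that sizing visible next to this copy loop.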

Just a side note: certainly we are not going to introduce new variables using this syntax.

Also it might be a good idea to fix various style issues in the patch, but probably it makes sense to resolve the "why it should be needed" question first.


Maxim Dounin
nginx-devel mailing list
nginx-devel at nginx.org
