[PATCH] Add provision to fetch certificate chain from Nginx
mdounin at mdounin.ru
Tue Jan 11 20:41:21 UTC 2022
On Thu, Dec 30, 2021 at 09:35:26AM +0000, CHHABRA Mandeep Singh wrote:
> As far as my understanding goes, the intermediate CA
> certificates are not required to be known to the server.
> It is only the trust anchor(the root CA certificate) which is
> required to be known and trusted on the sever.
> And in our case also, the root CA certificate is trusted for the
Sure, intermediate certificates are not required to be known by
the server and can be provided by the client in the extra
certificates during SSL/TLS handshake.
Such configurations are believed to be extremely rare though: in
most cases intermediate certificates are well known and can be
easily configured on the server side, and this saves extra
configuration on clients.
Further, it is not really possible to properly retrieve such
client-provided intermediate certificates after the initial
handshake: these certificates are not saved to the session data
and therefore not available after session reuse, see
Hence the original question about the problem you trying to solve.
> I have tried to give a brief of the problem in the following
> We have a product which supports multi-tenancy and uses Nginx as
> a reverse proxy.
> There are different isolated domains which share the same trust
> anchor. But there could be difference
> in the client certificate chain in different domains. There is a
> need to do some extra validations based on the CAs in the chain.
> To be more precise, we have option to specify if a CA could be
> used to
> do client or user authentication. There is a possibility that in
> one domain, a CA is enabled for client authentication and in
> another , the same CA is disabled.
> So, we need a way to get the certificate chain from Nginx, to do
> these extra validations, apart from what Nginx does i.e.
> checking if the chain could be verified.
> But there is no way to get the chain, today.
Not sure I've understood your description correctly, but from what
I understood it looks like you are not trying to retrieve
client-provided intermediate certificates, but instead trying to
do additional checking on the chain which contains client-provided
end certificate and the chain constructed by nginx from the
intermediate certificates known on the server during certificate
verification. That is, you have something like:
- Root CA, Intermediate1 CA, Intermediate2 CA - all known on the
- Client certs signed by Intermediate1 CA;
- Client certs signed by Intermediate2 CA.
And you want to allow access only to certificates signed by
Intermediate1 CA in some cases, and only certificates signed by
Intermediate2 CA in other cases. Is that correct?
Such problem seems to be solvable by just looking at
$ssl_client_escaped_cert and re-creating the certificate chain
from the list of CA certificates known on the server. In simple
cases (assuming all intermediate CA DNs are unique) just checking
the $ssl_client_i_dn variable would be enough.
Does it look reasonable, or I misunderstood something?
More information about the nginx-devel