ssl_verify_partial_chain
Vedran Vidovic
vvidovic at croz.net
Fri May 20 14:02:08 UTC 2022
Hello,
thanks for the extensive answer.
I will try to pursue a solution similar to your suggestion:
- convert intermediate CA certificate to trusted certificate
- validate client certificate using trusted certificate
I still believe that addition of the new configuration option
"ssl_verify_partial_chain" would benefit nginx because if
we configure it using the "ssl_trusted_certificate" it doesn't
send a list of allowed CAs to the client. We just can't cover
the case when we want to send a list of allowed issuers
(without their root certs) without changes to nginx.
In my view, if I configure a certificate I1 as a trusted issuer, I should not be enforced
to add its issuer to list of trusted certificates. I would like to tell my server to trust all
certificates issued by certificate I1 (and not by it's root issuer). Similar functionality
is available in some other products I used and it seems natural to me but people
with different background can (of course) disagree.
---
Use Case 1 for such an approach:
For example, we could even have the following hierarchy of certificates:
- R (root CA)
- L0n (client leaf cert 00, 01,..)
- I1 (intermediate CA)
- L1n (client leaf cert 10, 11)
- I2 (intermediate CA)
- L2n (client leaf cert 20, 21,..)
We would want to trust certs issued by intermediate CA I1 but not trust
certs L0n or L2n.
Without the possibility to trust only the I1 and not the R we can't make sure
that someone won't call us with L0n certs.
---
Use Case 2 for such an approach (a real use case):
On a more practical note, we need to trust all certs issued by any of the
issuer certs from the EU trusted certificates list site and root certs are
not published there.
Kind regards
Vedran Vidovic
Odricanje od odgovornosti - disclaimer
More information about the nginx-devel
mailing list