Provide site-specific SSL cert on behalf of clients

Igor Sysoev igor at
Wed May 25 14:34:03 MSD 2011

On Wed, May 25, 2011 at 06:27:15AM -0400, urschrei wrote:
> Igor,
> just to make sure I'm not misunderstanding you:
> Usually, what happens is this:
> I install an SSL cert (let's call it certA) in a client browser, so I
> can access https site A, which requires it.
> But if I have a lot of clients, I'd ideally like to have nginx proxy
> this cert, on behalf of my clients, so I don't have to install it for
> each of them. Are you saying that in order for nginx to proxy the cert,
> I'll first have to generate a CA cert on the server, and then sign the
> client cert (certA) with it? Won't this result in a self-signed
> certificate warning every time a client tries to access site A?

nginx as a client does not currently support a client certificate
when it proxies a request to HTTPS backend (B). However, I do not see
any security advantage when many clients look like one for backend B.

Igor Sysoev

More information about the nginx mailing list