Does Nginx allow to specify multiple root certificates for client certificate verification?
ffeldhaus
nginx-forum at nginx.us
Tue Jul 31 15:21:26 UTC 2012
Hi,
Maxim Dounin Wrote:
>
> Hello!
>
> On Tue, Jul 31, 2012 at 05:43:31AM -0400,
> ffeldhaus wrote:
>
> > For a project as part of the European Grid
> Infrastructure (EGI) we need
> > SSL client certificate verification for a
> service running on nginx. As
> > there are several root CAs allowed within EGI,
> we need nginx to check
> > them all during client certificate validation.
> In the documentation of
> > nginx I could only find the parameter
> ssl_client_certificate which
> > allows to specify just one file containing a
> root certificate.
> >
> > Is there a way to specify more than one root CA
> for client certificate
> > verification in nginx or do I have to use Apache
> for this?
>
> Yes. Just put multiple root CA certificates into
> a file specified
> in the ssl_client_certificate directive.
>
> Note the docs explicitly say "certificates"
> (plural), see
> http://nginx.org/r/ssl_client_certificate.
I had hoped there would be another way. Putting the currently 105
certificates in one file may work, but the problem is, that the
certificates may change and with 105 CA certificates at the moment the
chance that a certificate is updated/revoked is not negligible anymore.
I could write a cron job to update the single certificate file after
each update, but it would be much easier if nginx would support multiple
CA certificate files out of the box. For Apache there is a directive
called SSLCACertificatePath to do just this. Do you think this could be
a feature worth implementing in Nginx? If so, how could I help?
Florian Feldhaus
Posted at Nginx Forum: http://forum.nginx.org/read.php?2,229129,229148#msg-229148
More information about the nginx
mailing list