Exact Client public certificate authentication using Nginx
Maxim Dounin
mdounin at mdounin.ru
Wed Apr 3 10:53:06 UTC 2013
Hello!
On Wed, Apr 03, 2013 at 06:31:49AM -0400, Sekhar wrote:
> Hi,
>
> I am relatevely new to Nginx and below is what i need to achieve.
>
> I have an Nginx proxy server with following key and certicate.
> ->Nginx_server_private_key.pem
> ->Nginx_server_public_cert.cer(Signed By Verisign CA)
>
> I have 3 clients who should be able to access the Nginx server based on
> their certificates. All their certificates are signed by verisign CA.
> Client 1 has following key certificate pair
> ->Nginx_client1_private_key.pem
> ->Nginx_client1_public_cert.cer (Signed By verisign CA)
> Similarly client 2
> ->Nginx_client2_private_key.pem
> ->Nginx_client2_public_cert.cer (Signed by Verisign CA)
> Similarly client 3
> ->Nginx_client3_private_key.pem
> ->Nginx_client3_public_cert.cer (Signed by Verisign CA)
>
> The server and clients will exchange their public certificates for mutual
> authentication.
>
> During SSL handshake the Nginx server only validates the CA of the incoming
> public certificate and if the CA is trusted, it allowes the connection. By
> this logic any certificate signed by the same verisign CA will be able to
> access my application.
>
> Question:
> 1. Can I configure Nginx to match the exact public certificate insted of
> verifying the signing CA?
No. Client certificate is considered to be good as long as it is
verified successfully up to a trusted root certificate.
What you can do, however, is to configure nginx to only allow
access for a particular DN's, e.g. by using
if ($ssl_client_s_dn != "some-good-DN") {
return 403;
}
More complex checks should probably use map, see
http://nginx.org/r/map.
--
Maxim Dounin
http://nginx.org/en/donation.html
More information about the nginx
mailing list