Exact Client public certificate authentication using Nginx
Maxim Dounin
mdounin at mdounin.ru
Wed Apr 3 14:06:38 UTC 2013
Hello!
On Wed, Apr 03, 2013 at 09:30:40AM -0400, Sekhar wrote:
> Hi Maxim,
>
> Thanks for replying to the post. Below is my concern.
>
> Multiple certificates can have the same DN and the DN name match will happen
> after the SSL handshake is complete using the root CA. It means the SSL
> layer is complete and we are doing authorization not authentication.
The CA is supposed to ensure that the DN claimed in a certificate is
correct, that's the whole point of PKI.

If you want to do authentication yourself without trusting the
root CA used to issue certificates, you may do so in a similar
manner by checking the whole certificate as available via
the $ssl_client_raw_cert variable.
--
Maxim Dounin
http://nginx.org/en/donation.html
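
Added example (not part of the original message and not nginx project code): one way an application behind nginx could check the whole certificate rather than its DN, assuming nginx hands it the PEM text from $ssl_client_raw_cert (or the URL-encoded $ssl_client_escaped_cert). The function names, the pin set and the sample byte strings are constructed for illustration.

```python
import hashlib
import ssl
from urllib.parse import unquote


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes of the whole certificate, not just its DN."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def is_pinned(presented: str, pinned: frozenset) -> bool:
    """True only if the presented certificate is byte-for-byte an enrolled one.

    `presented` is the PEM text as forwarded by nginx (assumption); unquote()
    leaves plain PEM untouched and decodes the URL-encoded form.
    """
    try:
        return cert_fingerprint(unquote(presented)) in pinned
    except ValueError:  # no certificate sent, missing PEM markers, bad base64
        return False


# Constructed stand-ins for DER certificates: same subject DN, different keys.
# Real input would be the PEM nginx exposes; the check never parses the DN.
ENROLLED_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: CN=alice, key A")
LOOKALIKE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed: CN=alice, key B")

# Pins are recorded at enrollment time from the certificate itself.
PINNED = frozenset({cert_fingerprint(ENROLLED_PEM)})

if __name__ == "__main__":
    for name, pem in (("enrolled", ENROLLED_PEM), ("lookalike", LOOKALIKE_PEM)):
        print(name, "accepted" if is_pinned(pem, PINNED) else "rejected")
```

Proof that the client holds the matching private key still comes from the TLS handshake nginx performed; this check only decides which certificates are accepted.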