Exact Client public certificate authentication using Nginx

Maxim Dounin mdounin at mdounin.ru
Wed Apr 3 14:06:38 UTC 2013


Hello!

On Wed, Apr 03, 2013 at 09:30:40AM -0400, Sekhar wrote:

> Hi Maxim,
> 
> Thanks for replying to the post. Below is my concern. 
> 
> Multiple certificates can have the same DN and the DN name match will happen
> after the SSL handshake is complete using the root CA. It means the SSL
> layer is complete and we are doing authorization not authentication.

The CA is supposed to ensure that DN claimed in a certificate is 
correct, that's the whole point of PKI.

If you want to do authentication yourself without trusting the 
root CA used to issue certificates, you may do so in a similar 
manner by checking the whole certificate as available via 
$ssl_client_raw_cert variable.

-- 
Maxim Dounin
http://nginx.org/en/donation.html
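
An added example, not part of the original message and not nginx code: one way to check the whole certificate rather than its DN is to hash the certificate's DER bytes and compare the result against a pinned allowlist. It assumes the PEM text of $ssl_client_raw_cert has been handed to application code, possibly with tab-indented continuation lines or URL-encoded. The function names are hypothetical and the sample "certificates" are constructed stand-in bytes, not real X.509.

```python
import base64
import hashlib
import hmac
import re
from urllib.parse import unquote

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def cert_der(pem_text):
    """Return the DER bytes of the first certificate in pem_text, or None."""
    m = PEM_RE.search(unquote(pem_text or ""))  # unquote is a no-op on plain PEM
    if not m:
        return None
    body = re.sub(r"\s+", "", m.group(1))  # drop newlines and tab continuations
    try:
        return base64.b64decode(body, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None


def cert_pin(pem_text):
    """SHA-256 over the whole certificate, as lowercase hex, or None."""
    der = cert_der(pem_text)
    return hashlib.sha256(der).hexdigest() if der else None


def is_allowed(pem_text, pinned):
    """True only if this exact certificate is in the pinned set."""
    pin = cert_pin(pem_text)
    if pin is None:
        return False  # missing or malformed certificate: fail closed
    ok = False
    for p in pinned:
        ok |= hmac.compare_digest(pin, p.lower())
    return ok


def _pem(der):
    """Wrap bytes as PEM (helper for the constructed samples below)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


# Constructed stand-ins: same subject DN, different certificates.
CERT_A = _pem(b"constructed stand-in: CN=alice serial=01 " * 3)
CERT_B = _pem(b"constructed stand-in: CN=alice serial=02 " * 3)
PINNED = {cert_pin(CERT_A)}
```

Two certificates that carry the same DN produce different pins, so only the exact pinned certificate is accepted.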


