Validating client certificate against CRL
Maxim Dounin
mdounin at mdounin.ru
Thu Dec 11 19:33:18 UTC 2014
Hello!
On Thu, Dec 11, 2014 at 02:03:35PM -0500, sandeepkolla99 wrote:
> Hi,
> My Nginx is setup for Mutual SSL and it works well for the below nginx
> configuration.
> Hierarchy of certificates is RootCA
>                                  |
>                                  V
>                            IntermediateCA
>                                  |
>                                  V
>                     ClientCert        ServerCert
>
> listen 80;
> listen 443 ssl;
> server_name localhost;
>
> ssl_certificate serverCert.pem;
> ssl_certificate_key serverKey.key;
> ssl_client_certificate RootCA.pem;
> ssl_verify_client on;
> ssl_verify_depth 2;
>
> But if I add 'ssl_crl RootCACRL.pem' or 'ssl_crl IntermediateCRL.pem' to
> the above configuration, I see the below error. By the way, RootCACRL.pem and
> IntermediateCRL.pem files don't have any revoked certificates.
>
> 400 Bad Request
>
> The SSL certificate error
>
> nginx/1.6.2
The "ssl_crl" should contain CRLs for all certificates in the
chain, that is, both RootCA and IntermediateCA in your case.
There should be a message in the error log (at "info" level)
explaining what's wrong.
Just combining IntermediateCRL.pem and RootCACRL.pem into a single
file and using it in the "ssl_crl" directive should fix this.
--
Maxim Dounin
http://nginx.org/
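The behaviour Maxim describes, reproduced with the openssl command-line tool alone, as an added example (this is not code from the thread or from nginx). It assumes `openssl` is on PATH; the CA names, the file names (`root.pem`, `inter.crl`, `all.crl`) and the config sections are constructed for the demo. `openssl verify -crl_check_all` applies the same OpenSSL flag (X509_V_FLAG_CRL_CHECK_ALL) that nginx sets on its certificate store when `ssl_crl` is configured, so a CRL file that covers only one CA in the chain fails with "unable to get certificate CRL", while the concatenated file passes.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): reproduce, with the
# openssl command-line tool alone, why "ssl_crl" needs a CRL for every CA in
# the client's chain. Every name, subject and file here is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal OpenSSL config: subject handling for "req", extension sections for
# the CAs and the client leaf, and the few keys "openssl ca -gencrl" needs.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
# overridden by -subj on every req invocation below
CN = placeholder
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
[ ca ]
default_ca = crl_issuer
[ crl_issuer ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF

# RootCA (self-signed), IntermediateCA signed by it, ClientCert signed by the
# intermediate: the hierarchy from the question.
openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config openssl.cnf -extensions ca_ext -subj "/CN=RootCA" \
    -keyout root.key -out root.pem 2>/dev/null

issue() {   # issue NAME SIGNER EXT_SECTION
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config openssl.cnf \
        -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
        -days 365 -sha256 -extfile openssl.cnf -extensions "$3" -out "$1.pem" 2>/dev/null
}
issue inter root ca_ext
issue client inter leaf_ext

# One empty CRL per CA: the index database is empty, so nothing is revoked,
# exactly as in the question.
gencrl() {   # gencrl CA_NAME
    : > index.txt
    echo 01 > crlnumber
    openssl ca -gencrl -config openssl.cnf -keyfile "$1.key" -cert "$1.pem" \
        -md sha256 -crldays 30 -out "$1.crl" 2>/dev/null
}
gencrl root
gencrl inter

# What nginx does for ssl_verify_client + ssl_crl: the chain is verified with
# X509_V_FLAG_CRL_CHECK_ALL, so OpenSSL wants a CRL from every issuer in it.
check_with_crl() {   # check_with_crl CRL_FILE -> prints the verify result
    openssl verify -crl_check_all -CAfile root.pem -untrusted inter.pem \
        -CRLfile "$1" client.pem 2>&1 || true
}

# Only the root CRL, like "ssl_crl RootCACRL.pem" alone: fails at depth 0
# with "unable to get certificate CRL" (no CRL issued by IntermediateCA).
RESULT_ROOT_ONLY=$(check_with_crl root.crl)

# Both CRLs concatenated into one PEM file, Maxim's fix: verifies.
cat root.crl inter.crl > all.crl
RESULT_ALL=$(check_with_crl all.crl)

echo "root CRL only : $RESULT_ROOT_ONLY"
echo "root + inter  : $RESULT_ALL"
```

The nginx equivalent of the passing case is `ssl_crl all.crl` next to `ssl_client_certificate RootCA.pem`. The failing case prints the same OpenSSL error text that nginx writes to its error log at "info" level when the handshake is rejected with the 400, which is the message Maxim points to for diagnosing which issuer's CRL is missing.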