Different certificates and keys for server and client verification

Jason Whittington Jason.Whittington at equifax.com
Fri Feb 9 21:16:31 UTC 2018


Yes - SSL and Client certs are completely orthogonal.  However nginx needs to know about whatever cert is used to sign the client certs.  Each client can't create completely distinct self-signed certs; they have to be signed by an issuer that nginx trusts.   The blog posts at [1] and [2] do a pretty good job outlining the process for client certs.  Notice that they both basically start with creating a CA you are going to use to issue client certs.

[1] http://nategood.com/client-side-certificate-authentication-in-ngi
[2] https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

Jason

-----Original Message-----
From: nginx [mailto:nginx-bounces at nginx.org] On Behalf Of spacerobot
Sent: Friday, February 09, 2018 12:57 PM
To: nginx at nginx.org
Subject: [IE] Different certificates and keys for server and client verification

Hi,

I want my nginx listener to use SSL and do both server and client verification. However, I want it to use different certificates and keys for server vs client verification. The reason is that I want to use a properly signed certificate for the server verification and a self signed certificate for client verification (in order to manage allowed clients).

Is there a way to achieve this?

Thanks!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278466,278466#msg-278466

_______________________________________________
nginx mailing list
nginx at nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

This message contains proprietary information from Equifax which may be confidential. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster at equifax.com. Equifax® is a registered trademark of Equifax Inc. All rights reserved.


More information about the nginx mailing list