Client certificates and check for DN?
Igor A. Ippolitov
iippolitov at nginx.com
Wed Feb 28 15:41:29 UTC 2018
Hello.
I'm not sure what you really need, but it looks like you can
get almost the same result using a combination of map{} blocks and
conditionals.
Something like this:
    map $ssl_client_s_dn $ou_matched {
        ~OU=whatever 1;
        default      0;
    }
    map $ssl_client_s_dn $cn_matched {
        ~CN=whatever 1;
        default      0;
    }
    # concatenate both flags; any "0" in the result means a check failed
    map $ou_matched$cn_matched $unauthed {
        ~0      1;
        default 0;
    }
    server {
        ....
        ssl_trusted_certificate path/to/public/certs;
        ssl_verify_client on;
        if ($unauthed) { return 403; }
    }
On 28.02.2018 16:39, rainer at ultra-secure.de wrote:
> Hi,
>
> it seems most examples, even for apache, seem to assume that the
> client certificates are issued by your own CA.
> In this case, you just need to check if your certificates were issued
> by this CA - and if they're not, it's game over.
>
>
> However, I may have a case where the CA is a public CA and the client
> certificates need to be verified down to the correct O and OU.
>
> How do you do this with nginx?
>
> Something along these lines:
>
> https://www.tbs-certificates.co.uk/FAQ/en/183.html
>
>
> Best Regards
> Rainer
> _______________________________________________
> nginx mailing list
> nginx at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx
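The map{} approach above matches the DN with an unanchored regex, so "OU=whatever" also matches a subject containing "OU=whateverelse". The following is an added example, not part of the mailing-list thread, that parses the RFC 2253 form nginx exposes in $ssl_client_s_dn (nginx 1.11.6 and later; older releases used the OpenSSL "/C=GB/O=..." one-line form) and compares O and OU as whole values. The sample DNs are constructed, and the anchored pattern STRICT_OU shows the shape of regex that is safe to put in a map{} block.

```python
import re

# Constructed sample subjects in the RFC 2253 form that $ssl_client_s_dn uses.
SAMPLE_DNS = {
    "good":      "CN=alice,OU=whatever,O=Example Org,C=GB",
    "ou_prefix": "CN=mallory,OU=whateverelse,O=Example Org,C=GB",
    "wrong_org": "CN=bob,OU=whatever,O=Other Org,C=GB",
    # a comma inside a value is backslash-escaped in RFC 2253
    "escaped":   "CN=carol\\, Eng,OU=whatever,O=Example Org,C=GB",
}

# Required attributes for access: every one must match as a whole value.
REQUIRED = {"O": "Example Org", "OU": "whatever"}


def parse_rfc2253(dn):
    """Split an RFC 2253 DN into (ATTR, value) pairs, honouring backslash escapes."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip().upper(), value))
    return pairs


def dn_authorized(dn, required=REQUIRED):
    """True only if each required attribute appears with exactly the expected value."""
    values = {}
    for attr, value in parse_rfc2253(dn):
        values.setdefault(attr, []).append(value)
    return all(expected in values.get(attr, []) for attr, expected in required.items())


# Unanchored pattern, as sketched in the map{} block: a substring match.
LOOSE_OU = re.compile(r"OU=whatever")
# Anchored equivalent: the value must end at a "," separator or at end of string.
STRICT_OU = re.compile(r"(^|,)OU=whatever(,|$)")


def regex_matches(pattern, dn):
    """Mimic nginx map ~regex matching (search anywhere in the variable)."""
    return bool(pattern.search(dn))


if __name__ == "__main__":
    for name, dn in SAMPLE_DNS.items():
        print(f"{name:10} parsed={dn_authorized(dn)} loose={regex_matches(LOOSE_OU, dn)} "
              f"strict={regex_matches(STRICT_OU, dn)}")
```

Written as an nginx map entry the anchored form is `~(^|,)OU=whatever(,|$) 1;`; if the value itself contains a comma it will be escaped in the variable, so an anchored regex still cannot be fooled by a crafted neighbouring RDN.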