Client certificates and check for DN?

Igor A. Ippolitov iippolitov at nginx.com
Wed Feb 28 15:41:29 UTC 2018


Hello.

I'm not sure what you really need, but it looks like you can 
get almost the same result using a combination of map{} blocks and 
conditionals.

Something like this:

# Flag set when the subject DN of the client certificate carries the expected OU
map $ssl_client_s_dn $ou_matched {
     ~OU=whatever 1;
     default 0;
}
# Same for the expected CN
map $ssl_client_s_dn $cn_matched {
     ~CN=whatever 1;
     default 0;
}
# Concatenate both flags; any "0" in the result means one check failed
map $ou_matched$cn_matched $unauthed {
     ~0 1;
     default 0;
}
server {
     ....
     # ssl_verify_client on also expects ssl_client_certificate pointing at the CA bundle
     ssl_trusted_certificate path/to/public/certs;
     ssl_verify_client on;
     if ($unauthed) {return 403;}
}


On 28.02.2018 16:39, rainer at ultra-secure.de wrote:
> Hi,
>
> it seems most examples, even for Apache, assume that the 
> client certificates are issued by your own CA.
> In this case, you just need to check if your certificates were issued 
> by this CA - and if they're not, it's game over.
>
>
> However, I may have a case where the CA is a public CA and the client 
> certificates need to be verified down to the correct O and OU.
>
> How do you do this with nginx?
>
> Something along these lines:
>
> https://www.tbs-certificates.co.uk/FAQ/en/183.html
>
>
> Best Regards
> Rainer
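An added illustration, not part of the thread: the map{} approach above matches the regex anywhere in $ssl_client_s_dn, so an unanchored pattern like ~OU=Engineering also accepts OU=EngineeringContractors. The snippet below emulates nginx's map evaluation (first matching regex wins) over constructed DNs in the RFC 2253 layout nginx uses for that variable (assumed: nginx 1.11.6 or later), comparing the loose check with one that anchors each attribute between separators and also requires the expected O, as the original question asked for. The DN values and the "Example Corp" names are made up.

```python
import re

# Constructed sample DNs in the "CN=...,OU=...,O=...,C=..." form (RFC 2253)
# that nginx exposes as $ssl_client_s_dn (assumed nginx >= 1.11.6 formatting).
SAMPLE_DNS = [
    "CN=alice,OU=Engineering,O=Example Corp,C=US",
    "CN=bob,OU=EngineeringContractors,O=Example Corp,C=US",  # look-alike OU
    "CN=alice,OU=Sales,O=Example Corp,C=US",                  # wrong OU
    "CN=mallory,OU=Engineering,O=Other Corp,C=US",            # right OU, wrong O
]


def nginx_map(value, rules, default):
    """Emulate an nginx map{} block whose keys are ~regex: first match wins."""
    for pattern, result in rules:
        if re.search(pattern, value):
            return result
    return default


def loose_policy(dn):
    """Unanchored OU check, as in '~OU=whatever 1;' from the thread."""
    ou_matched = nginx_map(dn, [(r"OU=Engineering", 1)], 0)
    return ou_matched == 1


def strict_policy(dn):
    """Anchor each attribute to the comma separators and require O as well.

    The nginx equivalents need quoting because of the space:
        "~(^|,)OU=Engineering(,|$)" 1;
        "~(^|,)O=Example Corp(,|$)" 1;
    Caveat: values containing escaped commas (RFC 2253 "\\,") are not handled here.
    """
    ou_matched = nginx_map(dn, [(r"(^|,)OU=Engineering(,|$)", 1)], 0)
    o_matched = nginx_map(dn, [(r"(^|,)O=Example Corp(,|$)", 1)], 0)
    # Mirrors the third map in the thread: concatenate flags, any "0" denies.
    unauthed = nginx_map(f"{ou_matched}{o_matched}", [(r"0", 1)], 0)
    return unauthed == 0


def decisions(policy):
    """Return the allow/deny decision of a policy for every sample DN."""
    return [policy(dn) for dn in SAMPLE_DNS]
```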




More information about the nginx mailing list