Client Certificate subject information

Moshe Katz kohenkatz at gmail.com
Fri Aug 2 05:36:56 UTC 2019


If your application is using a FastCGI or proxy configuration in nginx, you
need to have nginx put the information from the certificate into a FastCGI
parameter or an HTTP header that your application can read.

Use something like `fastcgi_param  DN $ssl_client_s_dn;` for FastCGI or
`proxy_set_header X-ClientCert-DN $ssl_client_s_dn;` for proxy.

This is a good resource I have used in the past for configuring client
certificates:
http://blog.nategood.com/client-side-certificate-authentication-in-ngi

Alternatively, you can pass the entire certificate to your application and
let the application parse it all over again to extract what it wants with
something like this: `proxy_set_header X-SSL-CERT
$ssl_client_escaped_cert`. See here for more about that:
https://serverfault.com/a/629017/105107

On Fri, Aug 2, 2019, 12:24 AM vz19 <nginx-forum at forum.nginx.org> wrote:

> Hi,
>
> My application uses NGINX as its web server and I am adding support for
> client certificate authentication. I have a requirement where after NGINX
> validates the client certificate and provides access to my application, I
> need to obtain the Subject field of the client certificate to parse certain
> certificate details from my application. Is there a way to obtain this
> information from the application level or does this information reside only
> on the NGINX layer? I tried using APIs like ngx_ssl_get_subject_dn from my
> application but that didn't work. Please provide some inputs or point me in
> the right direction if I'm missing something.
>
> Thanks
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?2,285079,285079#msg-285079
>
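
An application-side sketch of the first approach in the reply above, added here as an example and not code from the post or from nginx: it parses the DN string delivered by `proxy_set_header X-ClientCert-DN $ssl_client_s_dn;`, handling the escaped commas, hex escapes and multi-valued RDNs that a plain `split(",")` gets wrong. It assumes the RFC 2253 string form that `$ssl_client_s_dn` produces in current nginx, and that the application is reachable only through nginx, so the header value always comes from nginx; `parse_dn`, `first_value` and the sample DN are constructed for illustration.

```python
import string

# Constructed sample of what the application would read from X-ClientCert-DN.
SAMPLE_DN = r"CN=Jos\C3\A9 Ruiz+UID=jruiz,OU=Engineering,O=Example\, Inc.,C=US"

def parse_dn(dn):
    """Split an RFC 2253 string DN into RDNs: [[(type, value), ...], ...]."""
    rdns, rdn, key, val = [], [], None, bytearray()
    i = 0

    def end_attr():
        nonlocal key, val
        if key is None:
            raise ValueError("attribute without '=' in DN")
        rdn.append((key.strip().upper(), val.decode("utf-8")))
        key, val = None, bytearray()

    while i < len(dn):
        c = dn[i]
        if c == "\\":                      # \, \+ \\ ... or a hex pair such as \C3
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in string.hexdigits for h in pair):
                val.append(int(pair, 16)); i += 3
            elif i + 1 < len(dn):
                val += dn[i + 1].encode("utf-8"); i += 2
            else:
                raise ValueError("dangling backslash in DN")
            continue
        if c == "=" and key is None:       # first unescaped '=' ends the type
            key, val = val.decode("utf-8"), bytearray()
        elif c in ",+":                    # ',' ends an RDN, '+' joins values in one
            end_attr()
            if c == ",":
                rdns.append(rdn); rdn = []
        else:
            val += c.encode("utf-8")
        i += 1
    end_attr()
    rdns.append(rdn)
    return rdns

def first_value(rdns, attr_type):
    """Return the first value of attr_type (e.g. 'CN'), or None if absent."""
    for rdn in rdns:
        for t, v in rdn:
            if t == attr_type:
                return v
    return None

if __name__ == "__main__":
    print(parse_dn(SAMPLE_DN))
```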