Nginx ssl_trusted_certificate directive problem

Maxim Dounin mdounin at
Mon Jun 17 14:07:21 UTC 2019


On Fri, Jun 14, 2019 at 06:09:22AM -0400, niegus wrote:

> Hi,
> I have my nginx configured with client_certificate authentication:
> ssl_client_certificate  /etc/nginx/ssl/cas.pem;
> ssl_verify_client optional; 
> ssl_verify_depth 2;
> And is working fine, but I need to NOT send the CAs to the client during the
> handshake.
> I've seen
> in the documentation. So, I've changed it to:
> ssl_trusted_certificate  /etc/nginx/ssl/cas.pem;
> ssl_verify_depth 2;
> But now ssl_client_verify is always to NONE, and actually I saw in wireshark
> that the client is not sending the certificate.
> What am I doing wrong?

For the client certificate authentication to work, you have to 
configure ssl_verify_client, and ssl_client_certificate with at 
least one certificate (unless you are using "ssl_verify_client 
optional_no_ca;").  Any certificates specified in 
ssl_trusted_certificate will be additionally trusted, but you 
still have to specify at least one certificate in 

Maxim Dounin

More information about the nginx mailing list