Accepting Multiple TLS Client Certificates

Johannes Gehrs johannes.gehrs at moia.io
Mon Jun 24 14:58:48 UTC 2019


Hi,

as per our understanding one can provide a file with multiple certificates
as "ssl_client_certificate". Nginx would then accept any one of the
certificates. However, when we actually provided multiple certificates we
found that only the first one in the list was accepted.

In our test case we provided a chain of two certificates, a root cert and
the client certs signed by this CA. We tried both, concatenating the files
like this: "user1 user2 ca" and like this "user1 ca user2 ca". In all cases
just the first certificate was accepted.

Are we misunderstanding the expected behaviour of nginx, or is this a bug,
or are we maybe doing something wrong?

I will mention that we are using nginx in the nginx-ingress Kubernetes
package. We have tested with a version which uses nginx 1.15.10.

Thank you!
Johannes Gehrs
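
The test layout described in the message can be checked independently of nginx. The following is an added example, not part of the original post: it builds a throwaway CA and two client certificates, concatenates them as "user1 user2 ca", and asks OpenSSL whether each client certificate verifies against that bundle. The names `test-ca`, `bundle.pem` and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, not taken from the original post.
set -eu

# Create a CA ("test-ca") and client certs "user1" and "user2" in directory $1,
# then build bundle.pem in the post's first layout: "user1 user2 ca".
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test-ca" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  for user in user1 user2; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$user" \
      -keyout "$1/$user.key" -out "$1/$user.csr" 2>/dev/null
    openssl x509 -req -in "$1/$user.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
      -CAcreateserial -days 1 -out "$1/$user.crt" 2>/dev/null
  done
  cat "$1/user1.crt" "$1/user2.crt" "$1/ca.crt" > "$1/bundle.pem"
}

# Print one "subject=..." line per certificate found in bundle $1.
# (Line order is not guaranteed to match the order in the file.)
bundle_subjects() {
  openssl crl2pkcs7 -nocrl -certfile "$1" \
    | openssl pkcs7 -print_certs -noout | grep '^subject'
}

# Return 0 if client certificate $2 chains to a certificate in bundle $1.
verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Usage: sh check_bundle.sh run
if [ "${1:-}" = "run" ]; then
  d=$(mktemp -d)
  make_pki "$d"
  bundle_subjects "$d/bundle.pem"
  for u in user1 user2; do
    verifies "$d/bundle.pem" "$d/$u.crt" && echo "$u: verifies against bundle"
  done
fi
```

A certificate with the same subject issued by a different CA does not pass `verifies`, so the check exercises the signature chain and not only the names.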