Client certificate authentication with multiple CA but single CRL

vz19 nginx-forum at
Wed Oct 9 21:55:31 UTC 2019


My current nginx configuration has 3 CAs concatenated into a PEM file called
/etc/ngx_cas. However, only one of these CAs is configured with a CRL which
is stored in /etc/ngx_crls.

        ssl_client_certificate     /etc/ngx_cas;
        ssl_verify_client          strict;
        ssl_crl                          /etc/ngx_crls;

When I make a request using curl, I get a 400 Bad request with SSL
certificate error, even though the client certificate is valid and signed by
one of the 3 CAs recognized by NGINX. This CA does not have a CRL tied to
it. Upon checking logs, this is the error that is thrown:
       2019/10/09 21:40:28 [info] 25610#0: *1 client SSL certificate verify
error: (3:unable to get certificate CRL) while reading client request

However, when I remove the configured CRL from NGINX, the curl request goes
through and authentication is successful.

Is there any limitation on CRLs where if one trustpoint's CRL is configured,
then CRL for all should be configured as well?

Please let me know if I am missing something.


Posted at Nginx Forum:,285834,285834#msg-285834

More information about the nginx mailing list