$ssl_client_escaped_cert does not contain intermediate client certificates

everhardt nginx-forum at forum.nginx.org
Sat Jul 4 09:52:09 UTC 2020

I have the following certificate chain: Root certificate > Intermediate
certificate > End user certificate.

I've set up nginx as an SSL termination proxy for a backend service that
differentiates its actions based on the serial of the intermediate
certificate and the subject of the end user certificate. Only the root
certificate is available at the (nginx) server; the client will present the
intermediate + end user certificate.

Relevant nginx configuration is as follows:

ssl_client_certificate root_cert.pem; # so only the root certificate
ssl_verify_client on;
ssl_verify_depth 2;

proxy_set_header X-Ssl-Client-Escaped-Cert $ssl_client_escaped_cert; # to pass it on to the backend service

Connectivity works great: nginx accepts the request if the client (I'm
testing with curl) presents intermediate + end user certificate and passes
it on to the backend service. If the client presents only one of the
certificates, nginx rightly rejects it. So I'm sure curl shares both
certificates with nginx.

Where it goes wrong is when nginx passes the certificate information to the
backend service. The embedded variable $ssl_client_escaped_cert only seems
to contain the end user certificate and not the intermediate one(s). I did
some logging to check $ssl_client_raw_cert, but that also only contains the
end user certificate.

Is there a way to get the intermediate client certificates included in these
embedded variables?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,288553,288553#msg-288553
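Added example, not the poster's code and not part of nginx: a backend-side decoder for the X-Ssl-Client-Escaped-Cert header that the configuration above sets from $ssl_client_escaped_cert. It unescapes the header, parses every PEM block it finds and reports how many certificates were carried; when only the end user certificate is present (the behaviour the post describes), it identifies the intermediate by looking the leaf's issuer up in KNOWN_INTERMEDIATES, an assumed operator-maintained table of the intermediates the root has issued. The certificates are constructed with a tiny DER encoder so the script runs offline; they have the structure the parser needs but no real key or signature.

```python
# Added example (not the poster's code). Decodes nginx's
# X-Ssl-Client-Escaped-Cert header on the backend. Certificates below are
# constructed (structure only, no real key/signature); KNOWN_INTERMEDIATES
# is an assumed operator table mapping intermediate subject CN -> serial.
import ssl
import urllib.parse

# ---- minimal DER encoder, used only to build sample certificates -----------
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content

def der_int(v):                      # positive INTEGER, minimal encoding
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def der_name(cn):                    # Name with a single commonName RDN
    atv = tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

SHA256_RSA = tlv(0x30, tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))

def fake_cert(serial, issuer_cn, subject_cn):
    """Return a PEM string shaped like an X.509 v3 certificate (constructed)."""
    tbs = tlv(0x30, tlv(0xA0, der_int(2))           # [0] EXPLICIT version v3
                    + der_int(serial)
                    + SHA256_RSA
                    + der_name(issuer_cn)
                    + tlv(0x30, tlv(0x17, b"200101000000Z")
                                + tlv(0x17, b"300101000000Z"))
                    + der_name(subject_cn)
                    + tlv(0x30, b""))                # empty SubjectPublicKeyInfo
    return ssl.DER_cert_to_PEM_cert(tlv(0x30, tbs + SHA256_RSA + tlv(0x03, b"\x00")))

def make_header(*pems):
    """Mimic $ssl_client_escaped_cert: the PEM text, URL-encoded."""
    return urllib.parse.quote("".join(pems), safe="")

# ---- minimal DER reader: enough to pull serial, issuer and subject ----------
def _read(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, val, pos = _read(content, pos)
        out.append((tag, val))
    return out

def _common_name(name_der):
    for _, rdn in _children(name_der):
        for _, atv in _children(rdn):
            oid, val = _children(atv)
            if oid[1] == b"\x55\x04\x03":           # id-at-commonName
                return val[1].decode()
    return None

def parse_cert(der):
    _, cert, _ = _read(der, 0)
    fields = _children(_children(cert)[0][1])       # TBSCertificate fields
    if fields[0][0] == 0xA0:                       # skip optional version
        fields = fields[1:]
    return {"serial": int.from_bytes(fields[0][1], "big"),
            "issuer_cn": _common_name(fields[2][1]),
            "subject_cn": _common_name(fields[4][1])}

def certs_from_header(value):
    """Unescape the header and return the DER of every PEM block in it."""
    pem = urllib.parse.unquote(value)
    end = "-----END CERTIFICATE-----"
    ders = []
    for chunk in pem.split(end)[:-1]:
        start = chunk.find("-----BEGIN CERTIFICATE-----")
        if start >= 0:
            ders.append(ssl.PEM_cert_to_DER_cert(chunk[start:] + end + "\n"))
    return ders

KNOWN_INTERMEDIATES = {"Intermediate CA": 4242}     # constructed table

def classify(header_value, known=KNOWN_INTERMEDIATES):
    """What the backend can derive from the header; chain[0] is the leaf."""
    chain = [parse_cert(d) for d in certs_from_header(header_value)]
    leaf = chain[0]
    if len(chain) > 1:                 # intermediate actually in the header
        inter_serial = chain[1]["serial"]
    else:                              # only the leaf: look its issuer up
        inter_serial = known.get(leaf["issuer_cn"])
    return {"certs_in_header": len(chain), "subject": leaf["subject_cn"],
            "issuer": leaf["issuer_cn"], "intermediate_serial": inter_serial}

def demo():
    # nginx passes only the end user certificate, as the poster observed
    leaf_only = make_header(fake_cert(7, "Intermediate CA", "device-0001"))
    return classify(leaf_only)

if __name__ == "__main__":
    print(demo())
```

The issuer lookup is a table lookup, not a second verification: it is only safe because nginx has already validated the chain up to root_cert.pem before the request reaches the backend, so the backend must accept X-Ssl-Client-Escaped-Cert solely from nginx and never from a client that sets the header itself. If several intermediates share a subject name, key the table on something that distinguishes them in your PKI instead of the CN.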
