OCSP, client certificate verification with chained CA
mdounin at mdounin.ru
Wed Jan 5 14:22:47 UTC 2022
On Tue, Jan 04, 2022 at 11:10:33AM +0000, Marti, Ueli (Marin) wrote:
> i am trying to setup nginx for OCSP client certificate verification and have troubles getting it to work with chained CA's.
> My setup is as follows, all referenced files are in the attached archive.
> - RootCa (pki/root/RootCa*.*): Self signed root CA certificate
> - IntermediateCa (pki/intermediate/IntermediateCa*.*): Intermediate CA certificate signed by RootCa
> - ServerCertificate (pki/intermediate/ ServerCertificate *.*): Server certificate, signed by Intermediate CA
> - IntermediateClientA (pki/intermediate/IntermediateClientA*.*): Intermediate client certificate A, signed by Intermediate CA (password for p12: umtest)
> - IntermediateClientB (pki/intermediate/IntermediateClientB*.*): Intermediate client certificate B, signed by Intermediate CA, REVOKED (password for p12: umtest)
> - IntermediateOcspResponder (pki/intermediate/ IntermediateOcspResponder *.*): Intermediate OCSP responder certificate, extendedKeyUsage=OCSPSigning, signed by Intermediate CA
> - nginx 1.20.2 runs on a Manjaro virtual machine
> - openssl ocsp responder runs on the same Manjaro box, port 8080 (started with pki/startOcspResponder.sh):
> openssl ocsp -index intermediate/index.txt -port 8080 -rsigner intermediate/IntermediateOcspResponderCert.pem -rkey intermediate/IntermediateOcspResponderKey.pem -CA intermediate/IntermediateChainCaCert.pem -text &
> nginx mTls configuration is as follows (full nginx.conf attached):
> ssl_ocsp on;
> ssl_verify_client on;
> ssl_client_certificate /etc/nginx/pki/intermediate/IntermediateChainCaCert.pem;
> ssl_ocsp_responder http://127.0.0.1:8080;
> ssl_verify_depth 2;
> I am trying to connect from Chrome, running on the Windows host, using alternatively Client A/B certificates.
> With the above configuration, connection with Client A fails, which is NOT expected, Client A should be able to connect.
> nginx error.log indicates:
> 2022/01/04 10:06:29 [error] 2920#2920: *4 OCSP_basic_verify() failed (SSL: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted) while requesting certificate status, responder: 127.0.0.1, peer: 127.0.0.1:8080
> Connection with Client B fails too, this is expected as Client B certificate is revoked,
> nginx error.log indicates:
> 2022/01/04 10:06:42 [info] 2920#2920: *14 client SSL certificate verify error: certificate revoked while reading client request headers, client: 192.168.1.115, server: localhost, request: "GET / HTTP/1.1", host: "192.168.1.110"
> when changing nginx configuration to:
> ssl_ocsp leaf;
> everything works as expected, Client A can connect, Client B not.
So the OCSP check of the intermediate CA certificate is not
working. Given you only have one OCSP responder running, which is
only capable of signing responses for the intermediate CA, this
looks like an expected result. Have you tried to also run OCSP
responder for the root CA, so the intermediate CA certificate can
More information about the nginx