OCSP, client certificate verification with chained CA

Maxim Dounin mdounin at mdounin.ru
Wed Jan 5 14:22:47 UTC 2022


Hello!

On Tue, Jan 04, 2022 at 11:10:33AM +0000, Marti, Ueli (Marin) wrote:

> Hi,
> i am trying to setup nginx for OCSP client certificate verification and have troubles getting it to work with chained CA's.
> My setup is as follows, all referenced files are in the attached archive.
> - RootCa (pki/root/RootCa*.*): Self signed root CA certificate
> - IntermediateCa (pki/intermediate/IntermediateCa*.*): Intermediate CA certificate signed by RootCa
> - ServerCertificate (pki/intermediate/ ServerCertificate *.*): Server certificate, signed by Intermediate CA
> - IntermediateClientA (pki/intermediate/IntermediateClientA*.*): Intermediate client certificate A, signed by Intermediate CA (password for p12: umtest)
> - IntermediateClientB (pki/intermediate/IntermediateClientB*.*): Intermediate client certificate B, signed by Intermediate CA, REVOKED (password for p12: umtest)
> - IntermediateOcspResponder (pki/intermediate/ IntermediateOcspResponder *.*): Intermediate OCSP responder certificate, extendedKeyUsage=OCSPSigning, signed by Intermediate CA
> 
> - nginx 1.20.2 runs on a Manjaro virtual machine
> - openssl ocsp responder runs on the same Manjaro box, port 8080 (started with pki/startOcspResponder.sh):
>   openssl ocsp -index intermediate/index.txt -port 8080 -rsigner intermediate/IntermediateOcspResponderCert.pem -rkey intermediate/IntermediateOcspResponderKey.pem -CA intermediate/IntermediateChainCaCert.pem -text &
> 
> nginx mTls configuration is as follows (full nginx.conf attached):
>         ssl_ocsp on;
>         ssl_verify_client on;
>         ssl_client_certificate /etc/nginx/pki/intermediate/IntermediateChainCaCert.pem;
>         ssl_ocsp_responder http://127.0.0.1:8080;
>         ssl_verify_depth 2;
> 
> I am trying to connect from Chrome, running on the Windows host, using alternatively Client A/B certificates.
> 
> With the above configuration, connection with Client A fails, which is NOT expected, Client A should be able to connect.
> nginx error.log indicates:
> 2022/01/04 10:06:29 [error] 2920#2920: *4 OCSP_basic_verify() failed (SSL: error:27069070:OCSP routines:OCSP_basic_verify:root ca not trusted) while requesting certificate status, responder: 127.0.0.1, peer: 127.0.0.1:8080
> 
> Connection with Client B fails too, this is expected as Client B certificate is revoked,
> nginx error.log indicates:
> 2022/01/04 10:06:42 [info] 2920#2920: *14 client SSL certificate verify error: certificate revoked while reading client request headers, client: 192.168.1.115, server: localhost, request: "GET / HTTP/1.1", host: "192.168.1.110"
> 
> when changing nginx configuration to:
>         ssl_ocsp leaf;
> everything works as expected, Client A can connect, Client B not.

So the OCSP check of the intermediate CA certificate is not 
working.  Given you only have one OCSP responder running, which is 
only capable of signing responses for the intermediate CA, this 
looks like an expected result.  Have you tried to also run OCSP 
responder for the root CA, so the intermediate CA certificate can 
be checked?

[...]

-- 
Maxim Dounin
http://mdounin.ru/


More information about the nginx mailing list