OCSP, client certificate verification with chained CA

Marti, Ueli (Marin) Ueli.Marti at ch.glory-global.com
Wed Jan 5 15:33:29 UTC 2022

Ok, good point thanks.
However, it seems nginx accepts only one ssl_ocsp_responder instance. Or is there a syntax to specify multiple instances ?
So this would need to be solved on the responder side which would need to be able to handle multiple CAs. Openssl ocsp doesn't seem to support that.

Any chance for nginx to support multiple ssl_ocsp_responder instances in the future ?

-----Original Message-----
From: nginx <nginx-bounces at nginx.org> On Behalf Of Maxim Dounin
Sent: Wednesday, January 5, 2022 3:23 PM
To: nginx at nginx.org
Subject: Re: OCSP, client certificate verification with chained CA


On Tue, Jan 04, 2022 at 11:10:33AM +0000, Marti, Ueli (Marin) wrote:

> Hi,
> i am trying to setup nginx for OCSP client certificate verification and have troubles getting it to work with chained CA's.
> My setup is as follows, all referenced files are in the attached archive.
> - RootCa (pki/root/RootCa*.*): Self signed root CA certificate
> - IntermediateCa (pki/intermediate/IntermediateCa*.*): Intermediate CA
> certificate signed by RootCa
> - ServerCertificate (pki/intermediate/ ServerCertificate *.*): Server
> certificate, signed by Intermediate CA
> - IntermediateClientA (pki/intermediate/IntermediateClientA*.*):
> Intermediate client certificate A, signed by Intermediate CA (password
> for p12: umtest)
> - IntermediateClientB (pki/intermediate/IntermediateClientB*.*):
> Intermediate client certificate B, signed by Intermediate CA, REVOKED
> (password for p12: umtest)
> - IntermediateOcspResponder (pki/intermediate/
> IntermediateOcspResponder *.*): Intermediate OCSP responder
> certificate, extendedKeyUsage=OCSPSigning, signed by Intermediate CA
> - nginx 1.20.2 runs on a Manjaro virtual machine
> - openssl ocsp responder runs on the same Manjaro box, port 8080 (started with pki/startOcspResponder.sh):
>   openssl ocsp -index intermediate/index.txt -port 8080 -rsigner
> intermediate/IntermediateOcspResponderCert.pem -rkey
> intermediate/IntermediateOcspResponderKey.pem -CA
> intermediate/IntermediateChainCaCert.pem -text &
> nginx mTls configuration is as follows (full nginx.conf attached):
>         ssl_ocsp on;
>         ssl_verify_client on;
>         ssl_client_certificate /etc/nginx/pki/intermediate/IntermediateChainCaCert.pem;
>         ssl_ocsp_responder https://eur02.safelinks.protection.outlook.com/?url=http%3A%2F%2F127.0.0.1%3A8080%2F&data=04%7C01%7Cueli.marti%40ch.glory-global.com%7C8afad579295e49b6b7b708d9d056e7bb%7C28825646ef414c9bb69e305d76fc24e5%7C0%7C0%7C637769893946036936%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=QTMzgw76b3PMrRpoWUXozv2UH1%2FO40A2KkJ1h5btsyQ%3D&reserved=0;
>         ssl_verify_depth 2;
> I am trying to connect from Chrome, running on the Windows host, using alternatively Client A/B certificates.
> With the above configuration, connection with Client A fails, which is NOT expected, Client A should be able to connect.
> nginx error.log indicates:
> 2022/01/04 10:06:29 [error] 2920#2920: *4 OCSP_basic_verify() failed
> (SSL: error:27069070:OCSP routines:OCSP_basic_verify:root ca not
> trusted) while requesting certificate status, responder:,
> peer:
> Connection with Client B fails too, this is expected as Client B
> certificate is revoked, nginx error.log indicates:
> 2022/01/04 10:06:42 [info] 2920#2920: *14 client SSL certificate verify error: certificate revoked while reading client request headers, client:, server: localhost, request: "GET / HTTP/1.1", host: ""
> when changing nginx configuration to:
>         ssl_ocsp leaf;
> everything works as expected, Client A can connect, Client B not.

So the OCSP check of the intermediate CA certificate is not working.  Given you only have one OCSP responder running, which is only capable of signing responses for the intermediate CA, this looks like an expected result.  Have you tried to also run OCSP responder for the root CA, so the intermediate CA certificate can be checked?


Maxim Dounin
nginx mailing list
nginx at nginx.org
This e-mail and any files attached are strictly confidential, may be legally privileged and are intended solely for the addressee. If you are not the intended recipient please notify the sender immediately by return email and then delete the e-mail and any attachments immediately. The views and or opinions expressed in this e-mail are not necessarily the views of Glory Ltd, Glory Global Solutions Limited or any of their subsidiaries or affiliates and the GLORY Group of companies, their directors, officers and employees make no representation about and accept no liability for its accuracy or completeness. You should ensure that you have adequate virus protection as the GLORY Group of companies do not accept liability for any viruses. Glory Global Solutions Limited Registered No. 07945417 and Glory Global Solutions (International) Limited Registered No 6569621 are both registered in England and Wales with their registered office at: Infinity View, 1 Hazelwood, Lime Tree Way, Chineham, Basingstoke, Hampshire RG24 8WZ, United Kingdom
nginx mailing list
nginx at nginx.org

More information about the nginx mailing list