client certificate to upstream via nginx

Maxim Dounin mdounin at
Wed Mar 29 21:39:33 UTC 2023


On Wed, Mar 29, 2023 at 01:13:10PM +0530, Vishwas Bm wrote:

> We have a client certificate in pem format and it is having below content
> and all these certificates are present in a single file.
> serverCertificate -> intermediate CA -> rootCA
> Now in the nginx.conf have below directives set:


> *  proxy_set_header ssl-client-cert $ssl_client_escaped_cert; *


> So based on above only the client certificate is sent to the upstream
> server but our expectation was that the complete pem contents including all
> the 3 certs (client, intermediate and root) will be sent to the backend.
> Is our expectation correct or wrong ?
> Any change has to be done to handle this ?

I've already replied in the ticket #2476, which I assume is 
created by you (  For 
the record:

The $ssl_client_escaped_cert variable is expected to contain only 
the client certificate, and not the additional/extra certificates 
sent by the client.  This matches the behaviour you are seeing.

Further, it is not generally possible to provide a variable with 
extra certificates sent by the client: these certificates are not 
saved into the session data and therefore not available in resumed 
SSL sessions, see ticket #2297 
( and here:

Summing the above, it might be a good idea to reconsider the setup 
you are using.

Hope this helps.

Maxim Dounin

More information about the nginx mailing list