Welcome! Log In Create A New Profile

Re: Does Nginx allow to specify multiple root certificates for client certificate verification?

Forum List Message List New Topic Print View

Maxim Dounin

July 31, 2012 12:50PM

Hello!

On Tue, Jul 31, 2012 at 11:21:26AM -0400, ffeldhaus wrote:

> Hi,
>
> Maxim Dounin Wrote:
> >
> > Hello!
> >
> > On Tue, Jul 31, 2012 at 05:43:31AM -0400,
> > ffeldhaus wrote:
> >
> > > For a project as part of the European Grid
> > Infrastructure (EGI) we need
> > > SSL client certificate verification for a
> > service running on nginx. As
> > > there are several root CAs allowed within EGI,
> > we need nginx to check
> > > them all during client certificate validation.
> > In the documentation of
> > > nginx I could only find the parameter
> > ssl_client_certificate which
> > > allows to specify just one file containing a
> > root certificate.
> > >
> > > Is there a way to specify more than one root CA
> > for client certificate
> > > verification in nginx or do I have to use Apache
> > for this?
> >
> > Yes. Just put multiple root CA certificates into
> > a file specified
> > in the ssl_client_certificate directive.
> >
> > Note the docs explicitly say "certificates"
> > (plural), see
> > http://nginx.org/r/ssl_client_certificate.
>
> I had hoped there would be another way. Putting the currently 105
> certificates in one file may work, but the problem is, that the
> certificates may change and with 105 CA certificates at the moment the
> chance that a certificate is updated/revoked is not negligible anymore.

If CA certificate is updated/revoked it probably needs some double
checking by a human anyway. Updating the file and asking nginx to
reload it's config isn't going to be a big deal then.

> I could write a cron job to update the single certificate file after
> each update, but it would be much easier if nginx would support multiple
> CA certificate files out of the box. For Apache there is a directive
> called SSLCACertificatePath to do just this. Do you think this could be
> a feature worth implementing in Nginx? If so, how could I help?

"Certificate file" vs "certificate path" difference isn't about
running something after updates of certificates or not (in both
cases you have to update something, either cat to a single file or
the c_rehash script to create symbolic links in case of CApath).
The difference is about certificates in memory vs. certficates on
disk, and the later implies syscalls and disk access on each
certificate check.

As nginx is designed to work under high loads, with many requests
(and handshakes) per second, it uses CAfile variant. And as nginx
configuration reload is seamless, it's unlikely the CApath variant
will add any extra value.

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Reply Quote

RSS

Subject	Author	Posted
Does Nginx allow to specify multiple root certificates for client certificate verification?	ffeldhaus	July 31, 2012 05:43AM
Re: Does Nginx allow to specify multiple root certificates for client certificate verification?	Maxim Dounin	July 31, 2012 06:48AM
Re: Does Nginx allow to specify multiple root certificates for client certificate verification?	ffeldhaus	July 31, 2012 11:21AM
Re: Does Nginx allow to specify multiple root certificates for client certificate verification?	Maxim Dounin	July 31, 2012 12:50PM
Re: Does Nginx allow to specify multiple root certificates for client certificate verification?	ffeldhaus	August 10, 2012 05:28AM

Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 245

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018