client certificates with more than one ca

Posted by ege, August 12, 2010 03:01AM
Hello,

I use nginx as a proxy server for some clusters and a lot of virtual hosts. Now we plan to offer client authentication through client certificates. I wonder how I can use different CA certificates for each vhost, or another way to ensure that the given client certificate is valid for a specific vhost. What I mean: how can I ensure that the correct CA is used for the client certificate, to avoid faked information through another included CA?

If I configure it directly in nginx.conf, the client certificate is checked:

    [...]
    http {
        include vhost_ssl.conf;
        ssl_client_certificate /usr/local/nginx/ssl/public/ca_test.pem;
        ssl_verify_client optional;
        [...]

but if I set it in the excluded vhost_ssl.conf, it seems it doesn't get recognized:

    server {
        listen 443;
        server_name ~^ege.example.com$ ;
        ssl on;
        [...]
        ssl_client_certificate /usr/local/nginx/ssl/public/ca_test.pem;
        ssl_verify_client optional;
        [...]
    }

Kind regards,

Erik
Re: client certificates with more than one ca
Posted by ege, August 25, 2010 08:50AM

I have to answer my own question. Vhosts are only known after the SSL handshake and therefore after the client certificate check. Now I'm using a bundle of all the CAs I need. After the certificate is verified successfully, I additionally check whether it has a valid issuer (of the verified certificate) for this vhost (on the specific vhost/application).
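One way to express the approach from the reply above in nginx itself, as an added example (not the poster's configuration): a single CA bundle for the handshake, then a per-vhost issuer check using the $ssl_client_verify and $ssl_client_i_dn variables. The bundle path, host names, issuer DNs and backend are assumptions.

```nginx
http {
    # Assumption: ca_bundle.pem is the concatenation of every CA any vhost accepts.
    # The handshake happens before the vhost is known, so this is the only place
    # where the CA list can be set; every bundled CA passes the chain check.
    ssl_client_certificate /usr/local/nginx/ssl/public/ca_bundle.pem;
    ssl_verify_client optional;

    # Map the issuer DN of the presented certificate to the vhost allowed to accept it.
    # The DN format depends on the nginx version (RFC 2253 "CN=...,O=...,C=..." in
    # newer releases, "/C=.../O=.../CN=..." in older ones); adjust the keys to match
    # the output of $ssl_client_i_dn on the running version. Sample DNs are constructed.
    map $ssl_client_i_dn $client_ca_vhost {
        default                           "";
        "CN=ege CA,O=Example,C=DE"        "ege.example.com";
        "CN=other CA,O=Example,C=DE"      "other.example.com";
    }

    server {
        listen 443 ssl;
        server_name ege.example.com;

        location / {
            # Chain verification against the bundle must have succeeded ...
            if ($ssl_client_verify != SUCCESS) { return 403; }
            # ... and the issuing CA must be the one assigned to this vhost,
            # otherwise a certificate from another bundled CA would be accepted here.
            if ($client_ca_vhost != $host) { return 403; }
            proxy_pass http://backend;   # assumed upstream name
        }
    }
}
```

If client certificates are issued by an intermediate CA, $ssl_client_i_dn carries the intermediate's DN, so the map keys must name the intermediate rather than the root.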