

Re: How to load a TRUSTED Client CA

Maxim Dounin
January 07, 2012 06:12PM

On Fri, Jan 06, 2012 at 10:12:20PM -0500, speedfirst wrote:

> I need to specify a CA file to "ssl_client_certificate" directive. This
> crt is generated by openssl x509 command with "-trustout" parameter, so
> starts with "----BEGIN TRUSTED CERTIFICATE-----", rather than common
> "-----BEGIN CERTIFICATE-----".
> Nginx will report error:
> PEM routines:PEM_read_bio:no start line
> Internally, nginx uses openssl's API "SSL_load_client_CA_file()" to load
> the cert and report this error.
> So is it a bug, expected, or did I misconfigure something?

I suspect this is the result of the whole trust thing being
experimental in OpenSSL.

OpenSSL's s_server sample server won't load such certificates
either. It uses the same SSL_load_client_CA_file() function to
handle the -CAfile argument. Note, though, that it won't complain, as
it lacks error checking after the call; you should explicitly test
whether it was loaded by checking the CA names list on connect. On
the other hand, "openssl verify" is able to handle such certs, so
it's probably expected to work. You may try asking OpenSSL's guys
for details.

The easiest solution is probably to convert the cert to a normal one;
something like this will do the trick:

$ openssl x509 -in trusted.cert.pem -clrtrust -out normal.cert.pem

Maxim Dounin
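An added example, not part of the original thread: a small stdlib-only Python script that does the same clean-up as the openssl x509 -clrtrust command above, and doubles as a pre-reload check of an ssl_client_certificate file. It relies on the layout OpenSSL uses for a TRUSTED CERTIFICATE block (the certificate's DER followed immediately by the X509_CERT_AUX trust data): it keeps only the leading certificate SEQUENCE and re-emits it under the plain CERTIFICATE label nginx's loader accepts. Function names are mine, and the DER used in the self-check is a constructed stub, not a real certificate.

```python
"""Rewrite 'TRUSTED CERTIFICATE' PEM blocks as plain 'CERTIFICATE' blocks.

OpenSSL's x509 -trustout writes each certificate as its DER encoding followed
by an X509_CERT_AUX structure holding the trust settings. nginx loads the
ssl_client_certificate file with SSL_load_client_CA_file(), which only accepts
the plain CERTIFICATE label, so a trusted bundle fails with
"PEM routines:PEM_read_bio:no start line". This script (an added example,
not nginx or OpenSSL code) strips the aux data and the TRUSTED label.
"""
import base64
import re
import sys

# One PEM block: label, base64 body, matching END line.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[^-]+)-----\s*(?P<body>.*?)\s*-----END (?P=label)-----",
    re.DOTALL,
)


def der_element_length(der: bytes) -> int:
    """Total size (tag + length octets + value) of the first DER element."""
    if len(der) < 2:
        raise ValueError("truncated DER")
    first = der[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def strip_trust_aux(der: bytes) -> bytes:
    """Keep only the leading Certificate SEQUENCE; drop the trailing CERT_AUX."""
    if not der or der[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE (Certificate)")
    return der[: der_element_length(der)]


def pem_blocks(text: str):
    """Return [(label, der_bytes), ...] for every PEM block in text."""
    return [
        (m.group("label"), base64.b64decode("".join(m.group("body").split())))
        for m in PEM_RE.finditer(text)
    ]


def pem_labels(text: str):
    """Labels only, handy for checking a bundle before 'nginx -s reload'."""
    return [label for label, _ in pem_blocks(text)]


def to_pem(label: str, der: bytes) -> str:
    """Encode der as a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def normalize_pem(text: str) -> str:
    """Rewrite every TRUSTED CERTIFICATE block as CERTIFICATE; others pass through."""
    out = []
    for label, der in pem_blocks(text):
        if label == "TRUSTED CERTIFICATE":
            der = strip_trust_aux(der)
            label = "CERTIFICATE"
        out.append(to_pem(label, der))
    return "".join(out)


if __name__ == "__main__":
    # Usage: python normalize_pem.py trusted.cert.pem > normal.cert.pem
    with open(sys.argv[1], encoding="ascii") as fh:
        src = fh.read()
    offending = [l for l in pem_labels(src) if l != "CERTIFICATE"]
    if offending:
        print(f"rewriting {len(offending)} non-CERTIFICATE block(s): {offending}",
              file=sys.stderr)
    sys.stdout.write(normalize_pem(src))
```

Running it over the bundle before reloading nginx tells you on stderr whether any block would have tripped the "no start line" error, and the converted output on stdout is what goes into ssl_client_certificate. Existing plain CERTIFICATE blocks are re-emitted byte-for-byte identical in content, so the script is safe to run on an already-clean file.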
