Welcome! Log In Create A New Profile

Advanced

Re: How to load a TRUSTED Client CA

Maxim Dounin
January 07, 2012 06:12PM
Hello!

On Fri, Jan 06, 2012 at 10:12:20PM -0500, speedfirst wrote:

> I need to specify a CA file to "ssl_client_certificate" directive. This
> crt is generated by openssl x509 command with "-trustout" parameter, so
> starts with "----BEGIN TRUSTED CERTIFICATE-----", rather than common
> "-----BEGIN CERTIFICATE-----".
>
> Nginx will report error:
> PEM routines:PEM_read_bio:no start line
>
> Internally, nginx uses openssl's API "SSL_load_client_CA_file()" to load
> the cert and report this error.
>
> So it's a bug, expected or I mis-configure somewhere?

I suspect this is the result of the whole trust thing being
experimental in OpenSSL.

OpenSSL's s_server sample server won't load such certificates as
well. It uses the same SSL_load_client_CA_file() function to
handle -CAfile argument. Note though that it won't complain as it
lacks error checking after the call, you should explicitly test
whether it was loaded by checking CA names list on connect. On
the other hand, "openssl verify" is able to handle such certs, so
it's probably expected to work. You may try asking OpenSSL's guys
for details.

Easiest solution probably is to convert the cert to a normal one,
something like this will do the trick:

$ openssl x509 -in trusted.cert.pem -clrtrust -out normal.cert.pem

Maxim Dounin

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Subject Author Posted

How to load a TRUSTED Client CA

speedfirst January 06, 2012 10:12PM

Re: How to load a TRUSTED Client CA

Maxim Dounin January 07, 2012 06:12PM



Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 111
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready