nginx client authentication with 2 intermediate CAs

February 29, 2016 01:18PM
I'm trying to get nginx to verify a client certificate issued through the following chain, with a self-signed root: Root CA => Signing CA => Subordinate CA => Client cert.

I installed root_CA.crt on the server, and on the client side, the certs are concatenated with cat client.crt subordinate_CA.crt signing_CA.crt > cert-chain.pem. My nginx setting looks like this:

ssl_client_certificate /path/to/root_CA.crt;
ssl_verify_client on;
ssl_verify_depth 3;

I tried to connect with curl -k server.url:443 --cert cert-chain.pem but it gives me the error curl: (35) error reading X.509 key or certificate file. If I try that with --key client.key then it gives me 400 Bad Request. I also tried to test with openssl s_client and the result is similar.

I've verified that the nginx setting works if I have no intermediate CA, i.e., Root CA => Client cert. It also works if my intermediate CA certs are installed on the server and only the leaf cert is on the client side. However, in our case, the Signing CA and Subordinate CA certs cannot be installed on the server ahead of time. Any idea what to try next?

hatlam February 29, 2016 01:18PM
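
Added example, not part of the original post: a shell check that builds a throwaway chain of the same shape and confirms with openssl verify that the client certificate validates against the root alone only when both intermediates are supplied as untrusted certificates, which helps separate a chain problem from an nginx or curl problem. All keys and certificates are constructed test data; the function names and the pki.cnf file are assumptions of this example.

```shell
#!/bin/sh
# Constructed throwaway PKI mirroring the post's chain (all names and keys are test data):
# Root CA => Signing CA => Subordinate CA => client cert.
set -eu

issue() {  # $1=dir  $2=new cert name  $3=issuer name  $4=extension section (ca|leaf)
  openssl req -new -config "$1/pki.cnf" -newkey rsa:2048 -nodes \
    -keyout "$1/$2.key" -out "$1/$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
    -CAcreateserial -days 1 -extfile "$1/pki.cnf" -extensions "$4" \
    -out "$1/$2.crt" 2>/dev/null
}

make_chain() {  # $1 = empty working directory
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    '[leaf]' 'basicConstraints=critical,CA:FALSE' > "$1/pki.cnf"
  openssl req -x509 -config "$1/pki.cnf" -extensions ca -newkey rsa:2048 -nodes \
    -keyout "$1/root_CA.key" -out "$1/root_CA.crt" -subj "/CN=root_CA" -days 1 2>/dev/null
  issue "$1" signing_CA root_CA ca
  issue "$1" subordinate_CA signing_CA ca
  issue "$1" client subordinate_CA leaf
  # Same concatenation as in the post: leaf first, then each issuer in turn.
  cat "$1/client.crt" "$1/subordinate_CA.crt" "$1/signing_CA.crt" > "$1/cert-chain.pem"
}

verify_with_intermediates() {  # trust anchor is the root only; intermediates are untrusted input
  cat "$1/subordinate_CA.crt" "$1/signing_CA.crt" > "$1/intermediates.pem"
  openssl verify -CAfile "$1/root_CA.crt" -untrusted "$1/intermediates.pem" "$1/client.crt"
}

verify_leaf_only() {  # what a verifier sees if the intermediates never arrive
  openssl verify -CAfile "$1/root_CA.crt" "$1/client.crt" >/dev/null 2>&1
}

count_in_chain() {  # $1=dir  $2=PEM label, e.g. CERTIFICATE or 'PRIVATE KEY'
  grep -c -- "-BEGIN .*$2-" "$1/cert-chain.pem" || true
}

d=$(mktemp -d)
make_chain "$d"
verify_with_intermediates "$d"
verify_leaf_only "$d" || echo "leaf alone does not verify against the root"
echo "certificates in cert-chain.pem: $(count_in_chain "$d" CERTIFICATE)"
echo "private keys in cert-chain.pem: $(count_in_chain "$d" 'PRIVATE KEY')"
rm -rf "$d"
```

The key count of 0 shows that a file concatenated this way carries no private key, so curl needs the key either in that file or via --key alongside --cert.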


