October 09, 2019 05:55PM

My current nginx configuration has 3 CAs concatenated into a PEM file called /etc/ngx_cas. However, only one of these CAs is configured with a CRL which is stored in /etc/ngx_crls.

ssl_client_certificate /etc/ngx_cas;
ssl_verify_client strict;
ssl_crl /etc/ngx_crls;

When I make a request using curl, I get a 400 Bad request with SSL certificate error, even though the client certificate is valid and signed by one of the 3 CAs recognized by NGINX. This CA does not have a CRL tied to it. Upon checking logs, this is the error that is thrown:
2019/10/09 21:40:28 [info] 25610#0: *1 client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers,

However, when I remove the configured CRL from NGINX, the curl request goes through and authentication is successful.

Is there any limitation on CRLs where if one trustpoint's CRL is configured, then CRL for all should be configured as well?

Please let me know if I am missing something.
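Added example, not part of the original post and not nginx's own code: once ssl_crl is set, nginx enables OpenSSL CRL checking for the whole chain (X509_V_FLAG_CRL_CHECK plus X509_V_FLAG_CRL_CHECK_ALL), so a client certificate issued by a CA that has no CRL in that file fails with error 3. The script below reproduces this with `openssl verify -crl_check_all` and shows that the error clears when every trusted CA contributes a CRL, even an empty one. The CA names, file names and throwaway PKI are constructed for the example.

```shell
#!/bin/sh
# Constructed throwaway PKI: CAs "A" and "B", client cert signed by B (all names made up).
make_ca() {  # $1 = CA name; writes $1.key, $1.crt and an empty CRL $1.crl
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example CA $1" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null || return 1
    : > "$1.index"                     # empty CA database: nothing revoked
    cat > "$1.cnf" <<EOF
[ca]
default_ca = this_ca
[this_ca]
database = ./$1.index
default_md = sha256
default_crl_days = 2
EOF
    openssl ca -config "$1.cnf" -gencrl -keyfile "$1.key" -cert "$1.crt" \
        -out "$1.crl" 2>/dev/null
}

build_pki() {  # $1 = empty work directory (the shell stays in it afterwards)
    cd "$1" || return 1
    make_ca A || return 1
    make_ca B || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=client" \
        -keyout client.key -out client.csr 2>/dev/null || return 1
    openssl x509 -req -in client.csr -CA B.crt -CAkey B.key -CAcreateserial \
        -days 2 -out client.crt 2>/dev/null || return 1
    cat A.crt B.crt > cas.pem          # plays the role of ssl_client_certificate
    cat A.crl > crls_partial.pem       # CRL for CA A only, as in the post
    cat A.crl B.crl > crls_full.pem    # one CRL per trusted CA
}

# Prints "ok" or the verify error for client.crt checked against a CRL bundle.
check_client() {  # $1 = CRL bundle (plays the role of ssl_crl)
    out=$(openssl verify -crl_check_all -CAfile cas.pem -CRLfile "$1" \
        client.crt 2>&1) || true
    case $out in
        *"unable to get certificate CRL"*) echo "unable to get certificate CRL" ;;
        *": OK"*) echo "ok" ;;
        *) echo "other: $out" ;;
    esac
}

build_pki "$(mktemp -d)" || exit 1
echo "CRL for CA A only: $(check_client crls_partial.pem)"
echo "CRL for every CA:  $(check_client crls_full.pem)"
```

For the configuration in the post, the equivalent is to append a current CRL from each of the other two CAs to /etc/ngx_crls and to refresh all of them before their nextUpdate time.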

Subject Author Posted

Client certificate authentication with multiple CA but single CRL

vz19 October 09, 2019 05:55PM

Re: Client certificate authentication with multiple CA but single CRL

Maxim Dounin October 10, 2019 05:00AM
