$ssl_client_escaped_cert does not contain intermediate client certificates

July 04, 2020 05:52AM
I have the following certificate chain: Root certificate > Intermediate certificate > End user certificate.

I've set up nginx as an SSL termination proxy for a backend service that differentiates its actions based on the serial of the intermediate certificate and the subject of the end user certificate. Only the root certificate is available at the (nginx) server, the client will present the intermediate + end user certificate.

Relevant nginx configuration is as follows:

ssl_client_certificate root_cert.pem; # so only the root certificate
ssl_verify_client on;
ssl_verify_depth 2;

proxy_set_header X-Ssl-Client-Escaped-Cert $ssl_client_escaped_cert; # to pass it on to the backend service

Connectivity works great: nginx accepts the request if the client (I'm testing with curl) presents intermediate + end user certificate and passes it on to the backend service. If the client presents only one of the certificates, nginx rightly rejects it. So I'm sure curl shares both certificates with nginx.

Where it goes wrong, is when nginx passes the certificate information to the backend service. The embedded variable $ssl_client_escaped_cert only seems to contain the end user certificate and not the intermediate one(s). I did some logging to check $ssl_client_raw_cert, but that also only contains the end user certificate.

Is there a way to get the intermediate client certificates included in these embedded variables?

everhardt July 04, 2020 05:52AM
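
Added example, not part of the original post or of nginx: one way for the backend to check what the X-Ssl-Client-Escaped-Cert header actually carries, by percent-decoding it, splitting the PEM blocks and reading each certificate's serial number. All function names are hypothetical, and the sample inputs are constructed DER skeletons, not real certificates.

```python
import base64
import re
from urllib.parse import quote, unquote

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def cert_serial(der):
    """Hex serialNumber of a DER-encoded X.509 certificate."""
    _, start, _ = _read_tlv(der, 0)       # Certificate ::= SEQUENCE
    _, start, _ = _read_tlv(der, start)   # tbsCertificate ::= SEQUENCE
    tag, vstart, vend = _read_tlv(der, start)
    if tag == 0xA0:                       # optional [0] EXPLICIT version
        tag, vstart, vend = _read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return der[vstart:vend].hex()

def serials_in_header(value):
    """Serial of every certificate in an X-Ssl-Client-Escaped-Cert value."""
    pem = unquote(value)  # the header value is percent-encoded PEM text
    return [cert_serial(base64.b64decode(b)) for b in PEM_RE.findall(pem)]

# --- constructed sample data: DER skeletons, not valid certificates ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length is enough here

def sample_pem(serial):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, serial))
    b64 = base64.encodebytes(_der(0x30, tbs)).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    leaf, intermediate = sample_pem(b"\x10\x01"), sample_pem(b"\x20\x02")
    print(serials_in_header(quote(leaf, safe="")))
    print(serials_in_header(quote(leaf + intermediate, safe="")))
```

With the behaviour described in the post, the returned list has a single entry (the end user certificate), so a backend that needs the intermediate's serial can detect its absence instead of misreading the leaf's serial.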