Can I install and configure nginx to use a "public"/global CA's SSL Certificate like Verisign, AND force (require) the use of client SSL certificates, AND allow those client/browser-certificates to be from a different CA/root? For example, openca or some self-signed setup that I use to just distribute client certificates to my registered users? Let me know if I am not asking the question correctly. Thanks, AJ
on 2012-10-10 20:15
on 2012-10-10 23:17
I think I might have found my answer to this. I can generate my own (or use any different) CA and add that in ssl_client_certificate <path>; And then set ssl_verify_client on; This appears to work in initial testing. So my follow-up is: 1) Does this sound like the way to make my original question work? 2) Can I revoke certificates, and will nginx check a revocation list of some kind? Thanks again, AJ
on 2012-10-11 00:52
Hello!

On Wed, Oct 10, 2012 at 05:16:12PM -0400, AJ Weber wrote:

> I think I might have found my answer to this.
>
> I can generate my own (or use any different) CA and add that in
> ssl_client_certificate <path>;
> And then set ssl_verify_client on;
>
> This appears to work in initial testing. So my follow-up is:
> 1) Does this sound like the way to make my original question work?

Yes.

> 2) Can I revoke certificates, and will nginx check a revocation list
> of some kind?

http://nginx.org/r/ssl_crl

--
Maxim Dounin
http://nginx.com/support.html
on 2012-10-11 17:36
I didn't double-check yet, but it looks like if I set this up, and the client does not have a client-side certificate, nginx is returning either a 400 (or more likely a 403)? Is there any way I can be entirely "rude" and re-map the return code if you do not have a client certificate to 444? Thanks again, AJ
on 2012-10-11 23:54
Hello!

On Thu, Oct 11, 2012 at 11:35:16AM -0400, AJ Weber wrote:

> I didn't double-check yet, but it looks like if I set this up, and
> the client does not have a client-side certificate, nginx is
> returning either a 400 (or more likely a 403)? Is there any way I
> can be entirely "rude" and re-map the return code if you do not have
> a client certificate to 444?

The answer is on the very same page:

http://nginx.org/en/docs/http/ngx_http_ssl_module....

--
Maxim Dounin
http://nginx.com/support.html
on 2012-10-12 00:08
I noticed that, but it appears to require a page / uri. I think the special 444 should not return content, if I am reading its design correctly. -Aaron
on 2012-10-12 00:22
Hello!

On Thu, Oct 11, 2012 at 06:07:44PM -0400, Aaron wrote:

> I noticed that, but it appears to require a page / uri. I think
> the special 444 should not return content, if I am reading its
> design correctly.

This is because anything in nginx requires a uri. But it's up to you
to not return content for the uri, like this:

    error_page 496 = /nocert;

    location = /nocert {
        return 444;
    }

See here for details:

http://nginx.org/r/error_page
http://nginx.org/r/location
http://nginx.org/r/return

--
Maxim Dounin
http://nginx.com/support.html
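The pieces discussed across this thread (public-CA server certificate, a separate private CA for client certificates, CRL checking, and dropping certificate-less clients with 444) combined into one server block. This is an added example, not configuration posted in the thread; all file paths, the hostname and the upstream address are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;   # placeholder hostname

    # Server identity: chain and key issued by a public CA (placeholder paths).
    ssl_certificate     /etc/nginx/ssl/public-ca-chain.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Client identity: trust only certificates issued by the private CA that
    # hands certificates to registered users. This root is independent of
    # the public CA that signed the server certificate above.
    ssl_client_certificate /etc/nginx/ssl/private-ca.pem;
    ssl_verify_client on;

    # Revocation: PEM-encoded CRL issued by that same private CA. nginx reads
    # the file when the configuration is loaded, so reload nginx after each
    # CRL update or revoked certificates keep being accepted.
    ssl_crl /etc/nginx/ssl/private-ca.crl.pem;

    # A client that presents no certificate triggers nginx's internal 496
    # (certificate required); a certificate that fails verification,
    # including a revoked one, triggers 495. Send both to a location that
    # closes the connection without a response body instead of serving an
    # error page.
    error_page 495 496 = /nocert;

    location = /nocert {
        internal;        # not reachable by a direct request for /nocert
        return 444;
    }

    location / {
        # Pass the verified client's subject DN to the application so it can
        # map the certificate to a registered user (placeholder upstream).
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```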