On Tue, Jul 31, 2012 at 11:21:26AM -0400, ffeldhaus wrote:
> Infrastructure (EGI) we need
> I had hoped there would be another way. Putting the currently 105
> certificates in one file may work, but the problem is that the
> certificates may change, and with 105 CA certificates at the moment the
> chance that a certificate is updated/revoked is not negligible anymore.
If a CA certificate is updated/revoked, it probably needs some double
checking by a human anyway. Updating the file and asking nginx to
reload its config isn't going to be a big deal then.
> I could write a cron job to update the single certificate file after
> each update, but it would be much easier if nginx supported multiple
> CA certificate files out of the box. For Apache there is a directive
> called SSLCACertificatePath to do just this. Do you think this could be
> a feature worth implementing in Nginx? If so, how could I help?
"Certificate file" vs "certificate path" difference isn't about
running something after updates of certificates or not (in both
cases you have to update something, either cat to a single file or
the c_rehash script to create symbolic links in case of CApath).
The difference is about certificates in memory vs. certificates on
disk, and the latter implies syscalls and disk access on each
As nginx is designed to work under high loads, with many requests
(and handshakes) per second, it uses the CAfile variant. And as nginx
configuration reload is seamless, it's unlikely the CApath variant
will add any extra value.