Exact Client public certificate authentication using Nginx

Hi,

I am relatevely new to Nginx and below is what i need to achieve.

I have an Nginx proxy server with following key and certicate.
->Nginx_server_private_key.pem
->Nginx_server_public_cert.cer(Signed By Verisign CA)

I have 3 clients who should be able to access the Nginx server based on
their certificates. All their certificates are signed by verisign CA.
Client 1 has following key certificate pair
->Nginx_client1_private_key.pem
->Nginx_client1_public_cert.cer (Signed By verisign CA)
Similarly client 2
->Nginx_client2_private_key.pem
->Nginx_client2_public_cert.cer (Signed by Verisign CA)
Similarly client 3
->Nginx_client3_private_key.pem
->Nginx_client3_public_cert.cer (Signed by Verisign CA)

The server and clients will exchange their public certificates for
mutual
authentication.

During SSL handshake the Nginx server only validates the CA of the
incoming
public certificate and if the CA is trusted, it allowes the connection.
By
this logic any certificate signed by the same verisign CA will be able
to
access my application.

Question:

  1. Can I configure Nginx to match the exact public certificate insted of
    verifying the signing CA?
  2. Can I store the client’s public certificates in a key store directory
    and
    configure Nginx to verify the incoming client certificates based on
    public
    certificates in that directory. In short, can I have a trust store or
    validation credential ?

Any help/suggestion is greatly appriciated.

Posted at Nginx Forum:

Hello!

On Wed, Apr 03, 2013 at 06:31:49AM -0400, Sekhar wrote:

Client 1 has following key certificate pair
authentication.

During SSL handshake the Nginx server only validates the CA of the incoming
public certificate and if the CA is trusted, it allowes the connection. By
this logic any certificate signed by the same verisign CA will be able to
access my application.

Question:

  1. Can I configure Nginx to match the exact public certificate insted of
    verifying the signing CA?

No. Client certificate is considered to be good as long as it is
verified successfully up to a trusted root certificate.

What you can do, however, is to configure nginx to only allow
access for a particular DN’s, e.g. by using

if ($ssl_client_s_dn != "some-good-DN") {
    return 403;
}

More complex checks should probably use map, see
Module ngx_http_map_module.


Maxim D.
http://nginx.org/en/donation.html

Hi Maxim,

Thanks for replying to the post. Below is my concern.

Multiple certificate can have the same DN and the DN name match will
happen
after the SSL handshake is complete using the root CA. It means the SSL
layer is complete and we are doing authorization not authentication.

Posted at Nginx Forum:

Hello!

On Wed, Apr 03, 2013 at 09:30:40AM -0400, Sekhar wrote:

Hi Maxim,

Thanks for replying to the post. Below is my concern.

Multiple certificate can have the same DN and the DN name match will happen
after the SSL handshake is complete using the root CA. It means the SSL
layer is complete and we are doing authorization not authentication.

The CA is supposed to ensure that DN claimed in a certificate is
correct, that’s the whole point of PKI.

If you want to do authentication yourself without trusting the
root CA used to issue certificates, you may do so in a similar
manner by checking the whole certificate as available via
$ssl_client_raw_cert variable.


Maxim D.
http://nginx.org/en/donation.html