How to load a TRUSTED Client CA

I need to specify a CA file to the “ssl_client_certificate” directive. This
crt is generated by the openssl x509 command with the “-trustout” parameter, so
it starts with “-----BEGIN TRUSTED CERTIFICATE-----”, rather than the common

Nginx will report an error:
PEM routines:PEM_read_bio:no start line

Internally, nginx uses OpenSSL’s API “SSL_load_client_CA_file()” to load
the cert, and that is what reports this error.

So is it a bug, expected behaviour, or did I misconfigure something?


Posted at Nginx Forum:,220897,220897#msg-220897


On Fri, Jan 06, 2012 at 10:12:20PM -0500, speedfirst wrote:

So is it a bug, expected behaviour, or did I misconfigure something?

I suspect this is the result of the whole trust thing being
experimental in OpenSSL.

OpenSSL’s s_server sample server won’t load such certificates
either. It uses the same SSL_load_client_CA_file() function to
handle the -CAfile argument. Note though that it won’t complain, as it
lacks error checking after the call; you should explicitly test
whether it was loaded by checking the CA names list on connect. On
the other hand, “openssl verify” is able to handle such certs, so
it’s probably expected to work. You may try asking OpenSSL’s guys
for details.

The easiest solution is probably to convert the cert to a normal one;
something like this will do the trick:

$ openssl x509 -in trusted.cert.pem -clrtrust -out normal.cert.pem

Maxim D.
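The conversion Maxim suggests, worked through by hand as an added Python example (this is not code from the thread, from nginx or from OpenSSL): an OpenSSL TRUSTED CERTIFICATE PEM block is the certificate’s DER SEQUENCE followed by OpenSSL’s trust-settings structure, so clearing the trust settings means keeping exactly the first DER object and relabelling the block as CERTIFICATE. The first function is the check a practitioner wants before pointing ssl_client_certificate at a file: it lists PEM labels that SSL_load_client_CA_file() would not accept. The embedded sample is constructed (a tiny DER SEQUENCE stands in for a real certificate), not a real CA, and all function names are this example’s own.

```python
import base64
import re

TRUSTED_LABEL = "TRUSTED CERTIFICATE"   # written by "openssl x509 -trustout"
PLAIN_LABEL = "CERTIFICATE"             # the only label the CA loader accepts

# One PEM block: label in BEGIN/END lines, base64 body in between.
_PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block in text, in file order."""
    for m in _PEM_RE.finditer(text):
        yield m.group(1), base64.b64decode("".join(m.group(2).split()))


def der_first_object_len(buf):
    """Total byte length (tag + length field + value) of the first DER SEQUENCE in buf."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                      # short form: the byte is the length
        return 2 + first
    n = first & 0x7F                      # long form: number of length bytes
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("malformed DER length")
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def labels_unsupported_by_ca_loader(text):
    """PEM labels in text that SSL_load_client_CA_file() would reject (anything but CERTIFICATE)."""
    return [label for label, _ in pem_blocks(text) if label != PLAIN_LABEL]


def clear_trust(text):
    """Rewrite TRUSTED CERTIFICATE blocks as plain CERTIFICATE blocks (what -clrtrust does).

    The trust settings trail the certificate in the same DER stream, so the
    certificate is exactly the first DER object; everything after it is dropped.
    Other blocks are passed through unchanged.
    """
    out = []
    for label, der in pem_blocks(text):
        if label == TRUSTED_LABEL:
            der = der[:der_first_object_len(der)]
            label = PLAIN_LABEL
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        out.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    return "".join(out)


# Constructed sample, NOT a real certificate: a 5-byte SEQUENCE { INTEGER 5 }
# stands in for the certificate, followed by a SEQUENCE holding one OID, which
# mimics the shape of OpenSSL's appended trust-settings structure.
_CERT_DER = bytes.fromhex("3003020105")
_AUX_DER = bytes.fromhex("300730050603551d25")
SAMPLE_TRUSTED_PEM = (
    "-----BEGIN TRUSTED CERTIFICATE-----\n"
    + base64.b64encode(_CERT_DER + _AUX_DER).decode()
    + "\n-----END TRUSTED CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print("rejected labels before:", labels_unsupported_by_ca_loader(SAMPLE_TRUSTED_PEM))
    fixed = clear_trust(SAMPLE_TRUSTED_PEM)
    print("rejected labels after: ", labels_unsupported_by_ca_loader(fixed))
    print(fixed, end="")
```

Running the check over a real CA bundle before reloading nginx turns the opaque “no start line” error into a named offending block; running clear_trust on it reproduces the -clrtrust output without needing the openssl binary on the box.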