Provide site-specific SSL cert on behalf of clients

I’m wondering if I can configure nginx to provide a PEM SSL cert for a
specific site on behalf of clients on my subnet, and how I might go
about configuring, testing this. I have a cert in PEM format, and nginx
0.8.54 with SSL support, running on Ubuntu 11.04.

Posted at Nginx Forum:

On Tue, May 24, 2011 at 05:04:11PM -0400, urschrei wrote:

> I’m wondering if I can configure nginx to provide a PEM SSL cert for a
> specific site on behalf of clients on my subnet, and how I might go
> about configuring, testing this. I have a cert in PEM format, and nginx
> 0.8.54 with SSL support, running on Ubuntu 11.04.

Do you mean a certificate that a client passes to a server or what?


Igor S.

Igor,
yes, it’s a client SSL cert.

On Wed, May 25, 2011 at 05:15:18AM -0400, urschrei wrote:

> Igor,
> yes, it’s a client SSL cert.

You should have a CA certificate which is used to sign client
certificates.
This certificate should be declared on server level:

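server {
    listen 443;
    ssl on;

    # CA certificate used to verify the certificates clients present
    ssl_client_certificate  ca-cert.pem;
    # require a valid client certificate
    ssl_verify_client       on;
}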

Igor S.
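
Added example, not part of the thread and not Igor's code: a shell script that builds the CA-signs-client-certificate relationship described above and checks which certificates chain to the file named in ssl_client_certificate. It assumes the openssl command-line tool is installed; the subject names, the client names and the helper function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed test data only: a throwaway CA and two client certificates.

make_ca() {            # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Client CA" \
        -keyout "$1/ca-key.pem" -out "$1/ca-cert.pem" 2>/dev/null
}

issue_client_cert() {  # $1 = working directory, $2 = client name
    # Key + signing request for the client, then sign the request with the CA.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 30 \
        -CA "$1/ca-cert.pem" -CAkey "$1/ca-key.pem" -CAcreateserial \
        -out "$1/$2-cert.pem" 2>/dev/null
}

make_self_signed() {   # $1 = working directory, $2 = name (not signed by the CA)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/$2-key.pem" -out "$1/$2-cert.pem" 2>/dev/null
}

chains_to_ca() {       # $1 = CA certificate, $2 = client certificate
    # Approximates the chain check a server does with ssl_verify_client on.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

d=$(mktemp -d)
make_ca "$d" && issue_client_cert "$d" client1 && make_self_signed "$d" stranger
for c in client1 stranger; do
    if chains_to_ca "$d/ca-cert.pem" "$d/$c-cert.pem"; then
        echo "$c: accepted"
    else
        echo "$c: rejected"
    fi
done
rm -rf "$d"
```

The certificate signed by the CA is accepted and the unrelated self-signed one is rejected; the client's browser never sees ca-cert.pem, only the server uses it to decide which client certificates to trust.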

Igor,
just to make sure I’m not misunderstanding you:

Usually, what happens is this:

I install an SSL cert (let’s call it certA) in a client browser, so I
can access https site A, which requires it.

But if I have a lot of clients, I’d ideally like to have nginx proxy
this cert, on behalf of my clients, so I don’t have to install it for
each of them. Are you saying that in order for nginx to proxy the cert,
I’ll first have to generate a CA cert on the server, and then sign the
client cert (certA) with it? Won’t this result in a self-signed
certificate warning every time a client tries to access site A?

On Wed, May 25, 2011 at 06:27:15AM -0400, urschrei wrote:

> each of them. Are you saying that in order for nginx to proxy the cert,
> I’ll first have to generate a CA cert on the server, and then sign the
> client cert (certA) with it? Won’t this result in a self-signed
> certificate warning every time a client tries to access site A?

nginx as a client does not currently support a client certificate
when it proxies a request to HTTPS backend (B). However, I do not see
any security advantage when many clients look like one for backend B.


Igor S.

> nginx as a client does not currently support a client certificate
> when it proxies a request to HTTPS backend (B). However, I do not see
> any security advantage when many clients look like one for backend B.

Thanks for clearing up the confusion. In this case, there would be no
security advantage even if the cert were individually installed, since
the same cert is issued to each client in the organisation, so whether
the cert is proxied or not really makes no difference.
