This may be a dumb ssl question, but here goes

Can I install and configure nginx to use a “public”/global CA’s SSL
Certificate like Verisign, AND force (require) the use of client SSL
certificates, AND allow those client/browser-certificates to be from a
different CA/root? For example, openca or some self-signed setup that I
use to just distribute client certificates to my registered users?

Let me know if I am not asking the question correctly.

Thanks,
AJ

I think I might have found my answer to this.

I can generate my own (or use any different) CA and add that in
ssl_client_certificate;
And then set ssl_verify_client on;

This appears to work in initial testing. So my follow-up is:

  1. Does this sound like the way to make my original question work?
  2. Can I revoke certificates, and will nginx check a revocation list of
    some kind?

Thanks again,
AJ

Hello!

On Wed, Oct 10, 2012 at 05:16:12PM -0400, AJ Weber wrote:

> I think I might have found my answer to this.
>
> I can generate my own (or use any different) CA and add that in
> ssl_client_certificate;
> And then set ssl_verify_client on;
>
> This appears to work in initial testing. So my follow-up is:
>
>   1. Does this sound like the way to make my original question work?

Yes.

>   2. Can I revoke certificates, and will nginx check a revocation list
>     of some kind?

http://nginx.org/r/ssl_crl



Maxim D.

I didn’t double-check yet, but it looks like if I set this up, and the
client does not have a client-side certificate, nginx is returning
either a 400 (or more likely a 403)? Is there any way I can be entirely
“rude” and re-map the return code if you do not have a client
certificate to 444?

Thanks again,
AJ

Hello!

On Thu, Oct 11, 2012 at 11:35:16AM -0400, AJ Weber wrote:

> I didn’t double-check yet, but it looks like if I set this up, and
> the client does not have a client-side certificate, nginx is
> returning either a 400 (or more likely a 403)? Is there any way I
> can be entirely “rude” and re-map the return code if you do not have
> a client certificate to 444?

The answer is on the very same page:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors


Maxim D.

I noticed that, but it appears to require a page / uri. I think the
special 444 should not return content, if I am reading its design
correctly.

-Aaron

Hello!

On Thu, Oct 11, 2012 at 06:07:44PM -0400, Aaron wrote:

> I noticed that, but it appears to require a page / uri. I think
> the special 444 should not return content, if I am reading its
> design correctly.

This is because anything in nginx requires an uri. But it’s up to
you to not return content for the uri, like this:

# 496 is nginx's "No required SSL certificate was sent" error;
# map it to an internal URI instead of serving a page for it
error_page 496 = /nocert;

# that URI sends nothing: 444 closes the connection without a response
location = /nocert {
    return 444;
}

See here for details:

http://nginx.org/r/error_page
http://nginx.org/r/location
http://nginx.org/r/return


Maxim D.
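Putting the whole thread together, here is an added example of a complete server block (not configuration posted by anyone in the thread): a server certificate from a public CA, mandatory client certificates from a separate private CA, CRL checking via ssl_crl, and the 496 (no certificate) case closed with 444. All file paths, the server name and the upstream address are assumptions.

```nginx
# Added example, not from the thread. Paths, server_name and upstream are assumed.
server {
    listen 443 ssl;
    server_name example.com;                                        # assumed

    # Server certificate chain and key issued by a public CA (Verisign etc.).
    ssl_certificate     /etc/nginx/ssl/example.com.fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/ssl/example.com.key;             # assumed path

    # Trust anchor for *client* certificates: your own private CA, entirely
    # independent of the CA that issued the server certificate above.
    ssl_client_certificate /etc/nginx/ssl/private-ca.crt;           # assumed path
    ssl_verify_client      on;      # "on" = a valid client cert is required
    ssl_verify_depth       2;       # allow one intermediate below the private CA

    # Revocation: a PEM CRL issued by the private CA. nginx loads it when the
    # configuration is (re)loaded, so regenerate the CRL and reload nginx
    # after every revocation, or revoked clients keep getting in.
    ssl_crl /etc/nginx/ssl/private-ca.crl;                          # assumed path

    # 496 = client sent no certificate, 495 = certificate failed verification
    # (both documented on the ngx_http_ssl_module "errors" page). Send both
    # to an internal location that drops the connection without a response.
    error_page 495 496 = /nocert;

    location = /nocert {
        internal;       # never reachable by a direct request
        return 444;     # close the connection, send nothing
    }

    location / {
        # Pass the verified client identity to the backend for auditing.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;                           # assumed upstream
    }
}
```

Two operational points follow from this layout: ssl_client_certificate only decides which CA is trusted for client certificates, so it can and usually should differ from the CA behind ssl_certificate; and since ssl_crl is read at load time, CRL reissue and nginx reload belong in the same revocation procedure.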

So far, I am loving nginx. :)

Thanks!