This may be a dumb ssl question, but here goes

Can I install and configure nginx to use a “public”/global CA’s SSL
Certificate like Verisign, AND force (require) the use of client SSL
certificates, AND allow those client/browser-certificates to be from a
different CA/root? For example, openca or some self-signed setup that I
use to just distribute client certificates to my registered users?

Let me know if I am not asking the question correctly.

Thanks,
AJ

I think I might have found my answer to this.

I can generate my own (or use any different) CA and add that in
ssl_client_certificate ;
And then set ssl_verify_client on;

This appears to work in initial testing. So my follow-up is:

  1. Does this sound like the way to make my original question work?
  2. Can I revoke certificates, and will nginx check a revocation list of
    some kind?

Thanks again,
AJ

Hello!

On Wed, Oct 10, 2012 at 05:16:12PM -0400, AJ Weber wrote:

I think I might have found my answer to this.

I can generate my own (or use any different) CA and add that in
ssl_client_certificate ;
And then set ssl_verify_client on;

This appears to work in initial testing. So my follow-up is:

  1. Does this sound like the way to make my original question work?

Yes.

  1. Can I revoke certificates, and will nginx check a revocation list
    of some kind?

http://nginx.org/r/ssl_crl

example, openca or some self-signed setup that I use to just
[email protected]
http://mailman.nginx.org/mailman/listinfo/nginx


Maxim D.
http://nginx.com/support.html

I didn’t double-check yet, but it looks like if I set this up, and the
client does not have a client-side certificate, nginx is returning
either a 400 (or more likely a 403)? Is there any way I can be entirely
“rude” and re-map the return code if you do not have a client
certificate to 444?

Thanks again,
AJ

Hello!

On Thu, Oct 11, 2012 at 11:35:16AM -0400, AJ Weber wrote:

I didn’t double-check yet, but it looks like if I set this up, and
the client does not have a client-side certificate, nginx is
returning either a 400 (or more likely a 403)? Is there any way I
can be entirely “rude” and re-map the return code if you do not have
a client certificate to 444?

The answer is on the very same page:
http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors


Maxim D.
http://nginx.com/support.html

I noticed that, but it appears to require a page / uri. I think the
special 444 should not return content, if I am reading its design
correctly.

-Aaron

Hello!

On Thu, Oct 11, 2012 at 06:07:44PM -0400, Aaron wrote:

I noticed that, but it appears to require a page / uri. I think
the special 444 should not return content, if I am reading its
design correctly.

This is because anything in nginx requires an uri. But it’s up to
you to not return content for the uri, like this:

error_page 496 = /nocert;

location = /nocert {
    return 444;
}

See here for details:

http://nginx.org/r/error_page
http://nginx.org/r/location
http://nginx.org/r/return


Maxim D.
http://nginx.com/support.html

So far, I am loving nginx. :slight_smile:

Thanks!

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs