Forum: NGINX SSL client verification with chained CA

Marcin Deranek (Guest)
on 2012-10-30 11:17
(Received via mailing list)
Hi,

So far we were able to run nginx (1.0.x & 1.2.x) with SSL client
verification enabled where certs were signed by single root CA:

ssl  on;
ssl_certificate  server_cert_signed_by_CA.pem;
ssl_certificate_key  server_key.pem;
ssl_client_certificate  ca_cert.pem;
ssl_verify_client  optional;

Now we would like to introduce chained CAs:

root CA -> intermediate CA -> client cert

so nginx should be able to verify client certificates which are signed
by the intermediate CA. Unfortunately I was not able to make it work (I see
that the development version 1.3.x has some additional options which would
suggest that this setup can work with it). Is this setup possible with
nginx 1.2.x?
Some other people had an identical problem:
http://stackoverflow.com/questions/8431528/nginx-s...

The SSL module documentation (http://wiki.nginx.org/HttpSslModule)
mentions that the SSL module "supports checking client certificates with two
limitations", whereas the 2nd limitation seems to be related to the server
certificate rather than the client certificate. Is this bad wording or am
I missing something there?
Regards,

Marcin
Marcin Deranek (Guest)
on 2012-10-30 12:39
(Received via mailing list)
On Tue, 30 Oct 2012 11:17:41 +0100
Marcin Deranek <marcin.deranek@booking.com> wrote:

> would suggest that this setup can work with it). Is this setup
> possible with nginx 1.2.x ?

I have enabled additional debugging and got this in logs:

client SSL certificate verify error: (26:unsupported certificate
purpose) while SSL handshaking

Looks like our security team needs to re-generate certificates.
I'm sorry for the noise.

Marcin
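The thread ends at the "unsupported certificate purpose" (error 26) log line without showing what a working chain looks like. The following shell script is an added example, not from the thread or from nginx: it builds a root -> intermediate -> client chain with openssl, bundles both CAs into the single file ssl_client_certificate expects, and verifies each client certificate with the TLS-client purpose that nginx's verification applies, so a certificate issued for servers only reproduces error 26. All subjects and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): build root -> intermediate -> client
# with openssl and verify the way nginx does. All names are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# gen_cert NAME SUBJECT EXTENSIONS [ISSUER]; no ISSUER = self-signed root
gen_cert() {
    name=$1; subj=$2; ext=$3; issuer=${4:-}
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$name.key" \
        -subj "$subj" -out "$WORK/$name.csr" 2>/dev/null
    printf '%s\n' "$ext" > "$WORK/$name.ext"
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 1 -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
            -CAkey "$WORK/$issuer.key" -CAcreateserial -days 1 \
            -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
    fi
}
CA_EXT="basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign"
build_chain() {
    gen_cert root  "/CN=Demo Root CA" "$CA_EXT"
    gen_cert inter "/CN=Demo Intermediate CA" "$CA_EXT" root
    # A client cert that carries the clientAuth purpose ...
    gen_cert good "/CN=good client" "basicConstraints=CA:FALSE
extendedKeyUsage=clientAuth" inter
    # ... and one issued for servers only: this is what fails nginx's client
    # verification with error 26 (unsupported certificate purpose).
    gen_cert bad "/CN=server-only cert" "basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth" inter
    # ssl_client_certificate must hold every CA in the chain: bundle both.
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/ca_bundle.pem"
}
# verify_client NAME: the check nginx performs (purpose = TLS client).
# Prints "<file>: OK" or OpenSSL's error text; exit status is openssl's.
verify_client() {
    openssl verify -purpose sslclient -CAfile "$WORK/ca_bundle.pem" "$WORK/$1.pem" 2>&1
}
build_chain
verify_client good || true
verify_client bad  || true
```

With this chain nginx also needs ssl_verify_depth 2, since the default depth of 1 only reaches one CA above the client certificate.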