0

Preface: I'm new to certificate validation.

I've configured an nginx website as a reverse proxy, which validates client certificates. Without all the other specifics, this is the config that I used:

    ssl_client_certificate /etc/ssl/ca/certs/si-trust-root.pem;
    ssl_trusted_certificate /etc/ssl/ca/certs/si-trust-root.pem;
    ssl_verify_client on;
    ssl_verify_depth 3;

Inside si-trust-root.pem is an intermediate and the root certificate. After successful validation and some additional backend magic, the user is logged into the website.

The "problem" is that I will have to validate client certificates signed with different root certificates. Is this possible in nginx, or in any other reverse proxy software (e.g. Apache)?

From what I've gathered, it's only possible to do this in nginx with different server blocks. If nothing else works, this is what I'll probably do.

GChuf

1 Answer

2

It should work by concatenating the CA certificates in a single file.

See these questions:

Dylan
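An added example, not code from the answer or from nginx: one way to build the single file that `ssl_client_certificate` points at from several CA PEM files, dropping duplicates and re-emitting each block on its own lines so that a source file without a trailing newline cannot fuse two certificates together. The names `build_ca_bundle` and `_sample_pem` are hypothetical, and the sample certificate bodies are constructed placeholder bytes, not real X.509 certificates.

```python
import base64
import hashlib
import re

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"
PEM_RE = re.compile(re.escape(BEGIN) + r"\s*(.+?)\s*" + re.escape(END), re.S)


def build_ca_bundle(pem_texts):
    """Merge the contents of several CA PEM files into one bundle.

    Returns (bundle_text, sha256_fingerprints), fingerprints in bundle order.
    """
    fingerprints, blocks = [], []
    for text in pem_texts:
        bodies = PEM_RE.findall(text)
        if not bodies:
            raise ValueError("input contains no CERTIFICATE block")
        for body in bodies:
            # validate=True rejects stray characters inside the base64 body
            der = base64.b64decode("".join(body.split()), validate=True)
            fp = hashlib.sha256(der).hexdigest()
            if fp in fingerprints:
                continue  # the same CA was supplied twice
            fingerprints.append(fp)
            b64 = base64.b64encode(der).decode("ascii")
            lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
            blocks.append("\n".join([BEGIN, *lines, END]) + "\n")
    return "".join(blocks), fingerprints


def _sample_pem(label):
    # Constructed placeholder bytes, NOT a real certificate.
    # No trailing newline on purpose: a plain `cat a.pem b.pem` of such
    # files would put END and BEGIN on the same line.
    body = base64.b64encode(label.encode() * 8).decode("ascii")
    return BEGIN + "\n" + body + "\n" + END


if __name__ == "__main__":
    sources = [_sample_pem("root-ca-A"), _sample_pem("root-ca-B"),
               _sample_pem("root-ca-A")]  # duplicate on purpose
    bundle, fps = build_ca_bundle(sources)
    print(bundle, end="")
    print("# %d unique CA certificates" % len(fps))
```

Every CA in the bundle can authenticate a client equally, so if the backend needs to tell the issuers apart, pass nginx's `$ssl_client_i_dn` variable to it and check it there.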