I have generated the certificates as given below:

Root-CA  ->  Intermediate-CA  ->  Server

Root-CA:
rootca.key
rootca.crt
rootca.crl

Intermediate-CA:
intermediateca.key
intermediateca.crt
intermediateca.crl

Server:
server.key
server.crt

Here, Root-CA is signed by Root-CA, which is a self-signed certificate.

Then, Intermediate-CA is signed by Root-CA and Server is signed by Intermediate-CA.

All the above files are in the confs folder.

Nginx conf:

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name www.example.com;

        ssl_certificate  /home/user/confs/?;
        ssl_certificate_key /home/user/confs/?;

        ssl_ocsp on;
        ssl_verify_client on;
        ssl_verify_depth 2;
        ssl_client_certificate /home/user/confs/?;
        ssl_crl /home/user/confs/?;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /home/user/confs/?;
}

Which files go where I have put ?. Can anyone please help me with the Nginx configuration? Thank you for your time.

soup

1 Answer


Try:

server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name www.example.com;

        # Leaf certificate first, followed by the intermediate that issued it.
        ssl_certificate  /home/user/confs/server_chain.crt;
        ssl_certificate_key /home/user/confs/server.key;

        # Mutual TLS: every client must present a certificate that chains to Root-CA
        # (ssl_ocsp requires nginx 1.19.4 or later).
        ssl_ocsp on;
        ssl_verify_client on;
        ssl_verify_depth 2;
        ssl_client_certificate /home/user/confs/rootca.crt;
        ssl_crl /home/user/confs/intermediateca.crl;

        # OCSP stapling for the server certificate, with the response checked against Root-CA.
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /home/user/confs/rootca.crt;
}

Where server_chain.crt is a concatenation of server.crt and intermediateca.crt (server at the top of the file).

ssl_client_certificate and ssl_trusted_certificate are mutually exclusive. More info here.

ssl_crl is pointing to your intermediateca.crl on the assumption that this Intermediate CA is issuing the client certificates.

garethTheRed
  • Sorry, ```server.crl``` is a mistake. The question is updated by removing ```server.crl``` – soup Aug 19 '22 at 02:48
  • I have configured Nginx.conf as you suggested, but I am getting an error ```400 Bad Request No required SSL certificate was sent``` – soup Aug 19 '22 at 02:51
  • You have the server set to expect a client certificate (`ssl_verify_client on`). Did your client send a certificate? Please see my comment on `ssl_crl` above - the answer _assumed_ that your Intermediate CA generated this client certificate. However, your list of generated certificates doesn't include one. – garethTheRed Aug 19 '22 at 05:07
  • These are self-signed certificates. The question is updated. Is the client certificate the `server.crt`? – soup Aug 19 '22 at 06:03
  • The Root CA is self-signed - the others are not. The client certificate is, as the name suggests, the certificate which the client sends to the server as part of _mutual_ authentication. The `400` error message you received was because your client didn't send the expected client certificate. You either need to give the client a certificate whose Root CA is in `ssl_client_certificate` or you need to disable mutual authentication. – garethTheRed Aug 19 '22 at 10:26
  • This sounds like a different question to me - it has nothing to do with Nginx. Maybe you should accept the answer to this question and ask another about revoked certificates? – garethTheRed Aug 19 '22 at 16:52
  • I am getting errors, not solved yet. – soup Aug 19 '22 at 16:58
  • With `ssl_verify_client on;`, I am getting an error `400 Bad Request No required SSL certificate was sent`. Without `ssl_verify_client on;`, I can access the web server. How do I create a client certificate? What is `ssl_verify_depth 2;`? – soup Aug 19 '22 at 17:47
  • Do you need a client certificate? If not, there's no need to create one! – garethTheRed Aug 19 '22 at 21:00
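Worked example, added here and not part of the question or the answer above: a POSIX shell script that uses openssl to build a throwaway Root-CA -> Intermediate-CA -> Server hierarchy like the one in the question, issues the client certificate the comment thread asks about (signed by the Intermediate-CA, so it chains to rootca.crt, the file given to ssl_client_certificate), assembles server_chain.crt in the order the answer specifies, and then checks the result the way nginx and a connecting client would. The subject names, the hypothetical client name alice, the extension profiles and the temporary work directory are assumptions; nothing here touches /home/user/confs.

```shell
#!/bin/sh
# Added example (not from the question or the answer): build a throwaway
# Root-CA -> Intermediate-CA -> Server PKI plus one client certificate,
# assemble server_chain.crt for nginx, and verify it the way nginx would.
# Subject names, the client name "alice" and the work directory are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Extension profiles: CA certs may sign, the intermediate may not issue
# further CAs (pathlen:0), leaves are not CAs and carry an EKU.
write_extfiles() {
    cat > "$WORK/root.ext" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
    cat > "$WORK/intermediate.ext" <<'EOF'
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.example.com
EOF
    cat > "$WORK/client.ext" <<'EOF'
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
EOF
}

# issue NAME SUBJECT ISSUER PROFILE: fresh key + CSR, signed by ISSUER
# (self-signed when ISSUER is "self"), written to $WORK/NAME.key and NAME.crt.
issue() {
    name=$1; subj=$2; issuer=$3; profile=$4
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    if [ "$issuer" = self ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 365 -sha256 -extfile "$WORK/$profile.ext" \
            -out "$WORK/$name.crt" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" -CAcreateserial \
            -days 365 -sha256 -extfile "$WORK/$profile.ext" \
            -out "$WORK/$name.crt" 2>/dev/null
    fi
}

# ssl_certificate wants the leaf first, then the issuing intermediate(s).
# The root is left out: clients must already trust it.
build_chain() {
    cat "$WORK/server.crt" "$WORK/intermediateca.crt" > "$WORK/server_chain.crt"
}

# What a client does with server_chain.crt: trust the root, take the
# intermediate from the chain, verify the leaf for serverAuth. Without the
# intermediate this fails with "unable to get local issuer certificate".
verify_server_chain() {
    openssl verify -CAfile "$WORK/rootca.crt" -untrusted "$WORK/intermediateca.crt" \
        -purpose sslserver "$WORK/server.crt" >/dev/null
}

# What nginx does with ssl_client_certificate rootca.crt and ssl_verify_depth 2:
# the client sends client.crt (plus the intermediate); the chain must reach
# rootca.crt within the depth limit and the leaf must be usable for clientAuth.
verify_client_cert() {
    openssl verify -CAfile "$WORK/rootca.crt" -untrusted "$WORK/intermediateca.crt" \
        -verify_depth 2 -purpose sslclient "$WORK/client.crt" >/dev/null
}

# nginx pairs ssl_certificate_key with the FIRST certificate in ssl_certificate.
# If intermediateca.crt is concatenated first, the public keys differ and
# nginx refuses the pair with a "key values mismatch" error.
chain_matches_key() {
    chain=$1; key=$2
    [ "$(openssl x509 -in "$chain" -noout -pubkey)" = "$(openssl pkey -in "$key" -pubout)" ]
}

main() {
    write_extfiles
    issue rootca         "/CN=Example Root CA"         self           root
    issue intermediateca "/CN=Example Intermediate CA" rootca         intermediate
    issue server         "/CN=www.example.com"         intermediateca server
    issue client         "/CN=alice"                   intermediateca client
    build_chain
    verify_server_chain
    echo "server_chain.crt verifies against rootca.crt"
    verify_client_cert
    echo "client.crt chains to rootca.crt within depth 2"
    chain_matches_key "$WORK/server_chain.crt" "$WORK/server.key"
    echo "server_chain.crt pairs with server.key; files are in $WORK"
}

main
```

Run it with `sh` and it aborts at the first failing step because of `set -e`. The client side of the 400 error in the comments is the `client.key`/`client.crt` pair this produces: a client that presents them (for example with `curl --cert client.crt --key client.key`) satisfies `ssl_verify_client on` because the chain closes at rootca.crt, which is exactly what `ssl_client_certificate` holds. The `-verify_depth 2` in `verify_client_cert` mirrors `ssl_verify_depth 2`: it bounds how many certificates nginx will walk between the client certificate and a trusted root, and one intermediate fits comfortably. `chain_matches_key` is the check worth running before reloading nginx, since it catches the most common chain-file mistake, the intermediate placed above the leaf.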