
For a project as part of the European Grid Infrastructure (EGI) we need SSL client certificate verification for a service running on nginx. As there are several root CAs allowed within EGI, we need nginx to check them all during client certificate validation. In the documentation of nginx I could only find the parameter ssl_client_certificate which allows to specify just one file containing a root certificate.

Is there a way to specify more than one root CA for client certificate verification in nginx or do I have to use Apache for this?

Florian Feldhaus
  • There is currently an [ongoing discussion on the Nginx mailing list on this topic](http://forum.nginx.org/read.php?2,229129,229129). It seems Nginx only supports one file and you have to concatenate all CA certificates into that file. An open question is, which approach gives faster response times and if Nginx should support CA lookup via hash based filenames. – Florian Feldhaus Aug 10 '12 at 09:31
  • Please note - your link is not valid anymore. – Ivan Kolmychek Mar 30 '17 at 09:15

1 Answer


Nginx supports multiple root certificates. Just put multiple root CA certificates into a file specified in the ssl_client_certificate directive. Note the docs explicitly say "certificates" (plural).

This is the reasoning given for why nginx doesn't support pointing ssl_client_certificate at a directory (as Apache does):

> "Certificate file" vs "certificate path" difference isn't about running something after updates of certificates or not (in both cases you have to update something, either cat to a single file or the c_rehash script to create symbolic links in case of CApath). The difference is about certificates in memory vs. certificates on disk, and the latter implies syscalls and disk access on each certificate check.
>
> As nginx is designed to work under high loads, with many requests (and handshakes) per second, it uses the CAfile variant. And as nginx configuration reload is seamless, it's unlikely the CApath variant will add any extra value.
>
> – Maxim Dounin

Josh Correia

masegaloeh
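The procedure the answer describes, building one bundle file for ssl_client_certificate out of several root CA files, as an added example that is not part of the question or the answer. The PEM contents, file names and the /etc/nginx path are constructed placeholders, not real EGI CA certificates; the bundle builder and the marker check are this example's own helpers, not nginx tooling.

```shell
#!/bin/sh
# Added example, not code from the original question or answer: build the single
# CA bundle that nginx's ssl_client_certificate expects from several root CA PEM
# files, and sanity-check the result. File names and PEM bodies below are
# constructed placeholders, not real certificates.
set -eu

# build_ca_bundle BUNDLE FILE...  concatenates the given PEM files into BUNDLE.
build_ca_bundle() {
    bundle="$1"; shift
    : > "$bundle"
    for f in "$@"; do
        cat "$f" >> "$bundle"
        # A file without a final newline would glue its END marker to the next
        # file's BEGIN marker, so add one when it is missing.
        if [ -n "$(tail -c 1 "$f")" ]; then
            printf '\n' >> "$bundle"
        fi
    done
}

# count_certs BUNDLE  prints the number of certificates in BUNDLE; unbalanced
# BEGIN/END markers indicate a truncated or corrupted input and fail the check.
count_certs() {
    begins=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true)
    ends=$(grep -c -e '-----END CERTIFICATE-----' "$1" || true)
    if [ "$begins" -ne "$ends" ]; then
        echo "error: $1 has $begins BEGIN but $ends END markers" >&2
        return 1
    fi
    echo "$begins"
}

# demo: write two constructed placeholder "certificates" into a temp dir,
# bundle them and print the certificate count found in the bundle.
demo() {
    dir=$(mktemp -d)
    printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-ONE' \
        '-----END CERTIFICATE-----' > "$dir/ca-one.pem"
    # Deliberately written without a trailing newline to exercise the fix-up.
    printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-CA-TWO' \
        '-----END CERTIFICATE-----' > "$dir/ca-two.pem"
    build_ca_bundle "$dir/ca-bundle.pem" "$dir/ca-one.pem" "$dir/ca-two.pem"
    count_certs "$dir/ca-bundle.pem"
    rm -rf "$dir"
}

# The resulting bundle is what the nginx server block points at, for example
# (placeholder path):
#   ssl_client_certificate /etc/nginx/ca-bundle.pem;
#   ssl_verify_client      on;
#   ssl_verify_depth       2;
```

Because nginx reads the whole bundle into memory at startup or reload, as the quoted explanation notes, the bundle has to be rebuilt and nginx reloaded whenever a root CA is added or rotated; the marker check catches the common failure of a partially copied or newline-less certificate file before it reaches the reload.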