
Supposing I have an nginx server with mTLS enabled. The nginx instance works OK for the client certificates already configured. Is there any way to add extra client certificates (newly registered) without restarting the server? If not, are there any servers or software solutions that resolve certificates dynamically?

gkatzioura
    (1) [nginx can reload its configuration without restarting](http://nginx.org/en/docs/control.html) (2) if you issue client certs under one or a few CA(s) and trust _them_, you don't need to change the server config; that's how PKI is _intended_ to work – dave_thompson_085 Jul 25 '19 at 01:53
  • Hi, thank you for your reply. Regardless of server implementation, supposing clients submit their CSRs and our infrastructure signs them and gives back their certificates: are there any open-source solutions out there that update the server's mTLS? Therefore no extra configuration needed. – gkatzioura Jul 25 '19 at 09:06
  • Certificates are _not_ created by signing CSRs; that is an error repeated endlessly by people who don't know what they are talking about. But if you run a CA that accepts CSRs from the desired clients and issues certs to them, and you configure nginx to trust (only) the _CA_ root, it will (without updating) validate (clients using) all certs issued under that CA. Well, except if the child certs expire, and then you need to have the clients replace them, but your CA can make expiration as long as you want, unlike public CAs which are limited to 2-3 years at most. ... – dave_thompson_085 Aug 01 '19 at 09:27
  • ... There are many open-source programs you can use to run your own CA, ranging from basic (like OpenSSL's command-line command `ca`) to glitzy and complicated. (Personally I like basic.) I've seen Qs on quite a few of them, IIRC mostly in security.SX or superuser.com or serverfault.com or maybe unix.SX, since that is really an operations Q, not a programming Q. – dave_thompson_085 Aug 01 '19 at 09:31
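The CA-trust model dave_thompson_085 describes, as an added example that is not part of the original post and is not nginx's own code: a Go program (standard library only) that builds a private CA, models the server's trust store as a pool containing only the CA root, and then issues a client certificate from a CSR *after* that trust store was built. The new client verifies without touching the server; a certificate from a different CA, or an expired one, does not. The names "Example Internal CA" and "client-42" are made up for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA creates a self-signed root CA. Its certificate is the one file the
// server trusts; the key stays with the issuing infrastructure.
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// clientCSR models a newly registered client: it generates its own key pair
// and sends only a CSR (subject + public key, self-signed) to the CA.
func clientCSR(cn string) (*ecdsa.PrivateKey, *x509.CertificateRequest, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, nil, err
	}
	csr, err := x509.ParseCertificateRequest(der)
	return key, csr, err
}

// issueClientCert is the CA side: check the CSR's proof of possession, then
// issue a certificate with the CA's own serial, lifetime and client-auth EKU.
// Only the subject and public key are taken from the CSR, not its extensions.
func issueClientCert(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, csr *x509.CertificateRequest,
	serial int64, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// serverTrust is what nginx builds once from ssl_client_certificate: a pool
// holding only the CA root, never individual client certificates.
func serverTrust(caCert *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return pool
}

// verifyClient is the check a TLS server performs on a presented client
// certificate: chain to a trusted root, time validity, client-auth EKU.
func verifyClient(trust *x509.CertPool, cert *x509.Certificate) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     trust,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	caKey, caCert, err := newCA("Example Internal CA") // hypothetical CA name
	if err != nil {
		panic(err)
	}
	trust := serverTrust(caCert) // the "server" is now up, trusting the root only
	now := time.Now()
	// A client registers after the server is up; nothing server-side changes.
	_, csr, _ := clientCSR("client-42")
	cert, err := issueClientCert(caKey, caCert, csr, 2, now.Add(-time.Minute), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	fmt.Println("new client accepted:", verifyClient(trust, cert) == nil)
	// A certificate from another CA chains to nothing the server trusts.
	rogueKey, rogueCert, _ := newCA("Rogue CA")
	rogue, _ := issueClientCert(rogueKey, rogueCert, csr, 3, now.Add(-time.Minute), now.Add(24*time.Hour))
	fmt.Println("rogue CA rejected:", verifyClient(trust, rogue) != nil)
}
```

In nginx the counterpart of `serverTrust` is `ssl_client_certificate` (a hypothetical path such as `/etc/nginx/ca.crt`) together with `ssl_verify_client on;`: nginx reads that file at start or reload, so clients issued under the same CA afterwards need no server change at all. What does need `nginx -s reload` is a change to the files nginx reads, such as a new CA certificate appended to that bundle or an updated CRL referenced by `ssl_crl`. The flip side of trusting the CA rather than individual certificates is revocation: the server is not consulted per client, so removing one client means publishing it in the CRL and reloading, or keeping lifetimes short enough that expiry does the job.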

0 Answers