id: 1902
summary: Can not use ssl_trusted_certificate to verify Clients
reporter: jkman340@…
owner:
type: defect
status: new
priority: minor
milestone:
component: other
version: 1.17.x
resolution:
keywords:
cc:

description:

In my config, I set the following to validate client certificates:

    ssl_verify_client on;
    ssl_trusted_certificate /usr/local/nginx/ssl/ca.crt;
    ssl_crl /usr/local/nginx/ssl/crl.pem;

The server fails to start with the error:

    nginx: [emerg] no ssl_client_certificate for ssl_verify_client

If I change the configuration to the following, the server starts:

    ssl_verify_client on;
    ssl_client_certificate /usr/local/nginx/ssl/ca.crt;
    ssl_crl /usr/local/nginx/ssl/crl.pem;

I am not using OCSP or stapling, just verification against a CA/CRL.

Reading through the docs, the descriptions for both of the options 'ssl_trusted_certificate' and 'ssl_client_certificate' are the same:

"Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled."

The only difference is whether the list of certificates is sent to the client.

uname:

    Linux dev-02 4.4.0-170-generic #199-Ubuntu SMP Thu Nov 14 01:45:04 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

nginx_version:

    nginx version: nginx/1.17.6
    built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.12)
    built with OpenSSL 1.1.1d 10 Sep 2019
    TLS SNI support enabled
    configure arguments: --with-openssl=/usr/local/src/nginx/openssl-1.1.1d --without-http_ssi_module --without-http_userid_module --without-http_geo_module --without-http_auth_basic_module --without-http_fastcgi_module --without-http_uwsgi_module --without-http_scgi_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-pcre --with-http_ssl_module --with-stream --with-stream_ssl_module