Opened 3 years ago
Closed 3 years ago
#1975 closed defect (wontfix)
Certificates in ssl_trusted_certificate doesn't have to be CA, docs say otherwise
|Reported by:||Owned by:|
ssl_trusted_certificate and ssl_client_certificate descriptions say "Specifies a file with trusted CA certificates".
In practice it accepts self-signed certs that are not CA and it's an absolutely valid use case (whitelist of allowed self-signed certs), just the documentation is misleading.
It should either drop that "CA" bit or be reworded to something that doesn't imply that they have to be CA.
Change History (1)
comment:1 by , 3 years ago
|Status:||new → closed|
Note: See TracTickets for help on using tickets.
While strictly speaking you are right, and this can be used as a simple list of self-signed certificates without the CA bit, this is not the intended use case given the PKI idea behind the SSL certificates.
Further, this is how it is documented in the SSL_CTX_load_verify_locations() function nginx is using:
I suspect that the idea is that any self-signed cert can be consider to be a CA for itself, and hence it is a CA regardless of the CA bit. Note well that the documentation does not talk about "CA bit", it says "CA certificates", much like the OpenSSL documentation above.
Wikipedia authors seems to think in the same way, quoting the Certificate_authority article:
Given the above, I don't think documentation changes are needed. If you still think they are, consider submitting a patch for the documentation.