Opened 3 months ago

Closed 3 months ago

#1975 closed defect (wontfix)

Certificates in ssl_trusted_certificate doesn't have to be CA, docs say otherwise

Reported by: Forkest@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.19.x
Keywords: Cc:
uname -a:
nginx -V: -

ssl_trusted_certificate and ssl_client_certificate descriptions say "Specifies a file with trusted CA certificates".

In practice it accepts self-signed certs that are not CA and it's an absolutely valid use case (whitelist of allowed self-signed certs), just the documentation is misleading.

It should either drop that "CA" bit or be reworded to something that doesn't imply that they have to be CA.

Change History (1)

comment:1 by Maxim Dounin, 3 months ago

Resolution: wontfix
Status: newclosed

While strictly speaking you are right, and this can be used as a simple list of self-signed certificates without the CA bit, this is not the intended use case given the PKI idea behind the SSL certificates.

Further, this is how it is documented in the SSL_CTX_load_verify_locations() function nginx is using:

       SSL_CTX_load_verify_locations - set default locations for trusted CA

I suspect that the idea is that any self-signed cert can be consider to be a CA for itself, and hence it is a CA regardless of the CA bit. Note well that the documentation does not talk about "CA bit", it says "CA certificates", much like the OpenSSL documentation above.

Wikipedia authors seems to think in the same way, quoting the Certificate_authority article:

Any site using self-signed certificates acts as its own CA.

Given the above, I don't think documentation changes are needed. If you still think they are, consider submitting a patch for the documentation.

Note: See TracTickets for help on using tickets.