Opened 6 weeks ago

Closed 5 weeks ago

#2106 closed enhancement (wontfix)

How can I read Subject Alternative name from client certificate?

Reported by: stackoverflow12301230@… Owned by:
Priority: major Milestone:
Component: nginx-module Version: 1.6.x
Keywords: Subject Alternative Name Cc:
uname -a: N/A
nginx -V: N/A


How can I read Subject Alternative name from client certificate? Currently, to the best of our knowledge, no variable defined in SSL module can extract this information. It would be nice to have a variable similar to $ssl_client_s_dn for this specific field or a general variable for the full certificate.

Change History (3)

comment:1 by Maxim Dounin, 6 weeks ago

The full certificate in PEM format is available in the $ssl_client_raw_cert variable (and the $ssl_client_escaped_cert is an escaped version suitable for proxy_set_header if you need to pass it to a backend for parsing). If you want to extract subject alternative names from a certificate, you certainly can do so using the $ssl_client_raw_cert and your favorite language to do appropriate parsing.

If you want nginx to provide some native variable (or variables) for subject alternative names, please elaborate how you expect it to work (note that there can be multiple alternative names of different types) and how you expect it to be used.

comment:2 by stackoverflow12301230@…, 6 weeks ago

@Maxim: As per my use case, I want to retrieve SAN from user certificate and pass it to backend servers as header using proxy_pass.

something like this: proxy_set_header SAN $ssl_client_escaped_cert_san;

The content of $ssl_client_escaped_cert is not readable. How can I parse it and extract SAN inside NGINX.conf and pass same to backend server?

comment:3 by Maxim Dounin, 5 weeks ago

Resolution: wontfix
Status: newclosed

The $ssl_client_escaped_cert is a client certificate in PEM format, additionally urlencoded. To parse it, consider using your favorite programming language and its functions. I would recommend to pass it to the backend server and parse it on the backend server. If you want to do this in nginx itself rather than on the backend server, Perl and njs modules are available, as well as various 3rd party modules providing other languages.

Note: See TracTickets for help on using tickets.