Opened 2 years ago
Closed 2 years ago
Last modified 13 months ago
#2106 closed enhancement (wontfix)
How can I read Subject Alternative name from client certificate?
|Reported by:||Owned by:|
|Keywords:||Subject Alternative Name||Cc:|
How can I read Subject Alternative name from client certificate? Currently, to the best of our knowledge, no variable defined in SSL module can extract this information. It would be nice to have a variable similar to $ssl_client_s_dn for this specific field or a general variable for the full certificate.
Change History (4)
comment:1 by , 2 years ago
comment:2 by , 2 years ago
@Maxim: As per my use case, I want to retrieve SAN from user certificate and pass it to backend servers as header using proxy_pass.
something like this: proxy_set_header SAN $ssl_client_escaped_cert_san;
The content of $ssl_client_escaped_cert is not readable. How can I parse it and extract SAN inside NGINX.conf and pass same to backend server?
comment:3 by , 2 years ago
|Status:||new → closed|
The $ssl_client_escaped_cert is a client certificate in PEM format, additionally urlencoded. To parse it, consider using your favorite programming language and its functions. I would recommend to pass it to the backend server and parse it on the backend server. If you want to do this in nginx itself rather than on the backend server, Perl and njs modules are available, as well as various 3rd party modules providing other languages.
comment:4 by , 13 months ago
See also #2355.
The full certificate in PEM format is available in the $ssl_client_raw_cert variable (and the
$ssl_client_escaped_certis an escaped version suitable for
proxy_set_headerif you need to pass it to a backend for parsing). If you want to extract subject alternative names from a certificate, you certainly can do so using the
$ssl_client_raw_certand your favorite language to do appropriate parsing.
If you want nginx to provide some native variable (or variables) for subject alternative names, please elaborate how you expect it to work (note that there can be multiple alternative names of different types) and how you expect it to be used.