Opened 3 years ago

Closed 3 years ago

#2208 closed enhancement (wontfix)

time to add something like a SSLCertificateChainFile config option

Reported by: f1-outsourcing@…
Owned by:
Priority: minor
Milestone:
Component: nginx-core
Version: 1.19.x
Keywords:
Cc:
uname -a: Linux meet 4.4.0-201-generic #233-Ubuntu SMP Thu Jan 14 06:10:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: @meet:/var/log/nginx# nginx -V
nginx version: nginx/1.10.3 (Ubuntu)
built with OpenSSL 1.0.2g 1 Mar 2016
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wdate-time -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -Wl,-z,now' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/ --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_v2_module --with-http_sub_module --with-http_xslt_module --with-stream --with-stream_ssl_module --with-mail --with-mail_ssl_module --with-threads --add-module=/build/nginx-41auzt/nginx-1.10.3/debian/modules/nginx-auth-pam --add-module=/build/nginx-41auzt/nginx-1.10.3/debian/modules/nginx-dav-ext-module --add-module=/build/nginx-41auzt/nginx-1.10.3/debian/modules/nginx-echo --add-module=/build/nginx-41auzt/nginx-1.10.3/debian/modules/nginx-upstream-fair --add-module=/build/nginx-41auzt/nginx-1.10.3/debian/modules/ngx_http_substitutions_filter_module

Description (last modified by Maxim Dounin)

It would be great to be able to specify intermediate certs separately; it just makes updating the cert easier. Almost any application supports specifying the cert separately.

Create new config option or maybe allow "ssl_certificate" to be specified multiple times?

Change History (1)

comment:1 by Maxim Dounin, 3 years ago

Description: modified (diff)
Resolution: wontfix
Status: new → closed

The certificate chain is more or less an integral part of a particular certificate; it should be kept and returned to clients along with the certificate itself. Using a single directive (and a single file) to specify both the certificate and the certificate chain is believed to be easier and less error-prone, especially when using multiple certificates of different types.

Note well that updating of a certificate might require updating the chain as well, even if the certificate authority wasn't changed.
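
With a single combined file, order matters: the server certificate has to come first in the `ssl_certificate` file, followed by its chain. The script below is an added example, not part of the ticket or of nginx, that checks a combined file before it is deployed; the function names `make_demo_chain` and `check_bundle` and the demo certificate names are hypothetical, and it assumes the `openssl` command-line tool is installed.

```shell
#!/usr/bin/env bash
# Added example, not nginx code. Needs the openssl CLI; all names are constructed.
# make_demo_chain DIR: throwaway root -> intermediate -> leaf, valid for one day.
make_demo_chain() {
    local d="$1"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 1 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 1 -out "$d/leaf.pem" 2>/dev/null
}

# check_bundle BUNDLE KEY: prints ok, key-mismatch or bad-order:N (names only).
check_bundle() {
    local bundle="$1" key="$2" d n i
    d=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, keeping file order.
    awk -v d="$d" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$bundle"
    n=$(ls "$d" | wc -l)
    # The private key has to belong to the FIRST certificate in the file.
    if [ "$(openssl x509 -noout -pubkey -in "$d/1.pem")" != \
         "$(openssl pkey -pubout -in "$key")" ]; then
        echo key-mismatch; rm -rf "$d"; return 1
    fi
    # Every certificate must be issued by the one that follows it.
    i=1
    while [ "$i" -lt "$n" ]; do
        if [ "$(openssl x509 -noout -issuer_hash -in "$d/$i.pem")" != \
             "$(openssl x509 -noout -subject_hash -in "$d/$((i + 1)).pem")" ]; then
            echo "bad-order:$i"; rm -rf "$d"; return 1
        fi
        i=$((i + 1))
    done
    echo ok; rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    t=$(mktemp -d) && make_demo_chain "$t"
    cat "$t/leaf.pem" "$t/int.pem" > "$t/fullchain.pem"  # server cert first
    cat "$t/int.pem" "$t/leaf.pem" > "$t/swapped.pem"    # chain first
    check_bundle "$t/fullchain.pem" "$t/leaf.key"
    check_bundle "$t/swapped.pem" "$t/leaf.key"
fi
```

Run with `--demo` to build the constructed chain and check both orderings. The check compares issuer and subject names only and does not verify signatures or expiry.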
