Opened 3 weeks ago

Last modified 3 weeks ago

#2297 new enhancement

Nginx does not provide option to read the certificate chain

Reported by: MandeepSinghChhabra@… Owned by:
Priority: minor Milestone:
Component: nginx-module Version: 1.19.x
Keywords: Cc: MandeepSinghChhabra@…
uname -a: Linux 71de78ac83ec 5.11.0-41-generic #45~20.04.1-Ubuntu SMP Wed Nov 10 10:20:10 UTC 2021 x86_64 Linux
nginx -V: nginx version: nginx/1.21.4
built by gcc 10.3.1 20210424 (Alpine 10.3.1_git20210424)
built with OpenSSL 1.1.1l 24 Aug 2021
TLS SNI support enabled


There is a server which has two known local CAs. One is a root ca (which is a self signed ca) and the other is an intermediate ca , signed by the root ca. Intermediate CA has issued a client certificate which is
shared with the client along with the chain(intermediate + root).

The chain looks as following:

ClientCert -> IntermediateCACert -> RootCACert

root ca certificate is the CA certificate which has been added in the trusted CA certificate list for the web.

From the client side, the chain is being used to establish the connection with the server. The connection gets established successfully.

Nginx does the SSL termination. Although there are options to fetch the client certificate (only the leaf certificate, using variable ssl_client_cert), there is no way to get the entire chain of certificates from Nginx.

Change History (1)

comment:1 by Maxim Dounin, 3 weeks ago

For the record, the reporter submitted a patch to address this. Here is the initial review. The main question is:

You may want to be more specific about which problem you are trying to solve. In particular, all root and intermediate certificates are expected to be known on the server. If they aren't for some reason, it might be a good idea to clarify why they aren't known or reconsider particular configuration.

Note: See TracTickets for help on using tickets.