Welcome! Log In Create A New Profile

Advanced

Different certificates and keys for server and client verification

Posted by spacerobot 
Hi,

I want my nginx listener to use SSL and do both server and client
verification. However, I want it to use different certificates and keys for
server vs client verification. The reason is that I want to use a properly
signed certificate for the server verification and a self signed certificate
for client verification (in order to manage allowed clients).

Is there a way to achieve this?

Thanks!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278466,278466#msg-278466

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Yes - SSL and Client certs are completely orthogonal. However nginx needs to know about whatever cert is used to sign the client certs. Each client can't create completely distinct self-signed certs; they have to be signed by an issuer that nginx trusts. The blog posts at [1] and [2] do a pretty good job outlining the process for client certs. Notice that they both basically start with creating a CA you are going to use to issue client certs.

[1] http://nategood.com/client-side-certificate-authentication-in-ngi
[2] https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

Jason

-----Original Message-----
From: nginx [mailto:[email protected]] On Behalf Of spacerobot
Sent: Friday, February 09, 2018 12:57 PM
To: nginx@nginx.org
Subject: [IE] Different certificates and keys for server and client verification

Hi,

I want my nginx listener to use SSL and do both server and client verification. However, I want it to use different certificates and keys for server vs client verification. The reason is that I want to use a properly signed certificate for the server verification and a self signed certificate for client verification (in order to manage allowed clients).

Is there a way to achieve this?

Thanks!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278466,278466#msg-278466

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

This message contains proprietary information from Equifax which may be confidential. If you are not an intended recipient, please refrain from any disclosure, copying, distribution or use of this information and note that such actions are prohibited. If you have received this transmission in error, please notify by e-mail postmaster@equifax.com. Equifax® is a registered trademark of Equifax Inc. All rights reserved.
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Sorry, only registered users may post in this forum.

Click here to login