NGinx SSL certificate authentication signed by intermediate CA (chain)
I have to say its working fine for me with nginx/1.13.2, i.e.
- I have one root CA that signed two intermediate CAs
- both intermediates each signed a client
I concat the certs like
cat client-intermediate1.crt ca-client.crt > ca.chained1.crtandcat client-intermediate2.crt ca-client.crt > ca.chained2.crtandcat ca.chained1.crt ca.chained2.crt > ca.multiple.intermediate.crtif I only put ca.chained1.crt as
ssl_client_certificatethen only client1.crt can connect, likewise for ca.chained2.crt/client2.crt- when I use
ca.multiple.intermediate.crtthen both clients can connect
for revoking an intermediate, simply remove the cert chain from the ca.multiple.intermediate.crt
here is the relevant config. its also has high security settings
# minimum settings for ssl client auth
ssl_client_certificate /etc/ssl/ca.multiple.intermediate.crt;
ssl_verify_client on;
ssl_verify_depth 2;
# ssl high security settings (as of writing this post)
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;
if you want to parse out the certs CN and pass it on to backend, then add this OUTSIDE the server {.. block
# parse out CN
map $ssl_client_s_dn $ssl_client_s_dn_cn {
default "should_not_happen";
~CN=(?<CN>[^,]+) $CN;
}
and INSIDE the block you can use it then
# add headers for backend containing SSL DN/CN
add_header X-SSL-client-s-dn $ssl_client_s_dn;
add_header X-SSL-client-s-dn_cn $ssl_client_s_dn_cn;
Have you tried increasing ssl_verify_depth directive? Docs say:
(it) sets a verification depth in the client certificates chain.
But your verify depth is 1. You say:
I have experimented with setting ssl_verify_depth explicitly to 1 (as above) and then even 0 (not sure what that number means exactly), but still get same error.
So, try 2 or 3..
PS:
Everywhere where I find this problem mentioned, its told to combine intermediate CA certificates with you server cert. into one file (as @vikas-nalwar suggested and you did) in order of verification (but i'm not sure if the order matters) and roughly speaking set ssl_verify_depth to number of certs in the bundle.
Edit: I had also this "problem", solution and explanation is at the bottom of the text.
It seemed like nginx doesn't support intermediate certificates. My certs self created: (RootCA is selfsigned, IntrermediateCA1 is signed by RootCA, etc.)
RootCA -> IntermediateCA1 -> Client1
RootCA -> IntermediateCA2 -> Client2
I want to use in nginx "IntermediateCA1", to allow access to site only to owner of the "Client1" certificate.
When I put to "ssl_client_certificate" file with IntermediateCA1 and RootCA, and set "ssl_verify_depth 2" (or more) , clients can login to site both using certificate Client1 and Client2 (should only Client1). The same result is when I put to "ssl_client_certificate" file with only RootCA - both clients can login.
When I put to "ssl_client_certificate" file with only IntermediateCA1, and set "ssl_verify_depth 1" (or "2" or more - no matter) , it is imposible to log in, I get error 400. And in debug mode i see logs:
verify:0, error:20, depth:1, subject:"/C=PL/CN=IntermediateCA1/[email protected]",issuer: "/C=PL/CN=RootCA/[email protected]"
verify:0, error:27, depth:1, subject:"/C=PL/CN=IntermediateCA1/[email protected]",issuer: "/C=PL/CN=RootCA/[email protected]"
verify:1, error:27, depth:0, subject:"/C=PL/CN=Client1/[email protected]",issuer: "/C=PL/CN=IntermediateCA1/[email protected]"
(..)
client SSL certificate verify error: (27:certificate not trusted) while reading client request headers, (..)
I thing this is a bug. Tested on Ubuntu, nginx 1.1.19 and 1.2.7-1~dotdeb.1, openssl 1.0.1. I see that nginx 1.3 has few more options about using client certificates, but I'dont see solution to this problem.
Currently, the only one way to separate clients 1 and 2 is to create two, selfsigned RootCAs, but this is only workaround..
Edit 1: I've reported this issue here: http://trac.nginx.org/nginx/ticket/301
Edit 2" *Ok, it's not a bug, it is feature ;)*
I get response here: http://trac.nginx.org/nginx/ticket/301 It is working, you must only check what your ssl_client_i_dn is (. Instead of issuer you can use also subject of certificate, or what you want from http://wiki.nginx.org/HttpSslModule#Built-in_variables
This is how certificate verification works: certificate must be verified up to a trusted root. If chain can't be built to a trusted root (not intermediate) - verification fails. If you trust root - all certificates signed by it, directly or indirectly, will be successfully verified.
Limiting verification depth may be used if you want to limit client certificates to a directly issued certificates only, but it's more about DoS prevention, and obviously it can't be used to limit verificate to intermediate1 only (but not intermediate2).
What you want here is some authorization layer based on the verification result - i.e. you may want to check that client's certificate issuer is intermediate1. Simplest solution would be to reject requests if issuer's DN doesn't match one allowed, e.g. something like this (completely untested):
[ Edit by me, it is working correctly in my configuration ]
server {
listen 443 ssl;
ssl_certificate ...
ssl_certificate_key ...
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client on;
ssl_verify_depth 2;
if ($ssl_client_i_dn != "/C=PL/CN=IntermediateCA1/[email protected]") {
return 403;
}
}