Need Certificate chain (on the incoming interface) from Nginx

Time:11-17

I am using a setup wherein a chain certificate (Root CA Cert -> Intermediate CA Cert -> Client Cert) is being sent to the Nginx. I need to configure Nginx in such a way that it forwards the entire certificate chain to the middleware. Right now, it is just sending the leaf certificate, i.e. the client certificate. I found the following options in Nginx's documentation (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_client_certificate):

  • $ssl_client_escaped_cert
  • $ssl_client_cert

None of the above returns the full certificate chain. Is anyone aware if there is such an option available?

CodePudding user response:

This seems to be impossible by design - see https://serverfault.com/questions/576965/nginx-proxy-pass-with-a-backend-requesting-client-certificates

The usage of $ssl_client_escaped_cert (as explained in https://clairekeum.wordpress.com/2018/12/05/passing-client-cert-through-nginx-to-the-backend/) seems to be your only option.

CodePudding user response:

This may not be a complete answer, but thought I'd post some resources that may give you a couple of ideas.

If you want the client cert details downstream, then one option is to avoid terminating Mutual TLS in nginx by using the stream module. Here is an example:

In this setup there are 2 Mutual TLS connections being routed via nginx:

  • To authenticate with an Authorization Server - where Mutual TLS is not handled by nginx
  • To call an API with a certificate bound access token - where nginx terminates TLS

Note that this uses a Lua plugin and the ssl_client_raw_cert property to do the extra work of calculating a SHA256 thumbprint, which NGINX itself does not support.

Generally though it makes sense to externalise Mutual TLS plumbing from application level components, as in the above example. E.g. you can forward ssl_client_escaped_cert to your middleware, but perhaps nginx should do the more detailed work of checking issuers.
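Putting the two answers together, as an added example that is not part of the original thread: nginx hands the backend only the leaf certificate, as URL-escaped PEM in $ssl_client_escaped_cert (first answer), and anything beyond nginx's own SHA-1 $ssl_client_fingerprint, such as the SHA-256 thumbprint used for certificate-bound access tokens (second answer), has to be computed downstream or in Lua. The chain itself is validated inside nginx (ssl_verify_depth must be 2 for Root -> Intermediate -> Client) and never reaches the middleware. The Python below is the middleware side. It assumes an nginx server block with `ssl_verify_client on;`, `ssl_verify_depth 2;` and `proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;` (the header name is a hypothetical choice); it decodes the header back to DER, sanity-checks the DER framing, and computes base64url(SHA-256(DER)) without padding, the x5t#S256 form from RFC 8705. The sample certificate bytes are constructed for the demo and are not a real X.509 certificate.

```python
"""Middleware-side handling of the client certificate forwarded by nginx.

Assumed (hypothetical) nginx configuration, not from the original thread:

    ssl_client_certificate /etc/nginx/ca-chain.pem;   # root + intermediate
    ssl_verify_client on;
    ssl_verify_depth 2;                               # Root -> Intermediate -> Client
    proxy_set_header X-SSL-Client-Cert $ssl_client_escaped_cert;

nginx exposes only the leaf certificate as URL-escaped PEM. When no client
certificate was presented the variable is empty and nginx drops the header.
"""
import base64
import hashlib
import urllib.parse

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def check_der_sequence(der):
    """Cheap framing check: the blob must be exactly one outer DER SEQUENCE.

    This is not X.509 parsing; it rejects truncated or padded blobs before
    their hash is used as an identity.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER does not start with a SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length, 1..4 bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    if header + length != len(der):
        raise ValueError("DER length does not match body")


def header_to_der(header_value):
    """Convert the X-SSL-Client-Cert header value to DER bytes.

    Returns None when nginx sent no certificate (header absent or empty).
    Raises ValueError when the header is present but is not a single PEM
    certificate, e.g. someone tried to smuggle a chain in.
    """
    if not header_value:
        return None
    pem = urllib.parse.unquote(header_value)      # undo %0A, %2B, %2F, %3D ...
    lines = [ln.strip() for ln in pem.strip().splitlines() if ln.strip()]
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        raise ValueError("header is not a single PEM certificate")
    if PEM_BEGIN in lines[1:-1]:
        raise ValueError("more than one certificate in header")
    try:
        der = base64.b64decode("".join(lines[1:-1]), validate=True)
    except ValueError:                            # binascii.Error is a ValueError
        raise ValueError("PEM body is not valid base64")
    check_der_sequence(der)
    return der


def x5t_s256(der):
    """RFC 8705 confirmation thumbprint: base64url(SHA-256(DER)), no padding."""
    digest = hashlib.sha256(der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def thumbprint_from_header(header_value):
    """None when no client cert was sent, otherwise the x5t#S256 string."""
    der = header_to_der(header_value)
    return None if der is None else x5t_s256(der)


def make_escaped_header(der):
    """Mimic $ssl_client_escaped_cert: PEM wrapped at 64 columns, URL-escaped."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return urllib.parse.quote(f"{PEM_BEGIN}\n{body}\n{PEM_END}\n", safe="")


# Constructed stand-in for a certificate: one SEQUENCE with a long-form length
# covering 300 deterministic bytes. It is NOT a real X.509 certificate.
SAMPLE_BODY = bytes((i * 7 + 3) % 256 for i in range(300))
SAMPLE_DER = b"\x30\x82" + len(SAMPLE_BODY).to_bytes(2, "big") + SAMPLE_BODY
SAMPLE_HEADER = make_escaped_header(SAMPLE_DER)

if __name__ == "__main__":
    print("x5t#S256 =", thumbprint_from_header(SAMPLE_HEADER))
    print("no cert  =", thumbprint_from_header(""))
```

The middleware should treat a present-but-unparseable header as a hard failure rather than falling back to an unauthenticated path, and it must only trust the header on the interface that nginx proxies to; a client that can reach the backend directly could set X-SSL-Client-Cert itself, so the header carries identity only because nginx has already verified the chain.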
