Does Nginx allow specifying multiple root certificates for client certificate verification?

For a project as part of the European Grid Infrastructure (EGI) we need
SSL client certificate verification for a service running on nginx. As
there are several root CAs allowed within EGI, we need nginx to check
them all during client certificate validation. In the documentation of
nginx I could only find the parameter ssl_client_certificate, which
allows specifying just one file containing a root certificate.

Is there a way to specify more than one root CA for client certificate
verification in nginx, or do I have to use Apache for this?

Posted at Nginx Forum:

Hello!

On Tue, Jul 31, 2012 at 05:43:31AM -0400, ffeldhaus wrote:

> For a project as part of the European Grid Infrastructure (EGI) we need
> SSL client certificate verification for a service running on nginx. As
> there are several root CAs allowed within EGI, we need nginx to check
> them all during client certificate validation. In the documentation of
> nginx I could only find the parameter ssl_client_certificate, which
> allows specifying just one file containing a root certificate.
>
> Is there a way to specify more than one root CA for client certificate
> verification in nginx, or do I have to use Apache for this?

Yes. Just put multiple root CA certificates into a file specified
in the ssl_client_certificate directive.

Note the docs explicitly say “certificates” (plural), see
Module ngx_http_ssl_module.

Maxim D.

Hi,

Maxim D. Wrote:

> Yes. Just put multiple root CA certificates into a file specified
> in the ssl_client_certificate directive.
>
> Note the docs explicitly say “certificates” (plural), see
> Module ngx_http_ssl_module.

I had hoped there would be another way. Putting the currently 105
certificates in one file may work, but the problem is that the
certificates may change, and with 105 CA certificates at the moment the
chance that a certificate is updated/revoked is not negligible anymore.
I could write a cron job to update the single certificate file after
each update, but it would be much easier if nginx supported multiple
CA certificate files out of the box. For Apache there is a directive
called SSLCACertificatePath to do just this. Do you think this could be
a feature worth implementing in Nginx? If so, how could I help?

Florian Feldhaus

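The cron-job approach Florian describes, concatenating every CA file into the single file named by ssl_client_certificate and then reloading nginx, as an added example (this is not code from the thread or from nginx). The directory layout, the file suffixes and the demo's certificate bytes are assumptions:

```python
import base64, hashlib, os, re, tempfile

# One PEM certificate block; re.S lets the base64 body span several lines.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def extract_certs(text):
    """Return [(sha256 of DER, re-wrapped PEM)] for each cert block in text."""
    certs = []
    for body in PEM_CERT.findall(text):
        b64 = "".join(body.split())                  # drop line breaks
        der = base64.b64decode(b64, validate=True)   # raises on a corrupt block
        pem = "-----BEGIN CERTIFICATE-----\n" + "\n".join(
            b64[i:i + 64] for i in range(0, len(b64), 64)
        ) + "\n-----END CERTIFICATE-----\n"
        certs.append((hashlib.sha256(der).hexdigest(), pem))
    return certs

def build_bundle(ca_dir, bundle_path, suffixes=(".pem", ".crt", ".0")):
    """Concatenate all CA certs under ca_dir into bundle_path, the file nginx
    reads via `ssl_client_certificate` (with `ssl_verify_client on;`).
    Identical certs in several files are written once; write-to-temp plus
    rename means a concurrent `nginx -s reload` never sees a partial file."""
    seen = {}
    for name in sorted(os.listdir(ca_dir)):          # assumed: flat directory
        if name.endswith(suffixes):                  # ".0" = c_rehash style names
            with open(os.path.join(ca_dir, name), encoding="ascii") as f:
                for fp, pem in extract_certs(f.read()):
                    seen.setdefault(fp, pem)
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(bundle_path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write("".join(seen.values()))
    os.chmod(tmp, 0o644)
    os.replace(tmp, bundle_path)                     # atomic rename on POSIX
    return len(seen)

def demo():
    """Constructed input: three files, one duplicated cert, one ignored suffix."""
    d = tempfile.mkdtemp()
    def pem(payload):  # placeholder DER bytes, not a real certificate
        b64 = base64.b64encode(payload).decode()
        return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
    files = {"ca-a.pem": pem(b"constructed der A"),
             "ca-b.0": pem(b"constructed der B") + pem(b"constructed der A"),
             "NOTES.txt": pem(b"ignored: wrong suffix")}
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as f:
            f.write(text)
    return build_bundle(d, os.path.join(d, "ca-bundle.pem"))  # -> 2
```

After the bundle changes, the cron job only needs to issue a configuration reload; nginx keeps serving with the old bundle until the new one is loaded.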

Hello!

On Tue, Jul 31, 2012 at 11:21:26AM -0400, ffeldhaus wrote:

> I had hoped there would be another way. Putting the currently 105
> certificates in one file may work, but the problem is that the
> certificates may change, and with 105 CA certificates at the moment the
> chance that a certificate is updated/revoked is not negligible anymore.

If a CA certificate is updated/revoked it probably needs some double
checking by a human anyway. Updating the file and asking nginx to
reload its config isn’t going to be a big deal then.

> I could write a cron job to update the single certificate file after
> each update, but it would be much easier if nginx supported multiple
> CA certificate files out of the box. For Apache there is a directive
> called SSLCACertificatePath to do just this. Do you think this could be
> a feature worth implementing in Nginx? If so, how could I help?

“Certificate file” vs “certificate path” difference isn’t about
running something after updates of certificates or not (in both
cases you have to update something, either cat to a single file or
the c_rehash script to create symbolic links in case of CApath).
The difference is about certificates in memory vs. certificates on
disk, and the latter implies syscalls and disk access on each
certificate check.

As nginx is designed to work under high loads, with many requests
(and handshakes) per second, it uses the CAfile variant. And as nginx
configuration reload is seamless, it’s unlikely the CApath variant
will add any extra value.

Maxim D.

Maxim D. Wrote:

> If a CA certificate is updated/revoked it probably needs some double
> checking by a human anyway. Updating the file and asking nginx to
> reload its config isn’t going to be a big deal then.

I don’t agree. For most Linux distributions you get a list of CA
certificates automatically installed, and they are often updated
transparently to the administrator. For EGI this is even more true, as
there is a secure, certified way in which certificates are created / updated
/ removed by a daily cron job. Again, this is transparent to the user.

> The difference is about certificates in memory vs. certificates on
> disk, and the latter implies syscalls and disk access on each
> certificate check.
>
> As nginx is designed to work under high loads, with many requests
> (and handshakes) per second, it uses the CAfile variant. And as nginx
> configuration reload is seamless, it’s unlikely the CApath variant
> will add any extra value.

I disagree. The fastest way to do a lookup is to use the hash-based
filename lookup. If there are lots of certificates in one file, the
lookup will take a lot longer than the creation of a hash for the CA to
be looked up and then the lookup using the hash-based filenames of the
CA certificates. It would be interesting to see why the Apache guys are
using the hash-based CA lookup, and also a profiling of file vs.
directory based CA lookup. If I find the time, I will measure the
response time for Apache using both methods and compare them to Nginx.

Cheers,
Florian
