Validate Client certificate SDN fields (CN, OU, O, etc..) at Nginx

Hi friends,
I’m trying to validate my client certificate SDN fields (CN, OU, O,
etc.) at the Nginx server. I find so many internet resources for Apache but
not Nginx. Does Nginx support validating SDN fields? BTW, I’m using Nginx
1.6.2.
Please help me with this.

Regards,
Sandeep

Posted at Nginx Forum:

On Tue, Nov 25, 2014 at 10:19:35AM -0500, sandeepkolla99 wrote:

Hi there,

> I'm trying to validate my client certificate SDN fields (CN, OU, O,
> etc.) at the Nginx server. I find so many internet resources for Apache but not
> Nginx. Does Nginx support validating SDN fields? BTW, I’m using Nginx 1.6.2.

What do you understand by the term “validating SDN fields”?

Is it something different from what ssl_verify_client gives?

http://nginx.org/r/ssl_verify_client

You get some of the strings in variables, and you get the whole
certificate in other variables, if you want to do some other processing.

f

Francis D. [email protected]

Hi Francis,
Thanks for your quickest response.

My nginx.conf is like this:

    ssl_certificate server.pem;
    ssl_certificate_key server.key;
    ssl_client_certificate ca.pem;
    ssl_verify_client on;

I’m able to verify the client certificate successfully. Now, additionally I
want to perform the following three validations on the client certificate.

I want to check if

  1. the subject distinguished “OU” value of the client certificate is some
     “myOU” (it's just an example string),

  2. the subject distinguished “O” value of the client certificate is some
     “myO” (it's just an example string),

  3. the subject distinguished “CN” value of the client certificate is “myCN”
     (it's just an example string).

I’m trying to find the nginx configuration statements to implement these
validations. Please let me know if I need to elaborate this further.

Regards,
Sandeep


On Wed, Nov 26, 2014 at 11:24:45AM -0500, sandeepkolla99 wrote:

Hi there,

> I’m able to verify the client certificate successfully. Now, additionally I want
> to perform the following three validations on the client certificate.

You have $ssl_client_s_dn.

If you want to stay purely in nginx.conf, can you use “map” or another
regex match to extract the parts that you want into whatever variables
you want?

If you intend to use some backend processor (proxy_pass, fastcgi_pass),
then potentially you could send the variables or the certificate there
for validation.

Or you could use one of the embedded languages to access the same
variables.

I am not aware that stock nginx auto-creates extra variables beyond those
which are in the documentation – if you want more, you do it yourself.

> I’m trying to find the nginx configuration statements to implement these
> validations. Please let me know if I need to elaborate this further.

Use “if” to compare (bits of) $ssl_client_s_dn with the thing you want,
and act accordingly.

f

Francis D. [email protected]
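One way to write the three subject checks Francis describes with "map" on $ssl_client_s_dn, as an added example that is not from either poster. It assumes nginx 1.6.2's legacy one-line subject format, and the proxy_pass address and the myOU/myO/myCN values are placeholders.

```nginx
# Added example, not from the thread. Assumes nginx 1.6.2, whose
# $ssl_client_s_dn uses the legacy OpenSSL one-line form, e.g.
# "/C=US/O=myO/OU=myOU/CN=myCN". nginx 1.11.6 and later switched to the
# RFC 2253 form ("CN=myCN,OU=myOU,O=myO"); there the patterns would read
# "~(^|,)OU=myOU(,|$)" and so on.
# The legacy form does not escape "/" inside values, so this check assumes
# the issuing CA (ca.pem) is under your control.
# "map" blocks must sit in the http context, outside server {}.

# One map per attribute, so the order of RDNs in the subject does not matter.
map $ssl_client_s_dn $cert_ou_ok {
    default          0;
    "~/OU=myOU(/|$)" 1;
}

map $ssl_client_s_dn $cert_o_ok {
    default          0;
    "~/O=myO(/|$)"   1;
}

map $ssl_client_s_dn $cert_cn_ok {
    default          0;
    "~/CN=myCN(/|$)" 1;
}

# Combine the three flags: only "111" (all matched) clears the reject flag.
map "$cert_ou_ok$cert_o_ok$cert_cn_ok" $cert_subject_rejected {
    default 1;
    "111"   0;
}

server {
    listen 443 ssl;

    ssl_certificate        server.pem;
    ssl_certificate_key    server.key;
    ssl_client_certificate ca.pem;
    ssl_verify_client      on;   # chain and signature are checked first

    # Deny before anything is served or proxied when the verified
    # certificate's subject lacks the expected OU, O and CN.
    if ($cert_subject_rejected) {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;   # placeholder backend
    }
}
```

Requests with no certificate, or one that does not chain to ca.pem, are already rejected by ssl_verify_client; the maps only narrow the set of accepted subjects.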