Hi,
My Nginx is set up for Mutual SSL and it works well for the below nginx configuration.
Hierarchy of certificates is:

            RootCA
              |
              V
        IntermediateCA
              |
              V
    ClientCert  ServerCert

But if I add ‘ssl_crl RootCACRL.pem’ or ‘ssl_crl IntermediateCRL.pem’ to above configuration, I see the below error. By the way, RootCACRL.pem and IntermediateCRL.pem files don’t have any revoked certificates.

On Thu, Dec 11, 2014 at 02:03:35PM -0500, sandeepkolla99 wrote:
> But if I add ‘ssl_crl RootCACRL.pem’ or ‘ssl_crl IntermediateCRL.pem’ to
> above configuration, I see the below error. By the way, RootCACRL.pem and
> IntermediateCRL.pem files don’t have any revoked certificates.
>
> 400 Bad Request
> The SSL certificate error
> nginx/1.6.2

The “ssl_crl” should contain CRLs for all certificates in the
chain, that is, both RootCA and IntermediateCA in your case.
There should be a message in the error log (at “info” level)
explaining what’s wrong.
Just combining IntermediateCRL.pem and RootCACRL.pem into a single
file and using it in the “ssl_crl” directive should fix this.
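
Added example, not part of the thread or of nginx: a shell script that builds a constructed throwaway PKI with the thread's certificate names and runs `openssl verify -crl_check_all`, which requires a CRL for every certificate in the chain as the reply describes for `ssl_crl`, against each CRL alone and against the combined file. The file names `ca-bundle.pem`, `crl-bundle.pem`, `*.crl` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: constructed throwaway PKI, RootCA -> IntermediateCA -> ClientCert.
set -eu
make_pki() (   # $1 = empty directory to populate (file names are assumptions)
  cd "$1"
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = CA_default
[CA_default]
database = index.txt
default_md = sha256
default_crl_days = 30
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  : > index.txt            # empty CA database: the CRLs revoke nothing
  exec >/dev/null 2>&1     # silence openssl's progress output
  openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
    -subj /CN=RootCA -days 30 -keyout RootCA.key -out RootCA.pem
  for n in IntermediateCA ClientCert; do
    openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$n" \
      -keyout "$n.key" -out "$n.csr"
  done
  openssl x509 -req -in IntermediateCA.csr -CA RootCA.pem -CAkey RootCA.key \
    -CAcreateserial -extfile ca.cnf -extensions v3_ca -days 30 -out IntermediateCA.pem
  openssl x509 -req -in ClientCert.csr -CA IntermediateCA.pem \
    -CAkey IntermediateCA.key -CAcreateserial -days 30 -out ClientCert.pem
  for ca in RootCA IntermediateCA; do
    openssl ca -gencrl -config ca.cnf -cert "$ca.pem" -keyfile "$ca.key" -out "$ca.crl"
  done
  cat RootCA.pem IntermediateCA.pem > ca-bundle.pem
  cat RootCA.crl IntermediateCA.crl > crl-bundle.pem   # the fix from the reply
)

# Offline version of the rule from the reply: a CRL for every cert in the chain.
chain_ok() {   # $1 = PKI directory, $2 = CRL file inside it
  openssl verify -crl_check_all -CAfile "$1/ca-bundle.pem" -CRLfile "$1/$2" \
    "$1/ClientCert.pem" >/dev/null 2>&1 && echo OK || echo FAIL
}
demo() {
  d=$(mktemp -d); make_pki "$d"
  echo "root-only=$(chain_ok "$d" RootCA.crl)" \
       "intermediate-only=$(chain_ok "$d" IntermediateCA.crl)" \
       "combined=$(chain_ok "$d" crl-bundle.pem)"
  rm -rf "$d"
}
demo
```
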
We’re in a similar situation, but with many intermediate CAs and root CAs for all the possible client certificates we accept.
We have all of these concatenated into a single file for the ssl_client_certificate directive.
We have CRLs for some of these and not for others.
Is there any way we can configure nginx so it will honour the ones we have, without requiring us to have a CRL for all of them?
We’ve tried combining the ones we have into a single file, and using that in the ssl_crl directive, but it still gives us a 400 Bad Request error.
With Apache we were able to specify the directory they are all in, and have it process the ones we have.
Posted at Nginx Forum: