Different certificates and keys for server and client verification


Andrzej Walas
Hi,

I want my nginx listener to use SSL and do both server and client
verification. However, I want it to use different certificates and keys for
server vs client verification. The reason is that I want to use a properly
signed certificate for the server verification and a self signed certificate
for client verification (in order to manage allowed clients).

Is there a way to achieve this?

Thanks!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278466,278466#msg-278466

_______________________________________________
nginx mailing list
[hidden email]
http://mailman.nginx.org/mailman/listinfo/nginx

RE: Different certificates and keys for server and client verification

Jason Whittington
Yes - SSL and Client certs are completely orthogonal.  However nginx needs to know about whatever cert is used to sign the client certs.  Each client can't create completely distinct self-signed certs; they have to be signed by an issuer that nginx trusts.   The blog posts at [1] and [2] do a pretty good job outlining the process for client certs.  Notice that they both basically start with creating a CA you are going to use to issue client certs.

[1] http://nategood.com/client-side-certificate-authentication-in-ngi
[2] https://arcweb.co/securing-websites-nginx-and-client-side-certificate-authentication-linux/

Jason

-----Original Message-----
From: nginx [mailto:[hidden email]] On Behalf Of spacerobot
Sent: Friday, February 09, 2018 12:57 PM
To: [hidden email]
Subject: [IE] Different certificates and keys for server and client verification

Hi,

I want my nginx listener to use SSL and do both server and client verification. However, I want it to use different certificates and keys for server vs client verification. The reason is that I want to use a properly signed certificate for the server verification and a self signed certificate for client verification (in order to manage allowed clients).

Is there a way to achieve this?

Thanks!

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,278466,278466#msg-278466
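
The separation described in the reply, as an added configuration sketch that is not from either poster or from the linked blog posts: the server identity uses one certificate and key, while client verification uses a separate private CA. The hostname, file paths, upstream address and header names are placeholders assumed for illustration.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                      # placeholder hostname

    # Server identity: the publicly signed certificate (with its chain)
    # and private key that nginx presents to every connecting client.
    ssl_certificate     /etc/nginx/tls/server-fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/server.key;             # placeholder path

    # Client verification: a separate, private CA that you run yourself.
    # nginx accepts a client certificate only if it chains to a CA in this
    # file, so a certificate a client self-signs on its own is rejected
    # unless that certificate itself is listed here as trusted.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;       # placeholder path
    ssl_verify_client on;      # refuse requests without a valid client cert
    ssl_verify_depth 1;        # client certs issued directly by the CA above

    # Optional: revoke individual clients without reissuing the CA.
    # ssl_crl /etc/nginx/tls/client-ca.crl;                    # placeholder path

    location / {
        # Pass the verification result and subject to the application,
        # so it can authorize per client (header names are assumptions).
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;                      # placeholder upstream
    }
}
```

The private key of the client CA does not need to be on the nginx host; only its certificate does, which limits who can issue new client certificates.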
