How to Configure Nginx with Multiple Root Certificates for Client Certificate Verification


When implementing client certificate authentication in Nginx for environments like EGI (European Grid Infrastructure), you need to accept certificates issued by many different root Certificate Authorities (CAs), because the EGI trust anchor distribution contains many independent CAs. The ssl_client_certificate directive takes a single file, which looks like a limitation at first, but that file may contain any number of PEM-encoded CA certificates concatenated one after another, so the real task is building and maintaining one bundle file.

The most straightforward solution is to concatenate all root CA certificates into a single file:

# Combine multiple CA certificates into one file (PEM certificates only,
# never private keys; the order of the certificates does not matter)
cat ca-root-1.pem ca-root-2.pem ca-root-3.pem > combined-ca.pem
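A plain cat works, but a wildcard such as `cat *.pem` happily sweeps a private key or a duplicate CA into the trust store. The following script is an added example (not code from the original page): it builds the bundle from a set of PEM files, refuses anything that is not a CERTIFICATE block, drops duplicates by SHA-256 fingerprint, and emits an inventory of what went in. The sample inputs are constructed stand-ins (minimal DER SEQUENCEs, not real certificates) so it runs offline; the file names are illustrative.

```python
"""Build a deduplicated CA bundle for nginx's ssl_client_certificate.

Added example (not from the original page): keeps only CERTIFICATE blocks,
refuses private keys that a wildcard cat may have swept up, drops duplicate
certificates by SHA-256 fingerprint and returns an inventory of what went in.
Standard library only.
"""
import base64
import hashlib
import re
import sys

# One PEM block: label in the BEGIN/END lines, base64 body in between
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Yield (label, der_bytes) for every PEM block in text."""
    for m in PEM_BLOCK.finditer(text):
        body = "".join(m.group(2).split())
        yield m.group(1), base64.b64decode(body, validate=True)


def to_pem(der):
    """Re-encode DER as a CERTIFICATE block with 64-column lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def build_bundle(sources):
    """sources: {filename: pem_text}. Returns (bundle_text, inventory).

    inventory maps sha256 fingerprint (hex) -> file the certificate came from.
    Raises ValueError on private keys, unexpected block types or non-DER data,
    so a bad input never silently ends up in the trust store."""
    inventory = {}
    out = []
    for name, text in sources.items():
        for label, der in pem_blocks(text):
            if "PRIVATE KEY" in label:
                raise ValueError(f"{name}: contains a private key, refusing to bundle")
            if label != "CERTIFICATE":
                raise ValueError(f"{name}: unexpected PEM block type {label!r}")
            if not der or der[0] != 0x30:          # an X.509 Certificate is a DER SEQUENCE
                raise ValueError(f"{name}: block does not decode to a DER SEQUENCE")
            fp = hashlib.sha256(der).hexdigest()
            if fp in inventory:                    # same CA shipped twice: keep one copy
                continue
            inventory[fp] = name
            out.append(to_pem(der))
    return "".join(out), inventory


def rejects(sources):
    """True if build_bundle refuses these sources (exercises the guard rails)."""
    try:
        build_bundle(sources)
    except ValueError:
        return True
    return False


# Constructed sample input: minimal DER SEQUENCEs standing in for certificates
# (they are NOT valid X.509; only the bundling logic is exercised here)
SAMPLE_FILES = {
    "ca-root-1.pem": to_pem(b"\x30\x03\x02\x01\x01"),
    "ca-root-2.pem": to_pem(b"\x30\x03\x02\x01\x02") + to_pem(b"\x30\x03\x02\x01\x01"),
}
SAMPLE_WITH_KEY = {
    "oops.pem": to_pem(b"\x30\x03\x02\x01\x03")
    + "-----BEGIN PRIVATE KEY-----\nMAA=\n-----END PRIVATE KEY-----\n",
}


def demo():
    """Bundle the sample files; returns (number of unique certs, inventory)."""
    bundle, inventory = build_bundle(SAMPLE_FILES)
    return bundle.count("-----BEGIN CERTIFICATE-----"), inventory


if __name__ == "__main__":
    if len(sys.argv) > 1:      # real use: python bundle.py *.pem > combined-ca.pem
        srcs = {p: open(p).read() for p in sys.argv[1:]}
        bundle, inventory = build_bundle(srcs)
        sys.stdout.write(bundle)
        for fp, src in inventory.items():
            sys.stderr.write(f"{fp}  {src}\n")
    else:
        print(demo())
```

The inventory printed on stderr doubles as the "which CAs are included" record for the bundle; keeping it next to the bundle makes a later refresh diffable.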

Then reference this combined file in your Nginx configuration:

server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    ssl_client_certificate /path/to/combined-ca.pem;
    ssl_verify_client on;
    ...
}

When intermediate CAs sit between the client certificate and a root in your bundle, raise the verification depth; the default of 1 only accepts certificates issued directly by a CA in the bundle:

ssl_verify_depth 2; # root -> intermediate -> client certificate

Nginx does not fetch missing intermediates: the client has to send them as part of its chain, or you include them in the bundle.

If you want nginx to request a certificate but leave the final decision to your configuration or application (per-location rules, or checks that OpenSSL's chain verification cannot express), use optional_no_ca. Nginx still verifies the chain against the bundle and records the outcome in $ssl_client_verify (SUCCESS, FAILED:<reason> or NONE when no certificate was sent), but it no longer aborts the handshake on failure, so every protected location must check the variable itself:

ssl_verify_client optional_no_ca;
location /secure-area {
    # Reject unless nginx's own verification against the bundle succeeded
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
    # Application-level checks (issuer policy, subject allowlist, revocation)
    # can use $ssl_client_s_dn, $ssl_client_i_dn and $ssl_client_raw_cert here
    ...
}

Here's how you might implement this for EGI's infrastructure (check the repository listing for the current bundle file name, and verify the download's integrity before installing it, since this file becomes your trust store):

# Download the EGI trust anchor bundle into the path nginx will read
wget -O /etc/ssl/certs/egi-ca-bundle.pem \
    https://repository.egi.eu/sw/production/cas/1/current/ca-bundle.pem

# Confirm that what you fetched is a set of PEM certificates
grep -c 'BEGIN CERTIFICATE' /etc/ssl/certs/egi-ca-bundle.pem

# Configure Nginx
server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    ssl_client_certificate /etc/ssl/certs/egi-ca-bundle.pem;
    ssl_verify_client on;
    ssl_verify_depth 5;   # grid chains often contain several intermediates

    # Subject and issuer DN of the verified certificate are available in the
    # built-in variables $ssl_client_s_dn and $ssl_client_i_dn; pass them on
    location / {
        proxy_pass http://backend;
        proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
        proxy_set_header X-SSL-Client-I-DN $ssl_client_i_dn;
    }
}

When dealing with large CA bundles:

  • The whole file is parsed at startup and held in memory; every CA in ssl_client_certificate is also advertised to clients by name in the CertificateRequest message, which grows each full handshake
  • Lookup of the issuing CA is by name, so verification cost per handshake stays small; the real cost of each extra CA is that nginx will now accept anything it issues, so restrict by issuer in your application if only some CAs are acceptable for a given service
  • Keep the bundle updated and automate the refresh: CAs are added, rotated and withdrawn from the distribution
  • Monitor verification failures in the error log; a sudden rise usually means a missing intermediate or a stale bundle
  • If only a few CAs are actually used, advertise just those and keep the rest for verification only (see ssl_trusted_certificate below)
  • Document which CAs are included, for example as a fingerprint inventory generated alongside the bundle

If you encounter issues:

# Check that a client certificate chains to the bundle; pass the intermediates
# the client would send with -untrusted, and let -show_chain print the path found
openssl verify -CAfile combined-ca.pem -untrusted intermediates.pem -show_chain client-cert.pem

# Examine Nginx error logs; a rejected client looks like
#   client SSL certificate verify error: (20:unable to get local issuer certificate)
tail -f /var/log/nginx/error.log

To recap the basic setup for EGI (European Grid Infrastructure) ecosystems: the single file that ssl_client_certificate accepts is a combined bundle of all the trusted CA certificates.

# Create combined CA bundle
cat ca-root1.pem ca-root2.pem ca-root3.pem > egi-ca-bundle.pem

# nginx configuration
ssl_client_certificate /etc/nginx/ssl/egi-ca-bundle.pem;
ssl_verify_client on;

The following options build on that.

The CAs in ssl_client_certificate are sent to clients by name in the CertificateRequest message so they can pick a matching certificate. With a large bundle that list becomes big, and it also tells every client which CAs you trust. ssl_trusted_certificate takes a second file of CAs that are used for verification but not advertised, so you can advertise only the CAs your clients actually use and keep the rest in the unadvertised set (if ssl_stapling is enabled, both files are also used to verify OCSP responses):

ssl_client_certificate /etc/nginx/ssl/egi-advertised-cas.pem;   # sent to clients
ssl_trusted_certificate /etc/nginx/ssl/egi-ca-bundle.pem;       # verification only
ssl_verify_client on;
ssl_verify_depth 3;

One caveat: many TLS clients only offer a certificate whose issuer appears in the advertised list, so a client whose CA is only in the unadvertised file may send nothing at all.

When nginx acts as a reverse proxy, it can forward the verification result and the certificate's DN to the backend, which then makes the authorization decision. The backend must trust these headers only on requests that really came through nginx; if a client can reach the backend directly it can set them itself:

location / {
    # Reject at the edge unless nginx verified the chain
    if ($ssl_client_verify != SUCCESS) {
        return 403;
    }
    proxy_pass http://backend;
    # proxy_set_header replaces any same-named header the client sent
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
}
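The optional_no_ca section earlier and the proxy location above both push the final decision to the application. This added example (not code from the original page) shows that backend side in Python: it accepts the forwarded headers only from the proxy's address range, requires SUCCESS, and then restricts by issuer, since a bundle of many CAs means any of them could authenticate a user unless the service narrows that down, and by subject. The X-SSL-Client-I-DN header, the allowlists and the proxy network are assumptions made for the example; DNs are in the RFC 2253 form nginx produces in $ssl_client_s_dn and $ssl_client_i_dn.

```python
"""Backend-side authorization on client-certificate headers set by nginx.

Added example, not from the original page. Assumed for the example: nginx
forwards X-SSL-Client-Verify, X-SSL-Client-DN and X-SSL-Client-I-DN; the
allowlists and the trusted proxy networks below are placeholders. DNs are in
nginx's RFC 2253 form, e.g. "CN=alice,O=Example,C=NL". Standard library only.
"""
import ipaddress

# Assumed deployment facts (replace with your own)
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_ISSUERS = {"CN=Example Root CA,O=Example,C=NL"}
ALLOWED_SUBJECTS = {"CN=alice,O=Example,C=NL"}


def split_dn(dn):
    """Split an RFC 2253 DN into [(ATTR, value), ...].

    Honours backslash escapes such as "\\," inside values; hex escapes
    ("\\2C") are left as-is, which is fine when the allowlists are written
    in the same form."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):        # escaped char belongs to the value
            cur.append(dn[i + 1])
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    out = []
    for rdn in parts:
        attr, _, value = rdn.partition("=")
        out.append((attr.strip().upper(), value))
    return out


def canonical(dn):
    """Comparable form of a DN: tuple of (ATTR, value) pairs."""
    return tuple(split_dn(dn)) if dn else ()


def authorize(headers, remote_addr):
    """Decide a request from the X-SSL-Client-* headers nginx forwarded.

    Returns (http_status, reason)."""
    addr = ipaddress.ip_address(remote_addr)
    if not any(addr in net for net in TRUSTED_PROXIES):
        # Anyone who reaches the backend directly could have forged the headers
        return 403, "request did not come through the TLS-terminating proxy"
    verify = headers.get("X-SSL-Client-Verify", "NONE")
    if verify != "SUCCESS":                      # nginx: SUCCESS, FAILED:<reason> or NONE
        return 403, f"client certificate not verified ({verify})"
    issuer = canonical(headers.get("X-SSL-Client-I-DN", ""))
    if issuer not in {canonical(d) for d in ALLOWED_ISSUERS}:
        return 403, "issuer is in the bundle but not accepted by this service"
    subject = canonical(headers.get("X-SSL-Client-DN", ""))
    if subject not in {canonical(d) for d in ALLOWED_SUBJECTS}:
        return 403, "subject not on the allowlist"
    return 200, "ok"


# Constructed sample requests, as a backend would see them after nginx
GOOD = {"X-SSL-Client-Verify": "SUCCESS",
        "X-SSL-Client-DN": "CN=alice,O=Example,C=NL",
        "X-SSL-Client-I-DN": "CN=Example Root CA,O=Example,C=NL"}
UNTRUSTED_CHAIN = dict(GOOD, **{"X-SSL-Client-Verify":
                                "FAILED:unable to get local issuer certificate"})
OTHER_CA = dict(GOOD, **{"X-SSL-Client-I-DN": "CN=Other Grid CA,O=Other,C=DE"})

if __name__ == "__main__":
    for label, hdrs, src in [("good", GOOD, "10.1.2.3"),
                             ("untrusted chain", UNTRUSTED_CHAIN, "10.1.2.3"),
                             ("other CA", OTHER_CA, "10.1.2.3"),
                             ("bypassing nginx", GOOD, "203.0.113.9")]:
        print(f"{label:16} -> {authorize(hdrs, src)}")
```

The issuer check is the one people forget: once the bundle holds dozens of CAs, "the chain verified" says only that some CA in the distribution vouched for the certificate, not that this service should accept it.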

Large CA bundles affect the handshake mainly through the advertised CA list (one subject name per certificate in ssl_client_certificate, sent in every full handshake), not through verification itself. Measure before and after trimming the advertised set with openssl s_time, which repeatedly connects with the given client certificate and reports connections per second:

openssl s_time -connect your.service:443 -cert client.pem -key client.key -CAfile egi-ca-bundle.pem
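To see how much a bundle adds to each handshake without standing up a server, the following added example (not code from the original page) extracts the DER subject name of every certificate in a bundle with a minimal DER walker and sums the certificate_authorities encoding: a 2-byte length per name plus a 2-byte length for the list, in both the TLS 1.2 CertificateRequest (RFC 5246) and the TLS 1.3 certificate_authorities extension (RFC 8446), where the list is capped at 2^16-1 bytes. The sample bundle is constructed inside the script from bogus, unsigned certificate skeletons and is not real CA material; point it at your real bundle to get the actual figure.

```python
"""Estimate the CA-name list nginx advertises for a given bundle.

Added example, not from the original page. Each certificate in
ssl_client_certificate contributes its DER subject Name to the
certificate_authorities list (2-byte length per name, 2-byte length for the
list, list limited to 2^16-1 bytes). Standard library only; the sample bundle
is constructed from bogus certificate skeletons, not real CA material.
"""
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Yield DER bytes of every CERTIFICATE block in a PEM bundle."""
    for m in PEM_BLOCK.finditer(text):
        if m.group(1) == "CERTIFICATE":
            yield base64.b64decode("".join(m.group(2).split()), validate=True)


def der_tlv(buf, pos):
    """Decode one DER tag/length at pos: (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def subject_der(cert):
    """Return the raw DER subject Name TLV of an X.509 certificate."""
    _, pos, _ = der_tlv(cert, 0)                # Certificate ::= SEQUENCE
    tag, pos, _ = der_tlv(cert, pos)            # tbsCertificate ::= SEQUENCE
    assert tag == 0x30
    tag, _, end = der_tlv(cert, pos)
    if tag == 0xA0:                             # optional EXPLICIT [0] version
        pos = end
    for _ in range(4):                          # serialNumber, signature, issuer, validity
        _, _, pos = der_tlv(cert, pos)
    tag, _, end = der_tlv(cert, pos)
    assert tag == 0x30, "subject must be a SEQUENCE (Name)"
    return cert[pos:end]


def certificate_request_size(bundle_pem):
    """(bytes of certificate_authorities on the wire, number of names)."""
    names = [subject_der(c) for c in pem_blocks(bundle_pem)]
    return 2 + sum(2 + len(n) for n in names), len(names)


# --- constructed sample: a bogus certificate skeleton with a given CN ---
def der(tag, content):
    """Minimal DER TLV encoder (short and long length forms)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def fake_cert_pem(cn):
    """Structurally valid, unsigned certificate with subject = issuer = CN=<cn>."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03")       # id-at-commonName
                                          + der(0x0C, cn.encode()))))      # UTF8String
    tbs = der(0x30,
              der(0xA0, der(0x02, b"\x02"))                                # version v3
              + der(0x02, b"\x01")                                         # serialNumber
              + der(0x30, der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
              + name                                                       # issuer
              + der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"340101000000Z"))
              + name)                                                      # subject
    cert = der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))            # empty signature
    b64 = base64.b64encode(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"


SAMPLE_BUNDLE = fake_cert_pem("CA One") + fake_cert_pem("CA Two")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    size, count = certificate_request_size(text)
    print(f"{count} CA names, {size} bytes of certificate_authorities per full handshake")
```

Real grid CA names are far longer than the sample's, so a bundle of a hundred CAs easily adds several kilobytes to every handshake; that number is what moving CAs from ssl_client_certificate to ssl_trusted_certificate removes.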

For dynamic CA management or custom checks, use OpenResty's access_by_lua_block, or a separate authentication service. The certificate functions of the ngx.ssl module only work in the ssl_certificate_by_lua phase; in the access phase the presented certificate and nginx's verification result are read from nginx variables, so the server must use optional_no_ca to let the handshake complete and leave the decision to Lua:

ssl_verify_client optional_no_ca;

location /auth {
    access_by_lua_block {
        -- $ssl_client_verify is SUCCESS, FAILED:<reason> or NONE
        local verify = ngx.var.ssl_client_verify
        -- PEM of the presented certificate, or nil if none was sent
        local cert_pem = ngx.var.ssl_client_raw_cert
        if verify ~= "SUCCESS" or not cert_pem then
            return ngx.exit(ngx.HTTP_FORBIDDEN)
        end
        -- Custom verification logic here (issuer policy, revocation lookup, ...)
    }
}