How to specify multiple root certificates for nginx client certificate verification?
Solution 1:
Nginx supports multiple root certificates. Just put multiple root CA certificates into a file specified in the ssl_client_certificate
directive. Note the docs explicitly say "certificates" (plural).
This is a consideration why nginx doesn't support ssl_client_certificate in a directory (as Apache does)
"Certificate file" vs "certificate path" difference isn't about running something after updates of certificates or not (in both cases you have to update something, either cat to a single file or the c_rehash script to create symbolic links in case of CApath). The difference is about certificates in memory vs. certficates on disk, and the later implies syscalls and disk access on each certificate check.
As nginx is designed to work under high loads, with many requests (and handshakes) per second, it uses CAfile variant. And as nginx configuration reload is seamless, it's unlikely the CApath variant will add any extra value.
Maxim Dounin