How to specify multiple root certificates for nginx client certificate verification?

authentication certificate nginx ssl

Solution 1:

Nginx supports multiple root certificates. Just put multiple root CA certificates into a file specified in the ssl_client_certificate directive. Note the docs explicitly say "certificates" (plural).

This is a consideration why nginx doesn't support ssl_client_certificate in a directory (as Apache does)

"Certificate file" vs "certificate path" difference isn't about running something after updates of certificates or not (in both cases you have to update something, either cat to a single file or the c_rehash script to create symbolic links in case of CApath). The difference is about certificates in memory vs. certficates on disk, and the later implies syscalls and disk access on each certificate check.

As nginx is designed to work under high loads, with many requests (and handshakes) per second, it uses CAfile variant. And as nginx configuration reload is seamless, it's unlikely the CApath variant will add any extra value.

Maxim Dounin

Related

how to configure apache to view hidden (`.`) files?
Inexpensive Remote Assistance software? [closed]
Ethernet interface errors
Cron: Permission denied on everything
Nagios check service frequency based on service status
Correct Network IP addressing if your users have ability to VPN in
LDAP authentication for SonicWALL VPN
Why is creating a new TCP connection regarded as expensive?
AWS CLI throws "Unable to locate credentials", the second time it's run
Invalid command 'SSLOpenSSLConfCmd', perhaps misspelled or defined by a module not included in the server configuration
How do I convert a VMWare VMDK HDD file to a HyperV VHD file?
Why is iptables not blocking an ip address?