
I would like to verify a client certificate "custom" field directly with NGINX before returning it to the actual page.

As I understand from here: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client it's easily achievable for fields like subject DN, issuer DN, client serial, end date, etc. But is there a way to validate a custom field my CA is appending to the certificate?

Zakkojo

1 Answer

By the way PKI works, nginx does not verify any of those data. It just verifies that the certificate is signed (directly or through intermediate certificates) by a trusted CA. It is the CA's job to verify those data. Usually the last part of the subject DN (the CN or emailAddress part) is somehow verified.

nginx is able to extract some standard extensions from the certificate, but if you want to read the non-standard ones you need to add the whole certificate as a header and send it to your application with something like:

proxy_set_header X-Client-Cert $ssl_client_escaped_cert;
Piotr P. Karwasz
Thanks Piotr for your answer. So if I have my own private CA I can "group" my users within an intermediate CA, but let's say I need to move to a public CA; this would mean everyone with a valid certificate signed by the same public CA would pass the nginx certificate control, or is there another way to verify a group of certificates? – Zakkojo Dec 31 '19 at 00:06
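The answer above stops at handing the certificate to the application; the following is an added example (not from the answer, and not nginx's or any library's code) of what the application then does with it. It assumes nginx has `ssl_verify_client on;` (so the chain check has already happened) and the `proxy_set_header X-Client-Cert $ssl_client_escaped_cert;` line from the answer; the application only adds the custom-extension check on top. The header value is the PEM certificate URL-encoded, so the application URL-decodes it, converts PEM to DER, and walks the DER with only the standard library to find the extension by OID. The extension OID `1.3.6.1.4.1.99999.1`, the `group=admins` value and the sample certificate (an unsigned placeholder with dummy fields) are all constructed here so the code runs offline; the DER walker itself works on real certificates, whose TBSCertificate has the same tag layout.

```python
import base64
import ssl
from urllib.parse import quote, unquote

# Header name from the answer's proxy_set_header line.  Only trust it when the
# request provably came from nginx (app bound to localhost or a unix socket);
# a client that can reach the app directly could set the header itself.
HEADER = "X-Client-Cert"
CUSTOM_OID = "1.3.6.1.4.1.99999.1"   # hypothetical private-enterprise OID


def der_tlv(data, pos=0):
    """Decode one DER tag-length-value at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: 0x8N then N bytes
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def der_children(content):
    """Yield (tag, value) for every TLV inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = der_tlv(content, pos)
        yield tag, value


def decode_oid(raw):
    """Dotted string for the content octets of an OBJECT IDENTIFIER."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def certificate_extensions(der_cert):
    """Map extnID -> (critical, extnValue octets) from a DER Certificate."""
    _, cert_body, _ = der_tlv(der_cert)          # Certificate ::= SEQUENCE
    _, tbs, _ = der_tlv(cert_body)               # tbsCertificate ::= SEQUENCE
    ext_seq = next((v for t, v in der_children(tbs) if t == 0xA3), None)
    if ext_seq is None:                          # no [3] EXPLICIT Extensions
        return {}
    found = {}
    for _, ext in der_children(der_tlv(ext_seq)[1]):
        fields = list(der_children(ext))         # OID [, BOOLEAN], OCTET STRING
        critical = len(fields) == 3 and fields[1][1] == b"\xff"
        found[decode_oid(fields[0][1])] = (critical, fields[-1][1])
    return found


def extension_from_header(header_value, oid):
    """Undo nginx's URL-escaping, convert PEM to DER, return extnValue or None."""
    der = ssl.PEM_cert_to_DER_cert(unquote(header_value))
    ext = certificate_extensions(der).get(oid)
    return None if ext is None else ext[1]


# --- constructed sample: an UNSIGNED placeholder certificate, not a real one --
def _der(tag, content):
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + content


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


def build_sample_header():
    """Return the sample certificate as nginx would send it: URL-encoded PEM."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, _oid("2.5.4.3"))
                                           + _der(0x0C, b"example-client"))))
    algo = _der(0x30, _der(0x06, _oid("1.2.840.113549.1.1.11")) + b"\x05\x00")
    ext = _der(0x30, _der(0x06, _oid(CUSTOM_OID))
               + _der(0x04, _der(0x0C, b"group=admins")))  # OCTET STRING of UTF8String
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02") + b"\x02\x01\x01" + algo + name
               + _der(0x30, _der(0x17, b"200101000000Z") * 2) + name
               + _der(0x30, algo + _der(0x03, b"\x00placeholder-key"))
               + _der(0xA3, _der(0x30, ext)))
    cert = _der(0x30, tbs + algo + _der(0x03, b"\x00"))    # empty signature
    pem = ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(cert).decode()
           + "-----END CERTIFICATE-----\n")
    return quote(pem)


if __name__ == "__main__":
    raw = extension_from_header(build_sample_header(), CUSTOM_OID)
    print(CUSTOM_OID, "->", der_tlv(raw)[1].decode())
```

The application decides what to do with the value (here a group name) after nginx has already rejected anything not chaining to the configured CA; the extension check is an authorization step, not a replacement for `ssl_verify_client`.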