Hello.
I'm not sure what you really need, but it looks like you can
get almost the same result using a combination of map{} blocks and
conditionals.
Something like this:
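# 1 when the client certificate's subject DN contains the expected OU
map $ssl_client_s_dn $ou_matched {
    ~OU=whatever 1;
    default 0;
}

# 1 when the subject DN contains the expected CN
map $ssl_client_s_dn $cn_matched {
    ~CN=whatever 1;
    default 0;
}

# Concatenate both flags; any "0" means at least one check failed
map $ou_matched$cn_matched $unauthed {
    ~0 1;
    default 0;
}

server {
    ....
    # CA certificates used to verify client certificates
    ssl_trusted_certificate path/to/public/certs;
    ssl_verify_client on;
    if ($unauthed) { return 403; }
}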
On 28.02.2018 16:39, rai...@ultra-secure.de wrote:
Hi,
it seems most examples, even for apache, seem to assume that the
client certificates are issued by your own CA.
In this case, you just need to check if your certificates were issued
by this CA - and if they're not, it's game over.
However, I may have a case where the CA is a public CA and the client
certificates need to be verified down to the correct O and OU.
How do you do this with nginx?
Something along these lines:
https://www.tbs-certificates.co.uk/FAQ/en/183.html
Best Regards
Rainer
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
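Added example, not part of the original thread: a Python check that mirrors the map logic from the reply on constructed subject DNs, comparing the unanchored patterns with ones pinned to RDN boundaries and including the O check the question asks for. The sample DNs, the organisation names and all function names are assumptions; attribute values are assumed to contain no escaped separators.

```python
import re

# Constructed subject DNs in the comma-separated RFC 2253 form that
# nginx exposes as $ssl_client_s_dn (names and values are made up).
SAMPLE_DNS = {
    "expected":  "CN=client1,OU=whatever,O=Example Corp,C=DE",
    "longer_ou": "CN=client1,OU=whatever-else,O=Example Corp,C=DE",
    "other_org": "CN=client1,OU=whatever,O=Other Corp,C=DE",
    "no_ou":     "CN=client1,O=Example Corp,C=DE",
}

def loose(attr, value):
    """Unanchored pattern, the style used in the map blocks of the reply."""
    return re.compile(re.escape(f"{attr}={value}"))

def bounded(attr, value):
    """Same match, but pinned to RDN boundaries (start, ',', '+' or end)."""
    return re.compile(r"(^|[,+])" + re.escape(f"{attr}={value}") + r"([,+]|$)")

def unauthed(dn, patterns):
    """Mirror of the $unauthed map: 1 if any required pattern fails."""
    return 0 if all(p.search(dn) for p in patterns) else 1

def evaluate(make_pattern, required):
    """Return {sample name: unauthed flag} for one pattern style."""
    patterns = [make_pattern(a, v) for a, v in required]
    return {name: unauthed(dn, patterns) for name, dn in SAMPLE_DNS.items()}

def map_line(attr, value):
    """Render the bounded pattern as an nginx map entry (PCRE syntax)."""
    return f'"~{bounded(attr, value).pattern}" 1;'

if __name__ == "__main__":
    ou_only = [("OU", "whatever")]
    org_and_ou = [("O", "Example Corp"), ("OU", "whatever")]
    print("loose, OU only   :", evaluate(loose, ou_only))
    print("bounded, O and OU:", evaluate(bounded, org_and_ou))
    print(map_line("OU", "whatever"))
```

With a public CA every subscriber's certificate chains to the trusted root, so the O value has to be matched alongside OU, and each pattern should be bounded so that a longer value such as OU=whatever-else does not pass.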