对于作为欧洲电网基础设施(EGI)一部分的项目,我们需要对在Nginx上运行的服务进行SSL客户端证书验证.由于EGI中允许有几个根CA,我们需要Nginx在客户端证书验证期间检查它们. In the documentation of nginx我只能找到参数ssl_client_certificate,它允许只指定一个包含根证书的文件.
有没有办法在Nginx中为客户端证书验证指定多个根CA,还是我必须使用Apache?
This is a consideration为什么Nginx不支持目录中的ssl_client_certificate(就像Apache那样)
“Certificate file” vs “certificate path” difference isn’t about running something after updates of certificates or not (in both cases you have to update something,either cat to a single file or the c_rehash script to create symbolic links in case of CApath). The difference is about certificates in memory vs. certficates on disk,and the later implies syscalls and disk access on each certificate check.
As Nginx is designed to work under high loads,with many requests (and handshakes) per second,it uses CAfile variant. And as Nginx configuration reload is seamless,it’s unlikely the CApath variant will add any extra value.
Maxim Dounin
