ssl_client_certificate
The ssl_client_certificate directive specifies the file containing the trusted CA certificates for client certificate verification.
Description
The ssl_client_certificate directive is used in the NGINX configuration to set a path to a file containing trusted Certificate Authority (CA) certificates for verifying client certificates during SSL/TLS connections. This directive is typically employed in configurations that require mutual TLS authentication, where clients must present a valid certificate signed by a trusted CA to establish a connection with the server.
When this directive is configured and client verification is enabled with ssl_verify_client, NGINX uses the CA certificates in the specified file to authenticate the certificate a client presents during the SSL handshake. The validation process checks whether the client certificate was issued by a CA in the provided file. If validation succeeds, the client is allowed to proceed; otherwise the connection can be terminated, or further actions may be applied based on additional configuration settings.
Ensure that the specified file contains valid CA certificates and that its permissions allow NGINX to read it. The directive can be set in the http or server context, depending on the requirements of the application. If client certificates are issued by more than one CA, the directive can point to a single file containing all of the necessary CA certificates, so that one configuration validates multiple client identities.
Config Example
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;
}
Ensure the certificate file path is correct and accessible by the NGINX process.
Check for correct permissions on the CA certificate file.
Make sure SSL is properly configured on the server to utilize this directive.
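The "further actions ... based on additional configuration settings" case from the description, as an added example that is not part of the original page: the certificate is requested but the accept/reject decision is made per location. The server name, upstream address, /healthz path and header names are assumptions.

```nginx
# Added example; server_name, upstream address and header names are assumptions.
server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate        /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;

    # PEM bundle of every CA allowed to issue client certificates.
    ssl_client_certificate /etc/nginx/ssl/ca.crt;

    # Request a client certificate, but let requests without one reach
    # the location blocks so each location can decide what to do.
    ssl_verify_client      optional;

    # Maximum depth of the client certificate chain that is verified
    # (nginx default is 1); raise it when clients are issued by
    # intermediate CAs.
    ssl_verify_depth       2;

    # Unauthenticated endpoint: no client certificate needed.
    location = /healthz {
        return 200 "ok\n";
    }

    location / {
        # $ssl_client_verify is SUCCESS only when a certificate was sent
        # and validated against ca.crt; it is NONE when none was sent.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }

        # Forward the verified identity. proxy_set_header replaces any
        # header of the same name sent by the client, so the upstream
        # should accept these headers only from this proxy.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Running nginx -t after editing checks the syntax and confirms that the certificate files can be loaded.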