ssl_trusted_certificate
The 'ssl_trusted_certificate' directive specifies one or more trusted CA certificates used to verify client certificates in NGINX SSL/TLS contexts.
Description
In NGINX SSL/TLS configurations, the 'ssl_trusted_certificate' directive specifies the path to one or more Certificate Authority (CA) certificates that are used to validate client certificates during mutual TLS authentication. When it is configured, NGINX loads the trusted certificates from the designated file(s) and uses them to verify the authenticity of the client certificate presented during the TLS handshake.
The directive matters most when client authentication is enabled and the server must confirm that the client certificate was issued by a trusted authority. The certificates named by 'ssl_trusted_certificate' are in PEM format, which makes them straightforward to combine with other trusted certificate sources. If a concatenated file is specified, it should be arranged so that the root CA's certificate appears first, followed by any intermediate certificates, so that the chain validates correctly.
Note that if this directive is not set, or if the specified certificate files cannot be loaded, NGINX will not be able to verify client certificates, which could pose a security risk. Always configure the directive correctly and verify the paths and permissions of the certificate files it references.
Config Example
server {
    listen 443 ssl;
    ssl_certificate     /path/to/server.crt;    # server certificate
    ssl_certificate_key /path/to/server.key;    # its private key; readable by the nginx user only
    # CA certificate(s) trusted when verifying client certificates
    ssl_trusted_certificate /path/to/ca.crt;
    # CA certificate(s) that issued the client certificates; this list is sent to clients
    ssl_client_certificate /path/to/client.crt;
    ssl_verify_client on;                       # require and verify a client certificate
}
Ensure the CA certificates are in the correct format (PEM) and correctly referenced in the configuration.
Verify that the permissions for the certificate files are set such that the NGINX user can read them to avoid any loading errors.
Keep in mind that untrusted or expired CA certificates can lead to failed client authentications.
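As an added example (not from the NGINX documentation or the NGINX project), the following POSIX shell script performs the checks described in the notes above before a CA bundle is referenced from ssl_trusted_certificate: every PEM block must parse as a certificate, none may be close to expiry, and a client certificate must chain to the bundle. It assumes only the openssl command-line tool; the CA and client certificate it uses are constructed by the script itself.

```shell
#!/bin/sh
# Added example, not part of the NGINX documentation: pre-flight checks an operator
# can run on a CA bundle before referencing it from ssl_trusted_certificate.
# Assumes the openssl CLI is installed; the demo CA below is constructed here.
set -e

# check_ca_bundle FILE [SECONDS]: succeed only if every PEM block in FILE parses as
# an X.509 certificate and none of them expires within SECONDS (default 30 days).
check_ca_bundle() {
  bundle=$1; warn_secs=${2:-2592000}
  [ -r "$bundle" ] || { echo "$bundle: not readable"; return 1; }
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle") || true
  [ "$n" -gt 0 ] || { echo "$bundle: no PEM certificates found"; return 1; }
  i=1
  while [ "$i" -le "$n" ]; do
    # print the i-th PEM block only (from its BEGIN line up to the next BEGIN line)
    cert=$(awk -v n="$i" '/BEGIN CERTIFICATE/{c++} c==n' "$bundle")
    echo "$cert" | openssl x509 -noout >/dev/null 2>&1 \
      || { echo "$bundle: block $i is not a valid PEM certificate"; return 1; }
    echo "$cert" | openssl x509 -noout -checkend "$warn_secs" >/dev/null 2>&1 \
      || { echo "$bundle: block $i expires within $warn_secs seconds"; return 1; }
    i=$((i + 1))
  done
}

# check_client_cert BUNDLE CLIENT_CERT: does CLIENT_CERT chain to a CA in BUNDLE?
# This is the trust decision NGINX makes when ssl_verify_client is on.
check_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo: build a throwaway CA and a client certificate it signed, in a temp
# directory, and print that directory. Purely constructed test material.
make_demo() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=Demo Client CA' \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=demo-client' \
    -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
  openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 30 -out "$dir/client.crt" 2>/dev/null
  echo "$dir"
}

# Usage: sh check_bundle.sh /etc/nginx/ca.crt
if [ -n "${1:-}" ]; then
  check_ca_bundle "$1" && echo "$1: OK"
fi
```

Run against the real bundle path from the configuration; a non-zero exit with the printed reason is what to fix before reloading NGINX.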