tls_trusted_certificate
The `tls_trusted_certificate` directive specifies a trusted CA certificate for verifying client certificates in an NGINX configuration.
Description
The tls_trusted_certificate directive sets the trusted certificate authority (CA) certificate that NGINX uses to verify client certificates. It is particularly useful where NGINX acts as a reverse proxy in front of applications that require client authentication over TLS. When the directive is set, NGINX validates each client certificate presented during the TLS handshake against the configured CA certificate; a client certificate that cannot be verified against that CA causes the handshake to fail, and access is denied.
The directive takes one argument: the path to the CA certificate file. The file must be in PEM format, the standard encoding for certificates. The directive is typically placed inside a server or location block in mutual TLS (mTLS) setups, which add an extra layer of security by requiring both the server and the client to present valid certificates.
If the directive is not set or the specified file cannot be found, clients may either be accepted without verification or denied access, depending on related settings such as ssl_verify_client. Using tls_trusted_certificate is therefore essential in environments that require strict authentication to prevent unauthorized access.
Config Example
```nginx
server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/certs/server.crt;
    ssl_certificate_key /etc/ssl/private/server.key;
    tls_trusted_certificate /etc/ssl/certs/ca_cert.pem;
    ssl_verify_client on;
}
```
Ensure the CA certificate file exists at the specified path; otherwise, NGINX will fail to start.
Make sure the CA certificate is in the correct PEM format; any format mismatch can lead to errors during client verification.
If not configured properly, client authentication may fail, resulting in connection issues for legitimate users.
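As an added example that is not part of this page or of NGINX itself, the following Python pre-flight check parses a server block like the one above and reports the failure modes the notes describe: a CA file that is missing, a CA file that is not PEM-encoded, and ssl_verify_client enabled without a trusted CA. The directive names are taken from this page; the file contents the demo writes are constructed placeholders, not real certificates.

```python
import os
import re
import tempfile
SAMPLE_CONFIG = """server {
    listen 443 ssl;
    tls_trusted_certificate /etc/ssl/certs/ca_cert.pem;
    ssl_verify_client on;
}"""  # constructed sample: the server block from this page (example code, not NGINX's own)
DIRECTIVE_RE = re.compile(r"^\s*([^#\s]\S*)\s+([^;{}]+);", re.M)  # one "name value;" per line; skips comments and "server {"

def parse_directives(config):
    """Return {name: value} for the one-value directives in a server block."""
    return {m.group(1): m.group(2).strip() for m in DIRECTIVE_RE.finditer(config)}

def check_ca_file(path):
    """Existence and PEM-format checks for the file named by tls_trusted_certificate."""
    if not os.path.isfile(path):
        return [f"CA file not found: {path} (NGINX will fail to start)"]
    with open(path, "rb") as fh:
        is_pem = b"-----BEGIN CERTIFICATE-----" in fh.read()
    return [] if is_pem else [f"{path} is not PEM-encoded: client verification will error"]

def audit_server_block(config, resolve=lambda p: p):
    """Findings for one server block's mTLS settings; resolve() maps config paths to real files."""
    d = parse_directives(config)
    verify, ca = d.get("ssl_verify_client", "off"), d.get("tls_trusted_certificate")
    findings = []
    if ca is None and verify in ("on", "optional"):  # NGINX values: on, off, optional, optional_no_ca
        findings.append(f"ssl_verify_client {verify} but no tls_trusted_certificate: clients cannot be verified")
    elif ca is not None and verify == "off":
        findings.append("tls_trusted_certificate set but ssl_verify_client off: client certificates are never checked")
    if ca is not None:
        findings.extend(check_ca_file(resolve(ca)))
    return findings

def demo():
    """Audit constructed CA files in a temp dir; the PEM body is a placeholder, not a real certificate."""
    files = {"ca_cert.pem": b"-----BEGIN CERTIFICATE-----\nconstructed-placeholder\n-----END CERTIFICATE-----\n",
             "ca_cert.der": b"\x30\x82\x01\x0a"}  # binary DER-style bytes: not PEM
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in files.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(body)
        resolve = lambda p: os.path.join(tmp, os.path.basename(p))  # point the config's /etc paths into tmp
        return {
            "pem": audit_server_block(SAMPLE_CONFIG, resolve),
            "der": audit_server_block(SAMPLE_CONFIG.replace("ca_cert.pem", "ca_cert.der"), resolve),
            "missing": audit_server_block(SAMPLE_CONFIG.replace("ca_cert.pem", "absent.pem"), resolve),
            "no_ca": audit_server_block(SAMPLE_CONFIG.replace("tls_trusted", "# tls_trusted"), resolve),
        }
```

Running demo() yields an empty finding list only for the PEM case; each of the other three returns the single finding that explains why the configuration would fail.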