$ssl_client_i_dn
The $ssl_client_i_dn variable holds the Identity Distinguished Name (DN) of a client during SSL/TLS sessions. — NGINX Core (HTTP)
Description
The $ssl_client_i_dn variable is populated when an SSL/TLS connection is established using client certificates. Specifically, it contains the distinguished name (DN) of the client as presented by the client's certificate during the TLS handshake. The variable is available primarily in contexts that require SSL/TLS client authentication, which must be enabled in the NGINX configuration using directives such as 'ssl' and 'ssl_verify_client'. Typically the DN includes fields such as the common name (CN), organization (O), and country (C), formatted according to the X.500 standard. Once set, the variable can be used in a range of configurations, from access controls based on client identity to responses customized to the identity of the client. If client certificates are not used in the SSL/TLS connection, the variable contains no data. Note that the variable depends on successful client authentication: if the client fails to provide a valid certificate, or if verification fails, $ssl_client_i_dn is empty. This makes the variable essential for applications that verify user identity through client certificates.
Config Example
server {
    listen 443 ssl;
    ssl_certificate     /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;

    # ssl_verify_client on requires the CA certificate(s) used to verify
    # client certificates; without ssl_client_certificate NGINX refuses to start.
    ssl_client_certificate /path/to/client-ca.crt;
    ssl_verify_client      on;

    location / {
        if ($ssl_client_i_dn) {
            return 200 'Client DN: $ssl_client_i_dn';
        }
        return 403 'Access denied';
    }
}
Subsystem
http
Cacheable
Yes
Contexts
http, server, location, if
Notes
Ensure that client certificate verification is enabled with 'ssl_verify_client on'; otherwise, the variable will be empty.
Be cautious when using this variable in access control logic to avoid inadvertently denying legitimate requests due to misconfigured SSL settings.
This variable only contains data when valid client certificates are supplied; it will not populate on failed authentications.
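As an added example (not from the original page), the following configuration builds the access-control use case described above into an allowlist. In NGINX's ssl module documentation the "i" in $ssl_client_i_dn denotes the issuer DN of the client certificate and $ssl_client_s_dn holds the subject DN, so the example pins the expected issuer with $ssl_client_i_dn and selects the client's role from $ssl_client_s_dn. It assumes an enclosing http block; the paths, DN values and the "backend" upstream are placeholders.

```nginx
# Added example (not from the original page). Paths, DN values and the
# upstream name are placeholders.

# Accept the certificate only if it was issued by the expected private CA.
# $ssl_client_i_dn is the issuer DN (RFC 2253 format since NGINX 1.11.6).
map $ssl_client_i_dn $issuer_ok {
    default                                     0;
    "CN=Example Internal CA,O=Example,C=US"     1;
}

# Derive a role from the subject DN ($ssl_client_s_dn) of the verified certificate.
map $ssl_client_s_dn $client_role {
    default                                              "";
    "CN=alice,OU=ops,O=Example,C=US"                     "admin";
    "~^CN=svc-[a-z0-9-]+,OU=services,O=Example,C=US$"    "service";
}

# Log both DNs and the verification result for audit and troubleshooting.
log_format mtls '$remote_addr subject="$ssl_client_s_dn" issuer="$ssl_client_i_dn" '
                'verify=$ssl_client_verify status=$status';

server {
    listen 443 ssl;
    ssl_certificate         /path/to/server.crt;
    ssl_certificate_key     /path/to/server.key;

    # Required with ssl_verify_client on: the CA(s) that sign client certificates.
    ssl_client_certificate  /path/to/client-ca.crt;
    ssl_verify_client       on;
    ssl_verify_depth        2;

    access_log /var/log/nginx/mtls.log mtls;

    location / {
        # With "ssl_verify_client on" NGINX already rejects unverified clients
        # (HTTP 400); this guard keeps the policy intact if the mode is later
        # changed to "optional".
        if ($ssl_client_verify != SUCCESS) { return 403; }
        if ($issuer_ok != 1)               { return 403; }
        if ($client_role = "")             { return 403; }

        # Pass the verified identity upstream; the backend must not trust a
        # client-supplied copy of these headers.
        proxy_set_header X-Client-DN   $ssl_client_s_dn;
        proxy_set_header X-Client-Role $client_role;
        proxy_pass http://backend;
    }
}
```

Because map keys are matched against the exact DN string NGINX renders, verify the rendering in the mtls log (or with the legacy format variables on older releases) before committing a DN to the allowlist.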