$ssl_client_i_dn_legacy

The $ssl_client_i_dn_legacy variable returns the legacy distinguished name (DN) string representation of the client's SSL certificate. — NGINX Core (HTTP)

Description

The $ssl_client_i_dn_legacy variable is set during the processing of client requests in an NGINX server configured to use SSL/TLS with client authentication. When a client presents an SSL certificate during the handshake, the server processes this certificate to extract various pieces of information, including the distinguished name (DN) of the client. The DN includes attributes such as the common name (CN), organization (O), and country (C). In the case of $ssl_client_i_dn_legacy, the variable specifically returns this DN in a format that is compatible with earlier versions of NGINX and is primarily for backward compatibility. This DN string may vary in format based on how the client certificate was issued and the specifics of the certificate's data.

Config Example

server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate /path/to/your/cert.pem;
    ssl_certificate_key /path/to/your/key.pem;

    ssl_client_certificate /path/to/your/ca.pem;
    ssl_verify_client on;

    location / {
        add_header X-Client-DN $ssl_client_i_dn_legacy;
    }
}

Subsystem

http

Cacheable

Yes

Contexts

http, server, location, if

$ssl_client_i_dn_legacy is only available when client verification is enabled (ssl_verify_client on).

The format of the DN string may differ based on the client's certificate details, which could lead to processing issues if not properly accounted for.

Improperly configured SSL settings may lead to the variable being empty or undefined.
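
An added example, not from the original page or the NGINX project: one way an application that receives this variable's value could handle the format and empty-value notes above, by parsing the DN strictly and rejecting anything empty, malformed or unlisted. It assumes the slash-separated one-line form (for example /C=US/O=Example Corp/CN=Example Client CA); the sample DNs, the ALLOWED set and the function names are constructed for illustration.

```python
import re

# A component starts with "/TYPE=", where TYPE is a short attribute name
# (CN, O, emailAddress) or a dotted OID. Pattern constructed for this example.
_ATTR = re.compile(r"/([A-Za-z][A-Za-z0-9]*|\d+(?:\.\d+)+)=")


def parse_legacy_dn(dn):
    """Split a one-line DN into [(type, value), ...] in the order given.

    Raises ValueError for empty input or any other format, so a caller
    never treats an unparsed string as a valid identity.
    """
    dn = (dn or "").strip()
    if not dn.startswith("/"):
        raise ValueError("not a slash-separated DN: %r" % (dn,))
    marks = list(_ATTR.finditer(dn))
    if not marks or marks[0].start() != 0:
        raise ValueError("DN does not begin with /TYPE=: %r" % (dn,))
    pairs = []
    for i, mark in enumerate(marks):
        # A value runs up to the next "/TYPE=" marker, so a plain "/"
        # inside a value (e.g. "A/B Corp") stays part of that value.
        end = marks[i + 1].start() if i + 1 < len(marks) else len(dn)
        value = dn[mark.end():end]
        if not value:
            raise ValueError("empty value for attribute %s" % mark.group(1))
        pairs.append((mark.group(1), value))
    return pairs


# Hypothetical allowlist of accepted DNs, stored as parsed pairs.
ALLOWED = {
    (("C", "US"), ("O", "Example Corp"), ("CN", "Example Client CA")),
}


def is_allowed(dn_value, allowed=ALLOWED):
    """Fail closed: empty, malformed or unlisted DNs are rejected."""
    try:
        return tuple(parse_legacy_dn(dn_value)) in allowed
    except ValueError:
        return False
```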