$ssl_client_s_dn

The $ssl_client_s_dn variable contains the subject distinguished name from the client's SSL certificate. — NGINX Core (HTTP)

Description

The $ssl_client_s_dn variable holds the subject distinguished name (DN) from the certificate the client presents during the SSL/TLS handshake. The DN identifies the certificate holder through its attributes, which typically include the common name, organization, country, and other relevant fields. The variable is populated only when the `ssl_verify_client` directive is set to "on" or "optional", so that NGINX requires or requests a client certificate, and only after a valid client certificate has been successfully verified.

Config Example

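server {
    listen 443 ssl;
    ssl_certificate /path/to/server.crt;
    ssl_certificate_key /path/to/server.key;
    # CA certificate(s) used to verify client certificates (placeholder path);
    # needed for ssl_verify_client on.
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;

    location / {
        # Echo the subject DN of the verified client certificate in a response header.
        if ($ssl_client_s_dn) {
            add_header X-Client-DN $ssl_client_s_dn;
        }
    }
}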
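
An added example, not part of the original page or of NGINX's own documentation: one way to use the subject DN for authorization, by matching it exactly against an allowlist with `map` and forwarding it to a backend. The DN values, the `$client_dn_allowed` variable, the header names, the file paths and the upstream address are assumptions chosen for illustration.

```nginx
# Constructed example; place the map block inside http {}.

# Exact-match allowlist of subject DNs. Since nginx 1.11.6 the variable is
# formatted per RFC 2253 (most specific attribute first, comma-separated).
# Matching the whole string avoids the substring and prefix mistakes that a
# loose regex on "CN=" invites.
map $ssl_client_s_dn $client_dn_allowed {
    default                                   0;
    "CN=billing-service,O=Example Corp,C=US"  1;   # constructed DN
    "CN=reporting-job,O=Example Corp,C=US"    1;   # constructed DN
}

server {
    listen 443 ssl;
    ssl_certificate         /path/to/server.crt;
    ssl_certificate_key     /path/to/server.key;
    ssl_client_certificate  /path/to/client-ca.crt;   # CA(s) that issue client certs
    ssl_verify_client       on;

    location / {
        # The certificate chain verified, but the subject is not allowlisted.
        if ($client_dn_allowed = 0) {
            return 403;
        }

        # Values come from the TLS session and replace any headers of the
        # same name sent by the client. X-Client-Verify stays meaningful if
        # ssl_verify_client is later relaxed to "optional".
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```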

Subsystem

http

Cacheable

Yes

Contexts

http, server, location, if

Ensure that `ssl_verify_client` is set to `on` or `optional` for this variable to be populated.

If no client certificate is provided, `$ssl_client_s_dn` will be empty.

Remember that this variable is only accessible in contexts where SSL is enabled.