All geek questions in one place

Nginx; how to use OCSP to verify SSL client certificate

I use Nginx to create a secure connection; when I revoked the client certificate, I can also connect to Nginx via https, I know that I need to configure the ssl_crl directives, but I want to use OCSP to verify the client certificate. How can I do it? I found that Nginx uses the OpenSSL library to establish an ssl connection, is there something I have to do with the openssl.cnf file?

+6
source share
3 answers

Nginx does not support checking OCSP client certificates. The only way to verify client certificates is to use CRLs, renew them, and restart Nginx to apply the changes.

In this thread, one of the leading Nginx developers confirms this and says that since 2014 no one has been working on it: https://forum.nginx.org/read.php?2,238506,245962

+1
source

Prerequirements:

  • launch pki with OCSP configured

NginX Server Configuration

# Specifies a file with trusted CA certificates in the PEM format used to verify client certificates and OCSP responses if ssl_stapling is enabled. # The list of certificates will be sent to clients. If this is not desired, the ssl_trusted_certificate directive can be used. ssl_client_certificate /etc/nginx/client_certs/ca.crt; ssl_verify_client on; ssl_stapling on; #Yes this has to be configured to use OCSP resolver 192.0.2.1;
+1
source

This is just an example of how the code should look in your server block:

  server { # Listen on port 443 listen 443 default_server; server_name example.com; root /path/to/site-content/; index index.html index.htm; # Turn on SSL; Specify certificate & keys ssl on; ssl_certificate /etc/nginx/ssl/example.com/my_certificate.crt; ssl_certificate_key /etc/nginx/ssl/example.com/example.key; # Enable OCSP Stapling, point to certificate chain ssl_stapling on; ssl_stapling_verify on; ssl_trusted_certificate /etc/nginx/ssl/full_chain.pem; }

make sure the certificates match your paths and then save your work.

Check your configuration before rebooting ...

and finally restart or restart Nginx any of the following commands:

 sudo service nginx reload

or

 sudo service nginx restart

Final step, test your OCSP Stapling at this link to make sure your SSL is working or not:

OCSP Stapling SSL Checker

-5
source

Source: https://habr.com/ru/post/1237448/

More articles:


All Articles