NGinx SSL certificate authentication signed by intermediate CA (chain)


Question

I am trying to enable client certificate authentication in nginx where the certificates have been signed by an intermediate CA. I am able to get this working fine when using a certificate signed by a self-signed root CA; however, this does not work when the signing CA is an intermediate CA.

My simple server section looks like this:

server {
    listen       443;
    server_name  _;

    ssl                  on;
    ssl_certificate      cert.pem;
    ssl_certificate_key  cert.key;

    ssl_session_timeout  5m;

    ssl_protocols  SSLv2 SSLv3 TLSv1;
    ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers   on;

    ssl_client_certificate ca.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location / {
        root   html;
        index  index.html index.htm;
    }
}

For the contents of ca.pem, I have tried using only the intermediate CA and also concatenating the intermediate CA cert and the root CA cert, i.e. something like:

cp intermediate.crt ca.pem
cat root.crt >> ca.pem

I have also validated that the certificate is valid from openssl's perspective when using that same CA chain:

openssl verify -CAfile /etc/nginx/ca.pem certs/client.crt 
certs/client.crt: OK

I have experimented with setting ssl_verify_depth explicitly to 1 (as above) and then even 0 (not sure what that number means exactly), but still get same error.

The error I get in all variants of the intermed CA is "400 Bad Request" and more specifically "The SSL certificate error" (not sure what that means exactly).

Maybe nginx just doesn't support cert chains for intermediate certs? Any help greatly appreciated!

Accepted answer

Edit: I also had this problem; the solution and explanation are at the bottom of this text.

It seemed like nginx doesn't support intermediate certificates. My certs are self-created (RootCA is self-signed, IntermediateCA1 is signed by RootCA, etc.):

RootCA -> IntermediateCA1 -> Client1 
RootCA -> IntermediateCA2 -> Client2

I want to use in nginx "IntermediateCA1", to allow access to site only to owner of the "Client1" certificate.

When I put IntermediateCA1 and RootCA into the "ssl_client_certificate" file and set "ssl_verify_depth 2" (or more), clients can log in to the site using both certificate Client1 and Client2 (it should be only Client1). The same result occurs when I put only RootCA into the "ssl_client_certificate" file: both clients can log in.

When I put only IntermediateCA1 into the "ssl_client_certificate" file and set "ssl_verify_depth 1" (or "2" or more, it does not matter), it is impossible to log in; I get error 400. And in debug mode I see the logs:

verify:0, error:20, depth:1, subject:"/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com",issuer: "/C=PL/CN=RootCA/emailAddress=cert@asdf.com"
verify:0, error:27, depth:1, subject:"/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com",issuer: "/C=PL/CN=RootCA/emailAddress=cert@asdf.com"
verify:1, error:27, depth:0, subject:"/C=PL/CN=Client1/emailAddress=cert@asdf.com",issuer: "/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com"
(..)
client SSL certificate verify error: (27:certificate not trusted) while reading client request headers, (..)

I think this is a bug. Tested on Ubuntu, nginx 1.1.19 and 1.2.7-1~dotdeb.1, openssl 1.0.1. I see that nginx 1.3 has a few more options for using client certificates, but I don't see a solution to this problem.

Currently, the only way to separate clients 1 and 2 is to create two self-signed RootCAs, but this is only a workaround.

Edit 1:
I reported this issue here: http://trac.nginx.org/nginx/ticket/301

Edit 2
*OK, it is not a bug, it's a feature ;)*

I got a response here: http://trac.nginx.org/nginx/ticket/301 It is working; you must only check what your ssl_client_i_dn is. Instead of the issuer you can also use the subject of the certificate, or whatever you want from http://wiki.nginx.org/HttpSslModule#Built-in_variables

This is how certificate verification works: the certificate must be verified up to a trusted root. If the chain can't be built to a trusted root (not an intermediate), verification fails. If you trust the root, all certificates signed by it, directly or indirectly, will be successfully verified.

Limiting verification depth may be used if you want to limit client certificates to directly issued certificates only, but it's more about DoS prevention, and obviously it can't be used to limit verification to intermediate1 only (but not intermediate2).

What you want here is some authorization layer based on the verification result, i.e. you may want to check that the client's certificate issuer is intermediate1. The simplest solution would be to reject requests if the issuer's DN doesn't match an allowed one, e.g. something like this (completely untested):

[ Edit by me, it is working correctly in my configuration ]

server {
    listen 443 ssl;

    ssl_certificate ...
    ssl_certificate_key ...

    # ca.crt must allow the chain to be built up to the trusted root
    # (RootCA alone, or IntermediateCA1 + RootCA); depth 2 covers
    # root -> intermediate -> client.
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    # Authorization on top of verification: accept only certificates
    # issued by IntermediateCA1, comparing the exact DN string nginx
    # reports in $ssl_client_i_dn.
    if ($ssl_client_i_dn != "/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com") {
        return 403;
    }
}
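As an added example (not code from the thread, the ticket, or nginx itself), the following Python models the authorization layer the answer describes: nginx has already verified the client chain up to the trusted root, and the application then accepts only certificates whose issuer is on an allow-list. It also handles a pitfall the thread predates: from nginx 1.11.6 on, `$ssl_client_i_dn` is formatted per RFC 2253 (comma-separated, most specific attribute first) and the old slash-separated form is only available as `$ssl_client_i_dn_legacy`, so the literal string comparison in the `if` block above stops matching after an upgrade (it fails closed, locking every client out). The DN strings are constructed from the thread's values, `ALLOWED_ISSUERS` is a hypothetical policy, and the function names are this example's own.

```python
"""Issuer-DN allow-list for nginx client-certificate authentication.

Added example, not code from the thread or from nginx. It models the check
`if ($ssl_client_i_dn != "...") { return 403; }` and makes it independent of
the two DN formats nginx has used. The check only means something after nginx
has verified the client chain to the trusted root (ssl_verify_client on): the
issuer DN is data taken from the certificate, trusted solely because the chain
verified.
"""
import re

# Constructed sample values, built from the DNs that appear in the thread.
# Legacy OpenSSL "oneline" format: nginx < 1.11.6, or $ssl_client_i_dn_legacy.
LEGACY_DN = "/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com"
# RFC 2253 format: $ssl_client_i_dn from nginx 1.11.6 onward (reverse order,
# comma-separated, commas inside values escaped with a backslash).
RFC2253_DN = "emailAddress=cert@asdf.com,CN=IntermediateCA1,C=PL"
# A sibling intermediate under the same root; its clients must be rejected.
OTHER_INTERMEDIATE = "/C=PL/CN=IntermediateCA2/emailAddress=cert@asdf.com"

# Hypothetical policy: issuers whose client certificates this vhost accepts.
ALLOWED_ISSUERS = [LEGACY_DN]

_UNESCAPE = re.compile(r"\\(.)")


def _split_unescaped(text, sep):
    """Split on sep, ignoring occurrences escaped by a backslash."""
    return re.split(r"(?<!\\)" + re.escape(sep), text)


def canonical_dn(dn):
    """Parse either DN format into a list of (attribute, value) pairs.

    The result is ordered root-first (C, then CN, ...) like the legacy format,
    so the same name written in either format compares equal. Attribute types
    are lower-cased; values are compared verbatim. Multi-valued attributes
    (two OU= entries) survive because the result is a list, not a dict.
    Note that the legacy oneline format does not escape '/' inside a value,
    so such names are ambiguous there; prefer the RFC 2253 variable when
    the nginx version provides it.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = _split_unescaped(dn[1:], "/")
    else:
        parts = list(reversed(_split_unescaped(dn, ",")))
    rdns = []
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), _UNESCAPE.sub(r"\1", value)))
    return rdns


def naive_authorize(issuer_dn, pinned_dn):
    """The literal string compare the nginx `if` block performs."""
    return 200 if issuer_dn == pinned_dn else 403


def authorize(issuer_dn, allowed=ALLOWED_ISSUERS):
    """Format-independent allow-list check; 200 = serve, 403 = reject."""
    issuer = canonical_dn(issuer_dn)
    return 200 if any(issuer == canonical_dn(a) for a in allowed) else 403


if __name__ == "__main__":
    for label, dn in [("Client1 via legacy DN", LEGACY_DN),
                      ("Client1 via RFC 2253 DN", RFC2253_DN),
                      ("Client2 (IntermediateCA2)", OTHER_INTERMEDIATE)]:
        print("%-28s naive=%d canonical=%d"
              % (label, naive_authorize(dn, LEGACY_DN), authorize(dn)))
```

Running the module shows the difference: the naive compare returns 403 for the RFC 2253 form of the very same issuer, while the canonical compare accepts IntermediateCA1 in either format and still rejects IntermediateCA2. In a real deployment the same decision is better expressed as an nginx `map` on `$ssl_client_i_dn` (or the `_legacy` variable, matching the format you pin) than as an `if`, but the comparison logic is the point here.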
