
I am struggling with an Nginx setup as a reverse proxy with client certificate authentication. The client only accepts publicly signed certificates to be imported as client certificates for authentication.

On the Nginx side I can set up the publicly available CA which was used to sign the client certificate (e.g. Let's Encrypt) with the following settings (as suggested by many solutions):

ssl_client_certificate  /etc/nginx/ssl/ca.cer;
ssl_verify_client on;

I am now questioning the security of this setup and wanted to know if:

  1. Any client using a valid client certificate signed by the public CA can now connect to the Nginx server and authenticate?

  2. If the above answer is yes, how can I only allow my client certificate to be successfully authenticated and forbid the others? Do I need to specify my own CA (which would render this setup useless, since the client side only allows client certificates signed by a public CA to be imported)?

Thank you for your help.

  • No, this is not a secure design. It also isn't the way most organizations handle certificate authentication. It's straightforward and expected that an organization would either have their own PKI and/or exercise the granularity to designate the root authorities that they trust, and remove authorities that they do not trust. The "publicly trusted" part of the requirements is unusual and probably naive. Also, no organization has only one factor of authentication, and it is a certificate not issued by them and not trusted by them for the purposes.
    – Greg Askew
    12 hours ago
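As an added example (not configuration from the question or the comment), the following shows the setting the question asks about beside a fingerprint pin that narrows authentication to one known client certificate; the server name, file paths and the fingerprint value are placeholders, and `ssl_verify_depth 2` assumes the public CA chain has one intermediate.

```nginx
# Goes in the http {} context. Added example; values below are placeholders.

# Allow-list of client certificates by SHA-1 fingerprint.
# $ssl_client_fingerprint is lowercase hex without colons (nginx >= 1.7.1),
# so strip the colons and lowercase the output of:
#   openssl x509 -in client.crt -noout -fingerprint -sha1
map $ssl_client_fingerprint $client_allowed {
    default                                     0;
    "0000000000000000000000000000000000000000"  1;  # PLACEHOLDER fingerprint
}

server {
    listen 443 ssl;
    server_name example.invalid;                    # placeholder

    ssl_certificate     /etc/nginx/ssl/server.crt;  # placeholder
    ssl_certificate_key /etc/nginx/ssl/server.key;  # placeholder

    # The setting from the question: on its own this accepts ANY certificate
    # that chains to the public CA in ca.cer, i.e. any of that CA's customers.
    ssl_client_certificate /etc/nginx/ssl/ca.cer;
    ssl_verify_client on;
    ssl_verify_depth 2;   # assumption: root + one intermediate in the chain

    # Second check: reject every verified certificate that is not pinned.
    # 'if' with a bare 'return' in server context is one of its safe uses.
    if ($client_allowed = 0) {
        return 403;
    }

    location / {
        proxy_pass http://127.0.0.1:8080;           # placeholder upstream
        # Pass the verified identity on, so the backend can log or check it too.
        proxy_set_header X-Client-Cert-DN $ssl_client_s_dn;
        proxy_set_header X-Client-Cert-Verify $ssl_client_verify;
    }
}
```

Because a publicly issued certificate is renewed regularly, the pinned fingerprint must be updated on each renewal; matching on `$ssl_client_s_dn` instead would survive renewal but only restricts the subject name, which any holder of a certificate for that name from the trusted CA would satisfy.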
