I am struggling with an Nginx setup as a reverse proxy with client certificate authentication. The client only accepts publicly signed certificates to be imported as client certificates for authentication.
On the Nginx side I can set up the publicly available CA which was used to sign the client certificate (e.g. Let's Encrypt) with the following settings (as suggested by many solutions):
ssl_client_certificate /etc/nginx/ssl/ca.cer;
ssl_verify_client on;
I am now questioning the security of this setup and wanted to know if:
Any client using a valid client certificate signed by the public CA can now connect to the Nginx server and authenticate?
If the above answer is yes, how can I allow only my client certificate to be successfully authenticated and forbid the others? Do I need to specify my own CA (which would render this setup useless, since the client side only allows client certificates signed by a public CA to be imported)?
Thank you for your help.
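The following configuration is an added example and not part of the original question; it shows how CA verification (as in the post) can be combined with pinning the one expected client certificate by its SHA-1 fingerprint, using the `$ssl_client_fingerprint` variable that nginx exposes after a successful client-certificate handshake. The server paths, the upstream address and the fingerprint value are placeholders for illustration.

```nginx
# Added example: CA verification plus pinning of a single client certificate.
# The fingerprint below is a placeholder; obtain the real value with
#   openssl x509 -in client.cer -noout -fingerprint -sha1
# then remove the colons and lower-case the hex digits, which is the format
# nginx uses for $ssl_client_fingerprint.
map $ssl_client_fingerprint $client_allowed {
    default 0;
    "0123456789abcdef0123456789abcdef01234567" 1;   # placeholder fingerprint
}

server {
    listen 443 ssl;
    server_name example.com;                          # placeholder hostname

    ssl_certificate     /etc/nginx/ssl/server.cer;    # placeholder paths
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Public CA chain that issued the client certificate, as in the question.
    # ssl_verify_client on still rejects any certificate not chaining to it.
    ssl_client_certificate /etc/nginx/ssl/ca.cer;
    ssl_verify_client on;
    ssl_verify_depth 2;

    location / {
        # A certificate that chains to the CA but is not the pinned one
        # passes the TLS handshake yet is rejected here with 403.
        if ($client_allowed = 0) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;             # placeholder upstream
        # Pass the verified subject to the backend for logging/auditing.
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
```

With this layout the public CA only establishes that the certificate is genuine; the `map` decides which specific certificate is authorised. When the pinned certificate is renewed, the fingerprint changes and the map entry has to be updated, so a second entry can be added for the new certificate ahead of the rotation. Matching on `$ssl_client_s_dn` instead of the fingerprint is weaker, because a public CA may issue another certificate with the same subject to anyone who can prove control of that name.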