I have a custom easyrsa setup with a root and three CAs signed by the root. (Three different sub-cas depending on the user type), like this:
RootCA
+----- AdminUserCA
+----- EmployeeCA
+----- ClientCA
I have authentication working with the following config:
server {
listen 127.0.0.1:443;
server_name www.acme.corp;
ssl on;
ssl_certificate /data/src/easy-rsa/bundles/www.acme.corp_bundle.crt;
ssl_certificate_key /data/src/easy-rsa/whfWebCA/pki/private/www.acme.corp.key;
add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
ssl_protocols SSLv3 TLSv1;
ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:ECDH-ECDSA-RC4-SHA:ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:RC4-SHA;
ssl_prefer_server_ciphers on;
ssl_verify_client optional;
ssl_client_certificate /data/src/easy-rsa/bundles/client_auth_ca_chain.crt;
ssl_verify_depth 2;
ssl_crl /data/src/easy-rsa/bundles/crls/all.pem;
...
}
The problem is with the CRL checking. CRLs are signed by the issuing CA therefore they can not be appened together like intermediate certificate+root certificates.
So a user's certificate will be issued by the given intermediate CA depending on their user type. The problem is I really need to check four CRL lists to be effective. The nginx ssl_crl only supports a single file.
So my question is: Is it possible to have nginx correctly check for a client certificate revokation in this setup without having to do the check in my application?
Best Answer
Yes, it is possible. Just concatenate multiple PEM-encoded CRLs into a single file specified in the
ssl_crldirective.(A question in nginx mailing list referenced this question. Posting the answer here as well.)