In line with a recent nginx mailing list thread I had with a user about
how to properly secure a site with SSL/TLS Client Certificates, the user
indicated that "ssl_client_certificate" is a confusing misnomer. It
implies that the certificate(s) provided are a bundle of certs that are
*individual client certificates* not the Certification Authority (CA)
certificate and chain that issued the certificates.
It's always annoyed me slightly that it has been
"ssl_client_certificate" and has no mention of it being a CA cert. I'm
guessing that's because you could theoretically use a self-signed
certificate and verify it against itself, thus not needing a CA
certificate, however that's not the primary use case nor is that how
it's really explained in the NGINX documentation of the command.
Has there been any discussion or consideration of renaming
ssl_client_certificate to something that is less confusing to people new
to the process, to show that this is supposed to be the CA certificate
of the authority that is issuing the client certificates?
Thomas
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
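As an added illustration of the distinction the message is about (this is example configuration, not part of the original post and not taken from the nginx documentation), the following server block shows `ssl_client_certificate` pointing at the issuing CA bundle rather than at any individual client certificate. The file paths and the server name are assumptions chosen for the example; the directives and variables themselves are standard nginx ones.

```nginx
server {
    listen 443 ssl;
    server_name mtls.example.test;          # assumed hostname

    # The server's own identity, as usual.
    ssl_certificate     /etc/nginx/tls/server.pem;      # assumed path
    ssl_certificate_key /etc/nginx/tls/server.key;      # assumed path

    # Despite its name, this file is NOT a bundle of client certificates.
    # It is the CA certificate(s) that *issued* the client certificates:
    # the root and any intermediates, concatenated in PEM form. nginx
    # verifies each presented client certificate against this bundle and
    # advertises these CA names in the CertificateRequest message.
    ssl_client_certificate /etc/nginx/tls/client-ca-bundle.pem;  # assumed path

    # Require a valid client certificate on every connection. "optional"
    # would let unauthenticated clients through with $ssl_client_verify
    # set to NONE, so the application would have to check it itself.
    ssl_verify_client on;

    # Allow root -> intermediate -> leaf; raise only if the CA hierarchy
    # is deeper. Keeping this tight limits what a mis-issued cert can do.
    ssl_verify_depth 2;

    location / {
        # Pass the verified identity, not the raw certificate, upstream.
        proxy_set_header X-Client-Verify $ssl_client_verify;   # SUCCESS/FAILED/NONE
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;                      # assumed backend
    }
}
```

A quick way to check that a file has been put in the right place is `openssl x509 -noout -subject -issuer -in <file>`: for the file named in `ssl_client_certificate` the subject should be the issuing CA (self-issued for a root), whereas a client's own certificate will have that CA as its issuer and an end-entity subject. The self-signed case the message mentions is the one situation where the two coincide, which is why pointing the directive at a self-signed client certificate happens to work.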