当待验证的客户端证书是由intermediate-CA签发,而非有root-CA签发时,需要在proxy_ssl_trusted_certificate中配置intermediate-CA和root-CA组成的证书链文件
也就是说,直接尝试使用中级 CA 来验证客户端是无法通过的,openssl 会自动的去找中级 CA 的签发者一层层验证上去,直到找到根。
因此,在实际使用的时候,需要注意一下两点:
- CA 文件中必须同时存在 中级 CA 和 根 CA,必须构成完整证书链,不能少任何一个;
- 默认的验证深度 SslVerifyDepth ssl_verify_depth 是 1,也就是说只要是中级 CA 签发的客户端证书一律无法通过认证,需要增大该值。
The depth actually is the maximum number of intermediate certificate issuers, i.e. the number of CA certificates which are max allowed to be followed while verifying the client certificate. A depth of 0 means that self-signed client certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA’s certificate is under SSLCACertificatePath), etc.