[Solved] Export root certificate to environment
Added by BTschunko about 1 month ago
Hello everyone,
I am currently using lighttpd and have encountered an issue with exporting the root certificate to the environment in addition to SSL_CLIENT_CERT. I have configured lighttpd to use different root certificates in the certificate store, and after the client certificate is verified by lighttpd, the request is forwarded to a fast-cgi process. In the fast-cgi process, I need to be able to identify which root certificate was used to verify the client certificate.
I have already explored the option ssl.verifyclient.exportcert in the configuration, which allows me to export the client certificate to the environment variable SSL_CLIENT_CERT. Additionally, I can retrieve information about the validation of the client certificate from the environment variable SSL_CLIENT_VERIFY. However, I still need to know which root certificate was used to validate the client certificate.
Is there any way to obtain this information in the environment, such as exporting the root certificate used or any specific information about the root certificate used? I would greatly appreciate any guidance or suggestions on how to achieve this.
Thank you.
Benjamin
Replies (3)
RE: Export root certificate to environment - Added by gstrauss about 1 month ago
No, lighttpd does not provide a way to export the entire certificate chain. Not only would that be a lot of bloat to pass around, it is also probably not the right solution to your problem. If you have the client certificate, then it tells you its issuer. That is usually what you want if you have used ssl.verifyclient.ca-dn-file. If you want something else from ssl.verifyclient.ca-file, then you can parse the client certificate and if there are intermediates, then you could follow the certificate chain yourself to find the root. If you configured lighttpd with ssl.verifyclient.ca-file, then you could also configure your FastCGI with access to the same information.
In any case, you should evaluate what you are doing and why what you are trying to do is not the best solution. After all, if you have the client certificate, that is the identifying information.
RE: Export root certificate to environment - Added by BTschunko about 1 month ago
Thank you for your response. I understand that exporting the entire certificate chain may not be the most efficient solution, and I appreciate your suggestions for alternative approaches.
You are right that this is a special use case where additional information from the ssl.verifyclient.ca-file is required, and it is not a standard webserver approach. Due to the presence of intermediate certificates, I cannot directly point to the root certificate when having the client certificate. Your suggestion to follow the certificate chain in the FastCGI process to find the root used to validate this client certificate was also my idea. However, I encountered that the environment only provides the client certificate and no intermediate certificates, so I cannot follow the certificate chain myself. Maybe I have overlooked an option and if so, please give me a hint but this is the situation I have encountered.
I will continue to evaluate the options and would be happy for any further ideas.
RE: [Solved] Export root certificate to environment - Added by gstrauss about 1 month ago
Your suggestion to follow the certificate chain in the FastCGI process to find the root used to validate this client certificate was also my idea.
I don't believe you since it does not seem like you understand how certificate verification works.
However, I encountered that the environment only provides the client certificate and no intermediate certificates, so I cannot follow the certificate chain myself. Maybe I have overlooked an option and if so, please give me a hint but this is the situation I have encountered.
If you have ssl.verifyclient.ca-file, then you can use a TLS library such as openssl to validate the client certificate using the certificates in ssl.verifyclient.ca-file. That is what lighttpd does to validate the client certificate. If your "special-case" really requires you to know the CA root certificate of the chain, then you can perform the certificate validation steps to find that information.