another easy way is to concatenate certificates (including domain certifate) in a single file and use that on your servers and nginx conf file

cat www.example.com.crt bundle.crt > www.example.com.chained.crt

Always remember to use server certificate first and then only CA server certificates

You can read more about at http://nginx.org/en/docs/http/configuring_https_servers.html#chains

Have you tried increasing ssl_verify_depth directive? Docs say:

(it) sets a verification depth in the client certificates chain.

But your verify depth is 1. You say:

I have experimented with setting ssl_verify_depth explicitly to 1 (as above) and then even 0 (not sure what that number means exactly), but still get same error.

So, try 2 or 3..

PS: Everywhere where I find this problem mentioned, its told to combine intermediate CA certificates with you server cert. into one file (as @vikas-nalwar suggested and you did) in order of verification (but i'm not sure if the order matters) and roughly speaking set ssl_verify_depth to number of certs in the bundle.

I have to say its working fine for me with nginx/1.13.2, i.e.

• I have one root CA that signed two intermediate CAs
• both intermediates each signed a client

• I concat the certs like cat client-intermediate1.crt ca-client.crt > ca.chained1.crt and cat client-intermediate2.crt ca-client.crt > ca.chained2.crt and cat ca.chained1.crt ca.chained2.crt > ca.multiple.intermediate.crt

• if I only put ca.chained1.crt as ssl_client_certificate then only client1.crt can connect, likewise for ca.chained2.crt/client2.crt

• when I use ca.multiple.intermediate.crt then both clients can connect

for revoking an intermediate, simply remove the cert chain from the ca.multiple.intermediate.crt

here is the relevant config. its also has high security settings

# minimum settings for ssl client auth 
ssl_client_certificate /etc/ssl/ca.multiple.intermediate.crt;
ssl_verify_client on;
ssl_verify_depth 2;

# ssl high security settings (as of writing this post)
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:10m;
ssl_session_tickets off;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Frame-Options DENY;
add_header X-Content-Type-Options nosniff;

if you want to parse out the certs CN and pass it on to backend, then add this OUTSIDE the server {.. block

# parse out CN
map $ssl_client_s_dn $ssl_client_s_dn_cn {
    default "should_not_happen";
    ~CN=(?<CN>[^,]+) $CN;
}

and INSIDE the block you can use it then

# add headers for backend containing SSL DN/CN
add_header X-SSL-client-s-dn $ssl_client_s_dn;
add_header X-SSL-client-s-dn_cn $ssl_client_s_dn_cn;

Edit: I had also this "problem", solution and explanation is at the bottom of the text.

It seemed like nginx doesn't support intermediate certificates. My certs self created: (RootCA is selfsigned, IntrermediateCA1 is signed by RootCA, etc.)

RootCA -> IntermediateCA1 -> Client1 
RootCA -> IntermediateCA2 -> Client2

I want to use in nginx "IntermediateCA1", to allow access to site only to owner of the "Client1" certificate.

When I put to "ssl_client_certificate" file with IntermediateCA1 and RootCA, and set "ssl_verify_depth 2" (or more) , clients can login to site both using certificate Client1 and Client2 (should only Client1). The same result is when I put to "ssl_client_certificate" file with only RootCA - both clients can login.

When I put to "ssl_client_certificate" file with only IntermediateCA1, and set "ssl_verify_depth 1" (or "2" or more - no matter) , it is imposible to log in, I get error 400. And in debug mode i see logs:

verify:0, error:20, depth:1, subject:"/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com",issuer: "/C=PL/CN=RootCA/emailAddress=cert@asdf.com"
verify:0, error:27, depth:1, subject:"/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com",issuer: "/C=PL/CN=RootCA/emailAddress=cert@asdf.com"
verify:1, error:27, depth:0, subject:"/C=PL/CN=Client1/emailAddress=cert@asdf.com",issuer: "/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com"
(..)
client SSL certificate verify error: (27:certificate not trusted) while reading client request headers, (..)

I thing this is a bug. Tested on Ubuntu, nginx 1.1.19 and 1.2.7-1~dotdeb.1, openssl 1.0.1. I see that nginx 1.3 has few more options about using client certificates, but I'dont see solution to this problem.

Currently, the only one way to separate clients 1 and 2 is to create two, selfsigned RootCAs, but this is only workaround..

Edit 1: I've reported this issue here: http://trac.nginx.org/nginx/ticket/301

Edit 2" *Ok, it's not a bug, it is feature ;)*

I get response here: http://trac.nginx.org/nginx/ticket/301 It is working, you must only check what your ssl_client_i_dn is (. Instead of issuer you can use also subject of certificate, or what you want from http://wiki.nginx.org/HttpSslModule#Built-in_variables

This is how certificate verification works: certificate must be verified up to a trusted root. If chain can't be built to a trusted root (not intermediate) - verification fails. If you trust root - all certificates signed by it, directly or indirectly, will be successfully verified.

Limiting verification depth may be used if you want to limit client certificates to a directly issued certificates only, but it's more about DoS prevention, and obviously it can't be used to limit verificate to intermediate1 only (but not intermediate2).

What you want here is some authorization layer based on the verification result - i.e. you may want to check that client's certificate issuer is intermediate1. Simplest solution would be to reject requests if issuer's DN doesn't match one allowed, e.g. something like this (completely untested):

[ Edit by me, it is working correctly in my configuration ]

server {
    listen 443 ssl;

    ssl_certificate ...
    ssl_certificate_key ...

    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

    if ($ssl_client_i_dn != "/C=PL/CN=IntermediateCA1/emailAddress=cert@asdf.com") {
        return 403;
    }
}

I believe that you want to enable client validation on your server side. If this is so then, I dont see that you have your client certificate in the chain. Try the following in exact same order. Use the certchain.pem.

  cat client.crt > certchain.pem
  cat intermediate.crt >> certchain.pem
  cat root.crt >> certchain.pem

as I was strugling with nginx and cloudflare,
these lines did the trick for me:

ssl_client_certificate    /etc/nginx/ssl/ca-bundle-client.crt;  
ssl_verify_client optional_no_ca;  
ssl_verify_depth 2;

the second line with optional_no_ca is the important part