Feasibility of hosting Teddycloud

Thanks for reaching out. The following should shed more light on this.

server:

  • ttt-fullchain.pem
    • teddy-cert.pem
    • converted teddy-key.pem (rsa private key; openssl rsa -inform DER -in teddy-key.pem -out ttt-teddy-key.pem)
    • ca-root.pem
    • converted ca-key.pem (rsa private key; openssl rsa -inform DER -in ca-key.pem -out ttt-ca-key.pem)

cat teddy-cert.pem ttt-teddy-key.pem ca-root.pem ttt-ca-key.pem > ttt-fullchain.pem

	ssl_certificate /etc/ssl/certs/server/ttt-fullchain.pem;
	ssl_certificate_key /etc/ssl/certs/server/ttt-teddy-key.pem;

client:

  • ca.pem
    • Issuer: C=DE, ST=NW, L=Duesseldorf, O=Boxine GmbH, CN=Boxine CA
    • C=DE, ST=NW, L=Duesseldorf, O=Boxine GmbH, CN=Boxine CA
	ssl_client_certificate /etc/ssl/certs/client/ca.pem;

The client CA actually should not matter. We cannot use that to verify the cert.

openssl verify -CAfile ca.pem client.pem
C = DE, ST = NRW, L = D\C3\BCsseldorf, O = Boxine GmbH, CN = 1234567890CF
error 20 at 0 depth lookup:unable to get local issuer certificate
client.pem: verification failed: 20 (unable to get local issuer certificate)

That's the reason why I am using

	ssl_verify_client optional_no_ca;
2 Likes
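
The directives from the post placed in one server block, as an added example that is not the poster's or the Teddycloud project's own configuration. With `optional_no_ca` nginx requests the client certificate but does not require it to chain to a trusted CA, so this example pins the certificate by fingerprint instead; the fingerprint value, the header names, the `$known_box` variable and the backend address are assumptions.

```nginx
# Added example for the http {} context.
# The fingerprint, header names and backend address are assumptions.

# $ssl_client_fingerprint is the SHA-1 fingerprint of the presented client
# certificate. It is empty when no certificate was sent, which maps to 0.
map $ssl_client_fingerprint $known_box {
    default 0;
    # Constructed placeholder: replace with the fingerprint of your box
    # certificate (lowercase hex, no colons).
    "0000000000000000000000000000000000000000" 1;
}

server {
    listen 443 ssl;

    # Server side, paths as given in the post.
    ssl_certificate     /etc/ssl/certs/server/ttt-fullchain.pem;
    ssl_certificate_key /etc/ssl/certs/server/ttt-teddy-key.pem;

    # Client side: request a certificate, but do not require it to chain
    # to a trusted CA (verification against ca.pem fails with error 20).
    ssl_client_certificate /etc/ssl/certs/client/ca.pem;
    ssl_verify_client      optional_no_ca;

    location / {
        # The chain was not validated, so gate on the pinned fingerprint.
        if ($known_box = 0) {
            return 403;
        }

        # Pass the verification result and fingerprint on to the backend.
        # proxy_set_header overwrites any value the client sent itself.
        proxy_set_header X-SSL-Client-Verify      $ssl_client_verify;
        proxy_set_header X-SSL-Client-Fingerprint $ssl_client_fingerprint;

        proxy_pass http://127.0.0.1:8080;  # hypothetical backend address
    }
}
```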