2

I would like to verify a client certificate "custom" field directly with NGINX before returning it to the actual page.

As I understand from here: http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_verify_client it's easily achievable for fields like subject DN, issuer DN, client serial, end date, etc. But is there a way to validate a custom field my CA is appending to the certificate?

Zakkojo

1 Answer

1

By the way PKI works, nginx does not verify any of those data. It just verifies that the certificate is signed (directly or through intermediate certificates) by a trusted CA. It is the CA's job to verify those data. Usually the last part of the subject DN (the CN or emailAddress part) is somehow verified.

nginx is able to extract some standard extensions from the certificate, but if you want to read the non-standard ones you need to add the whole certificate as a header and send it to your application with something like:

proxy_set_header X-Client-Cert $ssl_client_escaped_cert;