I am running a small Sinatra application which re-uses a company-wide client certificate every employee has already installed (signed by an internal SSO_CA). My Sinatra/Thin combination uses a server certificate signed by an internal company CA but expects the client certificate to be signed by the leading SSO_CA in the trust chain.
Technically this worked fine until we got a second self-signed client certificate on our PCs. The browser is unsure which certificate to use, and most users do not read the prompt and use the new certificate, which ends in a 403 error.
In addition, browsers remember the decision and you have to explain to many people how to reset the SSL state.
=> Sinatra / Thin / EventMachine do not provide an option like :SSLCACertificateFiles '/usr/sinatra/certs/SSO_CA.crt' to tell the browser "please show up with a client certificate from SSO_CA".
WEBrick has it, but this is not the right choice for "production". Moving to Nginx feels strange, as I cannot be the first having this issue with Thin. I remember that somewhere in a forum (cannot find it again) someone said that the feature is missing, but I found this before I understood that this was going to be my problem as well.
Does anybody have an idea how to force Thin/EventMachine to forward a specific CA suggestion for the client certificate? It is not :SSLCACertificateFiles, I tried it already.
:cert_chain_file => File.dirname(__FILE__) + "/keys/comp_key/s3l.cer",
:private_key_file => File.dirname(__FILE__) + "/keys/comp_key/s3l.key",
:verify_peer => true,
:SSLVerifyClient => true
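What a browser uses to pre-select a client certificate is the list of acceptable CA names that the server puts into the TLS CertificateRequest message (SSL_CTX_set_client_CA_list in OpenSSL; WEBrick's :SSLClientCA and Ruby's OpenSSL::SSL::SSLContext#client_ca= set exactly this list). The Ruby script below is an added example, not code from the question or from Thin/EventMachine: it builds throwaway certificates (an internal CA for the server, a separate SSO_CA for employees; every name and key is constructed here), runs a mutual-TLS handshake over loopback once with and once without client_ca set, and shows that only in the first case the client receives "/CN=SSO_CA" as an acceptable CA, while the server verifies the presented certificate against SSO_CA in both cases. It uses only the Ruby standard library; whether Thin exposes client_ca in its SSL options is the open question above, so this demonstrates the mechanism rather than a Thin configuration.

```ruby
require "openssl"
require "socket"
require "securerandom"

# Issue a self-signed CA (ca: true) or a leaf certificate signed by `issuer`.
# Every name and key here is constructed for this example.
def make_cert(cn, issuer: nil, ca: false)
  key  = OpenSSL::PKey::EC.generate("prime256v1")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                                   # X.509 v3
  cert.serial     = SecureRandom.random_number(1 << 62) + 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key                                 # only the public part is stored
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[:cert] : cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", ca ? "keyCertSign,cRLSign" : "digitalSignature", true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# Server side: its own chain comes from the internal CA, but only SSO_CA is
# trusted for client certificates. `advertise: true` puts SSO_CA's name into
# the CertificateRequest (SSL_CTX_add_client_CA), which is what lets a browser
# pre-select the matching client certificate instead of asking the user.
def server_context(server, internal_ca, sso_ca, advertise:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(server[:cert], server[:key], [internal_ca[:cert]])
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(sso_ca[:cert]) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx.client_ca   = [sso_ca[:cert]] if advertise
  ctx
end

# Client side (stands in for the employee's browser): trusts the internal CA
# for the server certificate and presents the SSO_CA-issued certificate.
def client_context(client, internal_ca)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(client[:cert], client[:key])
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(internal_ca[:cert]) }
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

# Run one handshake over loopback and report what each side observed:
# the CA names the client was offered, and the client subject the server verified.
def handshake(server_ctx, client_ctx)
  listener = TCPServer.new("127.0.0.1", 0)
  port = listener.addr[1]
  acceptor = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, server_ctx)
    ssl.sync_close = true
    ssl.accept                                          # fails unless the client cert chains to SSO_CA
    subject = ssl.peer_cert.subject.to_s
    ssl.close
    subject
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), client_ctx)
  ssl.sync_close = true
  ssl.connect
  # DNs the server listed as acceptable client CAs; nil when none were sent (TLS 1.3).
  advertised = Array(ssl.client_ca).map(&:to_s)
  ssl.close
  { advertised: advertised, client_subject: acceptor.value }
ensure
  listener&.close
end

if $PROGRAM_NAME == __FILE__
  internal_ca = make_cert("Internal CA", ca: true)
  sso_ca      = make_cert("SSO_CA", ca: true)
  server      = make_cert("sinatra.example.test", issuer: internal_ca)
  employee    = make_cert("employee", issuer: sso_ca)
  client      = client_context(employee, internal_ca)
  [true, false].each do |advertise|
    r = handshake(server_context(server, internal_ca, sso_ca, advertise: advertise), client)
    puts "advertise=#{advertise}: client was offered #{r[:advertised].inspect}, server verified #{r[:client_subject]}"
  end
end
```

The second run shows the situation described in the question: with an empty list the client has nothing to go on and has to guess, and a guess that chains to the wrong CA fails the server's verification. The server context also keeps VERIFY_FAIL_IF_NO_PEER_CERT, so a client without any certificate is rejected during the handshake rather than reaching the application.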