如何为nginx客户端证书验证指定多个根证书？

This is a consideration为什么nginx不支持目录中的ssl_client_certificate(就像Apache那样)

“Certificate file” vs “certificate path” difference isn’t about running something after updates of certificates or not (in both cases you have to update something,either cat to a single file or the c_rehash script to create symbolic links in case of CApath). The difference is about certificates in memory vs. certficates on disk,and the later implies syscalls and disk access on each certificate check.

As nginx is designed to work under high loads,with many requests (and handshakes) per second,it uses CAfile variant. And as nginx configuration reload is seamless,it’s unlikely the CApath variant will add any extra value.

Maxim Dounin