Xu Dong Zhang

Reputation: 63

How to enable different SSL certificate for different location using Nginx?

Suppose I have only ONE domain name "example.com". I want to enable SSL certificate using "A.crt" when visiting "https://example.com/api/A" and using "B.crt" when visiting "https://example.com/api/B". How can I achieve this with Nginx configuration? Thanks.

Upvotes: 2

Views: 1683

Answers (1)

user3076105

Reputation: 416

Use a dedicated server block for each certificate, as follows:

server {
    listen 443 ssl;
    server_name apiA;
    # ...
    ssl_certificate /etc/ssl/certs/A-ss.crt;
    ssl_certificate_key /etc/ssl/private/A-ss.key;
    ssl_client_certificate /etc/ssl/certs/A.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;
    # ...
    location /api/A/ {
        # ...
    }
}

server {
    listen 443 ssl;
    server_name apiB;
    # ...
    ssl_certificate /etc/ssl/certs/B-ss.crt;
    ssl_certificate_key /etc/ssl/private/B-ss.key;
    ssl_client_certificate /etc/ssl/certs/B.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;
    # ...
    location /api/B/ {
        # ...
    }
}

where each TLS certificate-key pair *-ss.crt, *-ss.key belongs to the subdomain it serves, as set in its "Common Name" field.

This solution gives independent TLS connections at the cost of using subdomains.
Send the request with a URL pointing to the distinct host name, but redirect it to the common IP address using a proxy or /etc/hosts (or the --resolve option in curl).

Upvotes: 1
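
The server certificate is chosen during the TLS handshake, before nginx has seen the request path, so it cannot vary by location. Client-certificate policy can, though. The following is an added example, not part of the answer above: a single server block for example.com that verifies client certificates against both CAs and enforces the issuer per location. File paths and the issuer names "Client CA A" and "Client CA B" are assumptions, as is the premise that each CA signs client certificates directly.

```nginx
server {
    listen 443 ssl;
    server_name example.com;

    # One server certificate for the whole host (assumed paths).
    ssl_certificate     /etc/ssl/certs/example.com.crt;
    ssl_certificate_key /etc/ssl/private/example.com.key;

    # Assumed bundle: A.crt and B.crt concatenated into one PEM file.
    ssl_client_certificate /etc/ssl/certs/client-cas.pem;
    # "optional" lets the handshake complete without a client certificate;
    # each location below decides whether the result is acceptable.
    ssl_verify_client optional;
    ssl_verify_depth 2;

    location /api/A/ {
        # No certificate sent, or chain verification failed.
        if ($ssl_client_verify != SUCCESS) { return 403; }
        # Issuer DN must carry the assumed CN of CA A. The anchors stop
        # "Client CA A" from matching a longer CN such as "Client CA AB".
        if ($ssl_client_i_dn !~ "(^|,)CN=Client CA A(,|$)") { return 403; }
        # ...
    }

    location /api/B/ {
        if ($ssl_client_verify != SUCCESS) { return 403; }
        if ($ssl_client_i_dn !~ "(^|,)CN=Client CA B(,|$)") { return 403; }
        # ...
    }

    # Paths outside /api/A/ and /api/B/ get no client-certificate check here.
    location / {
        return 404;
    }
}
```

The issuer match relies on the comma-separated DN form that nginx uses for $ssl_client_i_dn since 1.11.6; check the exact string your certificates produce (for example by logging the variable) before relying on it.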
