openssl – NGINX Client Certificate with Indirect CRL

I’m trying to implement mTLS using Nginx SSL Module. Everything works fine until I give Nginx CRL files concatenated in PEM format because one of the CRL is an Indirect CRL.

The chain for a leaf certificate will look like this:

Root -> CA1 -> CA2 -> CA3 -> Leaf

But in my use case, CA2 and CA3 will not be able to issue CRL so CA1 signs a CRL Issuer. This CRL Issuer will issue CRL for revoked CA3 certificates and Leaf certificates.
CA3 and Leaf certs contain the CRL Issuer DN in the CDP, and the CRL file is correctly format with the CRL Extension “Distribution Point” with indirectCRL=true and each revoked certifcate in the list contains its issuer DN in the right CRL Entry extension.

I can verify the revocation of a certificate using OpenSSL but with the option “untrusted”.

$ openssl verify -crl_check -extended_crl -CAfile chain.pem -CRLfile concatcrl.pem -untrusted crlissuer.pem leafcert.pem

But I’m unable to do the same verification with Nginx:

client SSL certificate verify error: (3:unable to get certificate CRL) while reading client request headers

My Nginx configuration is:

ssl_trusted_certificate /etc/nginx/clients-cert/crlissuer.pem;
ssl_client_certificate /etc/nginx/clients-cert/root+ca1.pem;
ssl_verify_client on;
ssl_verify_depth 10;
ssl_crl /var/crl/chain-crl.pem;

(The client will send its leaf cert + CA3 + CA2).

If I comment the directive “ssl_crl”, my client can connect to the server.
I also tried different combinations of ssl_trusted_certificate and ssl_client_certificate by adding the crlissuer.pem to the chain, the chain in both directive with the CRL issuer..

I don’t see other way to resolve this issue. Please help.