nginx配置ssl双向验证 nginx https ssl证书配置

1、安装nginx

参考《nginx安装》：http://www.ttlsa.com/nginx/nginx-install-on-linux/

如果你想在单IP/服务器上配置多个https，请看《nginx 同一个IP上配置多个HTTPS主机》

2、使用openssl实现证书中心

由于是使用openssl架设私有证书中心，因此要保证以下字段在证书中心的证书、服务端证书、客户端证书中都相同

Country Name State or Province Name Locality Name Organization Name Organizational Unit Name

1 2 3 4 5

Country Name State or Province Name Locality Name Organization Name Organizational Unit Name

编辑证书中心配置文件

vim /etc/pki/tls/openssl.cnf [ CA_default ] dir             = /etc/pki/CA certs           = $dir/certs            # Where the issued certs are kept crl_dir         = $dir/crl              # Where the issued crl are kept database        = $dir/index.txt        # database index file. #unique_subject = no                    # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir   = $dir/newcerts         # default place for new certs. certificate     = $dir/cacert.pem       # The CA certificate serial          = $dir/serial           # The current serial number crlnumber       = $dir/crlnumber        # the current crl number                                        # must be commented out to leave a V1 CRL crl             = $dir/crl.pem          # The current CRL private_key     = $dir/private/cakey.pem# The private key RANDFILE        = $dir/private/.rand    # private random number file [ req_distinguished_name ] countryName                     = Country Name(2 letter code) countryName_default             = CN countryName_min                 = 2 countryName_max                 = 2 stateOrProvinceName             = State or Province Name (full name) stateOrProvinceName_default     = FJ localityName                    = Locality Name (eg, city) localityName_default            = FZ 0.organizationName              = Organization Name (eg, company) 0.organizationName_default      = zdz organizationalUnitName          = Organizational Unit Name (eg, section) organizationalUnitName_default  = zdz

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

vim /etc/pki/tls/openssl.cnf [ CA_default ] dir             = /etc/pki/CA certs           = $dir/certs            # Where the issued certs are kept crl_dir         = $dir/crl              # Where the issued crl are kept database        = $dir/index.txt        # database index file. #unique_subject = no                    # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir   = $dir/newcerts         # default place for new certs. certificate     = $dir/cacert.pem       # The CA certificate serial          = $dir/serial           # The current serial number crlnumber       = $dir/crlnumber        # the current crl number                                        # must be commented out to leave a V1 CRL crl             = $dir/crl.pem          # The current CRL private_key     = $dir/private/cakey.pem# The private key RANDFILE        = $dir/private/.rand    # private random number file [ req_distinguished_name ] countryName                     = Country Name(2 letter code) countryName_default             = CN countryName_min                 = 2 countryName_max                 = 2 stateOrProvinceName             = State or Province Name (full name) stateOrProvinceName_default     = FJ localityName                    = Locality Name (eg, city) localityName_default            = FZ 0.organizationName              = Organization Name (eg, company) 0.organizationName_default      = zdz organizationalUnitName          = Organizational Unit Name (eg, section) organizationalUnitName_default  = zdz

创建证书私钥

cd /etc/pki/CA/private (umask 077;openssl genrsa -out cakey.pem 2048)

1 2	cd /etc/pki/CA/private (umask 077;openssl genrsa -out cakey.pem 2048)

生成自签证书

cd /etc/pki/CA/ openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days=3655

1 2	cd /etc/pki/CA/ openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days=3655

3、创建服务器证书

mkdir /usr/local/nginx/ssl cd /usr/local/nginx/ssl (umask 077;openssl genrsa -out nginx.key 1024) openssl req -new -key nginx.key -out nginx.csr openssl ca -in nginx.csr -out nginx.crt -days=3650

1 2 3 4 5

mkdir /usr/local/nginx/ssl cd /usr/local/nginx/ssl (umask 077;openssl genrsa -out nginx.key 1024) openssl req -new -key nginx.key -out nginx.csr openssl ca -in nginx.csr -out nginx.crt -days=3650

4、创建客户端浏览器证书

(umask 077;openssl genrsa -out client.key 1024) openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.crt -days=3650 将文本格式的证书转换成可以导入浏览器的证书 openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

1 2 3 4 5

(umask 077;openssl genrsa -out client.key 1024) openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.crt -days=3650 将文本格式的证书转换成可以导入浏览器的证书 openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

5、配置nginx服务器验证

vim /usr/local/nginx/conf/nginx.conf ssl on; ssl_certificate         /usr/local/nginx/ssl/nginx.crt; ssl_certificate_key     /usr/local/nginx/ssl/nginx.key; ssl_client_certificate  /usr/local/nginx/ssl/cacert.pem; ssl_session_timeout     5m; #ssl_verify_client       on;                         服务器验证客户端，暂时不开启，让没有证书的客户端可以访问，先完成单向验证 ssl_protocols           SSLv2 SSLv3 TLSv1;

1 2 3 4 5 6 7 8

vim /usr/local/nginx/conf/nginx.conf ssl on; ssl_certificate         /usr/local/nginx/ssl/nginx.crt; ssl_certificate_key     /usr/local/nginx/ssl/nginx.key; ssl_client_certificate  /usr/local/nginx/ssl/cacert.pem; ssl_session_timeout     5m; #ssl_verify_client       on;                         服务器验证客户端，暂时不开启，让没有证书的客户端可以访问，先完成单向验证 ssl_protocols           SSLv2 SSLv3 TLSv1;

点击“我已充分了解可能的风险”

点击“添加例外”

点击“确认安全例外”

6、配置双向验证
nginx配置开启ssl_verify_client       on;
在客户端浏览器没有安装证书的情况下访问

在客户端浏览器导入证书

将在Linux服务器上生成的客户端证书下载到windows上

打开火狐浏览器的高级选项卡

在证书管理器中的您的证书中点击导入

选择证书并导入

再次刷新网页，弹出“使用确认”点击确定，就实现了双向验证

本文转自:http://www.zhengdazhi.com/?p=865