感谢大牛的技术分享,本文参照:http://blog.csdn.net/kunoy/article/details/8239653,进行,并修正为自己的配置,本文为双向验证的配置。
配置环境
系统:centos6.5
nginx:1.6.2(安装通过yum安装,添加源,这个是stable`稳定版本`,http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm)
开始配置
nginx配置文件位置:
> /etc/nginx/conf.d/example_ssl.conf
修改/etc/nginx/conf.d/example_ssl.conf
注:/etc/nginx/conf.d/example_ssl.conf是被/etc/nginx/nginx.conf包含到自身的一个文件。
改为内容如下
#HTTP-SERVER
server {
listen 443;
server_name localhost;
ssi on;
ssi_silent_errors on;
ssi_types text/shtml;
ssl on;
ssl_certificate /etc/nginx/ca/server/server.crt;
ssl_certificate_key /etc/nginx/ca/server/server.key;
ssl_client_certificate /etc/nginx/ca/private/ca.crt;
ssl_session_timeout 5m;
ssl_verify_client on;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
root /usr/share/nginx/html;
index index.html index.htm;
}
}签发证书
创建配置文件/etc/nginx/ca/conf/openssl.conf
[ ca ]
default_ca = foo # The default ca section
[ foo ]
dir = /etc/nginx/ca # top dir
database = /etc/nginx/ca/index.txt # index file.
new_certs_dir = /etc/nginx/ca/newcerts # new certs dir
certificate = /etc/nginx/ca/private/ca.crt # The CA cert
serial = /etc/nginx/ca/serial # serial no file
private_key = /etc/nginx/ca/private/ca.key # CA private key
RANDFILE = /etc/nginx/ca/private/.rand # random number file
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = md5 # message digest method to use
unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
policy = policy_any # default policy
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = match
commonName = match
emailAddress = match
在/etc/niginx/ca 下 创建文件new_ca.sh ,执行生成根证书
#!/bin/sh # Generate the key. openssl genrsa -out private/ca.key # Generate a certificate request. openssl req -new -key private/ca.key -out private/ca.csr # Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark. # I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this # service will never see the light of an unencrypted Internet see the cheap and lazy remark. # So self sign our root key. openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt # Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits. echo FACE > serial # Create the CA's key database. touch index.txt # Create a Certificate Revocation list for removing 'user certificates.' openssl ca -gencrl -out /etc/nginx/ca/private/ca.crl -crldays 7 -config "/etc/nginx/ca/conf/openssl.conf"
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it. openssl genrsa -out server/server.key # Take our key and create a Certificate Signing Request for it. openssl req -new -key server/server.key -out server/server.csr # Sign this bastard key with our bastard CA key. openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/etc/nginx/ca/conf/openssl.conf"
在/etc/niginx/ca 下 创建文件new_user.sh ,执行生成客户端证书
#!/bin/sh # The base of where our SSL stuff lives. base="/etc/nginx/ca" # Were we would like to store keys... in this case we take the username given to us and store everything there. mkdir -p $base/users/ # Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key. openssl genrsa -des3 -out $base/users/client.key 1024 # Create a Certificate Signing Request for said key. openssl req -new -key $base/users/client.key -out $base/users/client.csr # Sign the key with our CA's key and cert and create the user's certificate out of it. openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "/etc/nginx/ca/conf/openssl.conf" # This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific. # The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain. # Take the same precaution with the export password that would take with any other password based authentication scheme. openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12
原文地址:http://blog.csdn.net/jam_lee/article/details/42638501
