nginx配置ssl双向验证 nginx https ssl证书配置
1. CA(证书权威机构)的配置
由于是使用openssl架设私有证书中心,因此要保证以下字段在证书中心的证书、服务端证书、客户端证书中都相同
Country Name State or Province Name Locality Name Organization Name Organizational Unit Name
修改CA配置文件
vim /etc/pki/tls/openssl.cnf database = $dir/index.txt certificate = $dir/cacert.crt serial = $dir/serial crlnumber = $dir/crlnumber private_key = $dir/private/cakey.key ....... [ req_distinguished_name ] countryName = Country Name (2 letter code) countryName_default = CHINA ....... localityName = Locality Name (eg, city) localityName_default = BeiJing ....... 0.organizationName = Organization Name (eg, company) 0.organizationName_default = Co-Mall ........ organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = PlatForm
生成证书私钥
[root@kaibin pki]# cd /etc/pki/CA/ [root@kaibin CA]# (umask 077;openssl genrsa -out private/cakey.key 2048) Generating RSA private key, 2048 bit long modulus ...............................+++ ......+++ e is 65537 (0x10001) [root@kaibin CA]# touch index.txt [root@kaibin CA]# echo 01 > serial [root@kaibin CA]# echo 01 > crlnumber
生成自签证书
[root@kaibin CA]# openssl req -new -x509 -key private/cakey.key -out cacert.crt -days 3650 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BJ]: Locality Name (eg, city) [BeiJing]: Organization Name (eg, company) [Co-Mall]: Organizational Unit Name (eg, section) [PlatForm]: Common Name (eg, your name or your server‘s hostname) []:www.test01.com Email Address []:
2.在web服务器上生成私钥与证书请求文件,并将证书请求文件传给CA
[root@kaibin conf]# mkdir /usr/local/nginx-1.6.2/ssl [root@kaibin conf]# cd /usr/local/nginx-1.6.2/ssl/ #生成私钥文件 [root@kaibin ssl]# (umask 077; openssl genrsa 1024 > nginx.key) Generating RSA private key, 1024 bit long modulus ..................++++++ .......................................................................................++++++ e is 65537 (0x10001) #生成csr请求文件 [root@kaibin ssl]# openssl req -new -key nginx.key -out nginx.csr You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter ‘.‘, the field will be left blank. ----- Country Name (2 letter code) [CN]: State or Province Name (full name) [BJ]: Locality Name (eg, city) [BeiJing]: Organization Name (eg, company) [Co-Mall]: Organizational Unit Name (eg, section) [PlatForm]: Common Name (eg, your name or your server‘s hostname) []:www.test02.com Email Address []: Please enter the following ‘extra‘ attributes to be sent with your certificate request A challenge password []: An optional company name []:
CA为web服务器的请求文件颁发证书文件,并传给web服务器
[root@kaibin ssl]# cp nginx.csr /etc/pki/CA/ [root@kaibin ssl]# cd /etc/pki/CA/ [root@kaibin CA]# openssl ca -in nginx.csr -out certs/nginx.crt -days 3650 Using configuration from /etc/pki/tls/openssl.cnf Check that the request matches the signature Signature ok Certificate Details: Serial Number: 1 (0x1) Validity Not Before: Jan 8 22:29:57 2015 GMT Not After : Jan 5 22:29:57 2025 GMT Subject: countryName = CN stateOrProvinceName = BJ organizationName = Co-Mall organizationalUnitName = PlatForm commonName = www.test02.com X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 65:2A:83:82:43:A5:60:E5:A7:1A:56:16:6C:FC:AB:C9:FB:76:B5:DB X509v3 Authority Key Identifier: keyid:32:5F:F3:F7:0E:8C:DD:6E:83:08:97:3D:C2:A0:38:EA:1F:2D:D9:35 Certificate is to be certified until Jan 5 22:29:57 2025 GMT (3650 days) Sign the certificate? [y/n]:y 1 out of 1 certificate requests certified, commit? [y/n]y Write out database with 1 new entries Data Base Updated [root@kaibin certs]# cp nginx.crt /usr/local/nginx-1.6.2/ssl/
修改nginx配置文件
server {
listen 443 ssl;
server_name www.test02.com;
ssl_certificate /usr/local/nginx-1.6.2/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx-1.6.2/ssl/nginx.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
}
我已充分了解可能的风险-->添加例外-->确认安全例外
本文出自 “Linux革命” 博客,请务必保留此出处http://kaibinyuan.blog.51cto.com/7304008/1614387
原文地址:http://kaibinyuan.blog.51cto.com/7304008/1614387
