1. Install nginx
See "nginx installation": http://www.ttlsa.com/nginx/nginx-install-on-linux/
If you want to serve several HTTPS sites on a single IP/server, see "nginx: configuring multiple HTTPS hosts on the same IP".
2. Setting up a certificate authority with openssl
Because we are running a private CA with openssl, the following fields must be identical in the CA certificate, the server certificate and the client certificate (the default `policy_match` policy in openssl.cnf makes `openssl ca` refuse a request whose country, state/province or organization differs from the CA certificate's):
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name
Edit the CA configuration file (only the relevant sections are shown; the `*_default` values are what the certificate prompts will offer):
```
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir             = /etc/pki/CA
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file
[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = FJ
localityName                    = Locality Name (eg, city)
localityName_default            = FZ
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = zdz
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = zdz
```
Create the CA private key:
```
cd /etc/pki/CA/private
(umask 077; openssl genrsa -out cakey.pem 2048)
```
Generate the self-signed CA certificate:
```
cd /etc/pki/CA/
touch index.txt; echo 01 > serial   # database and serial files required by "openssl ca" below (not shown in the original post)
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
```
3. Create the server certificate
```
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
(umask 077; openssl genrsa -out nginx.key 1024)   # 1024-bit RSA is rejected by current browsers and OpenSSL; use 2048 bits or more
openssl req -new -key nginx.key -out nginx.csr     # answer the prompts with the same C/ST/L/O/OU as the CA certificate
openssl ca -in nginx.csr -out nginx.crt -days 3650
```
4. Create the client (browser) certificate
```
(umask 077; openssl genrsa -out client.key 1024)   # as above, prefer 2048 bits or more
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
```
Convert the text-format (PEM) certificate into a PKCS#12 bundle that can be imported into a browser:
```
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
```
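As an added example (not part of the original post), the following script rebuilds the CA pipeline of sections 2 to 4 non-interactively in a scratch directory, using the subject values from the openssl.cnf above, and checks two things the post never verifies: that issued certificates chain to cacert.pem, and that the CA's policy_match refuses a request whose Organization differs from the CA's. The function names and the subjects demo-ca, www.example.com and rogue are my own.

```shell
# Added example, not from the original post: rebuild the post's CA pipeline in a
# scratch directory and check that issued certs chain to cacert.pem and that the
# CA's policy_match refuses a CSR whose C/ST/O differ from the CA certificate.
set -eu
# Subject values taken from the post's openssl.cnf defaults (CN, FJ, FZ, zdz).
CA_SUBJ="/C=CN/ST=FJ/L=FZ/O=zdz/OU=zdz/CN=demo-ca"
SRV_SUBJ="/C=CN/ST=FJ/L=FZ/O=zdz/OU=zdz/CN=www.example.com"
BAD_SUBJ="/C=CN/ST=FJ/L=FZ/O=other/OU=zdz/CN=rogue"   # O differs: must be refused
# Create the layout "openssl ca" needs (index.txt, serial, newcerts) and self-sign the CA.
setup_ca() {   # $1 = scratch directory
    mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $1
new_certs_dir = \$dir/newcerts
database = \$dir/index.txt
serial = \$dir/serial
certificate = \$dir/cacert.pem
private_key = \$dir/cakey.pem
default_md = sha256
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
localityName = optional
organizationalUnitName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl genrsa -out "$1/cakey.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/cakey.pem" -out "$1/cacert.pem" -days 3655 \
        -subj "$CA_SUBJ" -config "$1/openssl.cnf"
}
# Sign a CSR for $2 with subject $3 through the CA; prints "issued" or "refused".
issue_cert() {   # $1 = CA dir, $2 = name, $3 = subject
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$1/$2.key" -out "$1/$2.csr" -subj "$3" -config "$1/openssl.cnf"
    if openssl ca -batch -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" \
           -days 3650 >/dev/null 2>&1; then echo issued; else echo refused; fi
}
# Check that an issued cert chains to the demo CA; prints "OK" or "FAIL".
verify_cert() { openssl verify -CAfile "$1/cacert.pem" "$1/$2.crt" >/dev/null 2>&1 && echo OK || echo FAIL; }
```

Run it as `d=$(mktemp -d); setup_ca "$d"; issue_cert "$d" server "$SRV_SUBJ"; verify_cert "$d" server; issue_cert "$d" rogue "$BAD_SUBJ"` to see "issued", "OK" and "refused" in turn.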
5. Configure nginx for server-side verification
```
vim /usr/local/nginx/conf/nginx.conf
ssl on;                 # deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;" instead
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
# the CA certificate used to verify client certificates; copy /etc/pki/CA/cacert.pem into this directory first
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
#ssl_verify_client on;  # server verifies the client; leave it off for now so clients without a certificate can still connect, and finish one-way verification first
# SSLv2 and SSLv3 are broken and rejected by current browsers; current builds should allow only TLSv1.2 and TLSv1.3
ssl_protocols SSLv2 SSLv3 TLSv1;
```
Open the site in Firefox. Because the server certificate was issued by a private CA the browser does not trust, it shows a warning page:
Click "I Understand the Risks"
Click "Add Exception"
Click "Confirm Security Exception"
6. Configure two-way verification
In the nginx configuration, enable `ssl_verify_client on;`
Access the site from a client browser that has no certificate installed
Import the certificate into the client browser:
Download the client certificate (client.p12) generated on the Linux server to the Windows machine
Open the Advanced tab in Firefox's options
In the Certificate Manager, under "Your Certificates", click Import
Select the certificate and import it
Refresh the page again; when the confirmation dialog pops up, click OK, and two-way verification is complete.
Reposted from: http://www.zhengdazhi.com/?p=865