1、安装nginx
参考《nginx安装》:https://www.ttlsa.com/nginx/nginx-install-on-linux/
如果你想在单IP/服务器上配置多个https,请看《nginx 同一个IP上配置多个HTTPS主机》文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
2、使用openssl实现证书中心
由于是使用openssl架设私有证书中心,因此要保证以下字段在证书中心的证书、服务端证书、客户端证书中都相同文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
Country Name State or Province Name Locality Name Organization Name Organizational Unit Name
文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
编辑证书中心配置文件文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
vim /etc/pki/tls/openssl.cnf [ CA_default ] dir = /etc/pki/CA certs = $dir/certs # Where the issued certs are kept crl_dir = $dir/crl # Where the issued crl are kept database = $dir/index.txt # database index file. #unique_subject = no # Set to 'no' to allow creation of # several ctificates with same subject. new_certs_dir = $dir/newcerts # default place for new certs. certificate = $dir/cacert.pem # The CA certificate serial = $dir/serial # The current serial number crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL crl = $dir/crl.pem # The current CRL private_key = $dir/private/cakey.pem# The private key RANDFILE = $dir/private/.rand # private random number file [ req_distinguished_name ] countryName = Country Name(2 letter code) countryName_default = CN countryName_min = 2 countryName_max = 2 stateOrProvinceName = State or Province Name (full name) stateOrProvinceName_default = FJ localityName = Locality Name (eg, city) localityName_default = FZ 0.organizationName = Organization Name (eg, company) 0.organizationName_default = zdz organizationalUnitName = Organizational Unit Name (eg, section) organizationalUnitName_default = zdz
创建证书私钥文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
cd /etc/pki/CA/private (umask 077;openssl genrsa -out cakey.pem 2048)
生成自签证书文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
cd /etc/pki/CA/ openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days=3655
3、创建服务器证书
mkdir /usr/local/nginx/ssl cd /usr/local/nginx/ssl (umask 077;openssl genrsa -out nginx.key 1024) openssl req -new -key nginx.key -out nginx.csr openssl ca -in nginx.csr -out nginx.crt -days=3650
4、创建客户端浏览器证书
(umask 077;openssl genrsa -out client.key 1024) openssl req -new -key client.key -out client.csr openssl ca -in client.csr -out client.crt -days=3650 将文本格式的证书转换成可以导入浏览器的证书 openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
5、配置nginx服务器验证
vim /usr/local/nginx/conf/nginx.conf ssl on; ssl_certificate /usr/local/nginx/ssl/nginx.crt; ssl_certificate_key /usr/local/nginx/ssl/nginx.key; ssl_client_certificate /usr/local/nginx/ssl/cacert.pem; ssl_session_timeout 5m; #ssl_verify_client on; 服务器验证客户端,暂时不开启,让没有证书的客户端可以访问,先完成单向验证 ssl_protocols SSLv2 SSLv3 TLSv1;
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
点击“我已充分了解可能的风险”
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
点击“添加例外”
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
点击“确认安全例外”
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
6、配置双向验证
nginx配置开启ssl_verify_client on;
在客户端浏览器没有安装证书的情况下访问文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
在客户端浏览器导入证书
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
将在Linux服务器上生成的客户端证书下载到windows上
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
打开火狐浏览器的高级选项卡
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
在证书管理器中的您的证书中点击导入
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
选择证书并导入
.png "nginx配置ssl双向验证 nginx https ssl证书配置")
再次刷新网页,弹出“使用确认”点击确定,就实现了双向验证文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
本文转自:http://www.zhengdazhi.com/?p=865文章源自运维生存时间-https://www.ttlsa.com/nginx/nginx-configuration-ssl/
3F
此博文中“创建服务器证书”生成的证书(nginx.crt),不是CA根级证书下的级联证书,浏览器访问似乎一切正常,但是PHP使用curl访问,不带客户端证书,照样能获取到网页数据:
正确的做法应该参考这篇博文:http://www.cnblogs.com/dyllove98/p/3157370.html
2F
受用了。
1F
有时间测试一下。