1、安裝nginx
參考《nginx安裝》:http://www.ttlsa.com/nginx/nginx-install-on-linux/
如果你想在單IP/服務器上配置多個https,請看《nginx 同一個IP上配置多個HTTPS主機》
2、使用openssl實現證書中心
由於是使用openssl架設私有證書中心,因此要保證以下字段在證書中心的證書、服務端證書、客戶端證書中都相同
|
1
2
3
4
5
|
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name
|
編輯證書中心配置文件
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
|
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
[ req_distinguished_name ]
countryName = Country Name(2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = FJ
localityName = Locality Name (eg, city)
localityName_default = FZ
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zdz
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = zdz
|
創建證書私鑰
|
1
2
|
cd /etc/pki/CA/private
(umask 077;openssl genrsa -out cakey.pem 2048)
|
生成自簽證書
|
1
2
|
cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days=3655
|
3、創建服務器證書
|
1
2
3
4
5
|
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
(umask 077;openssl genrsa -out nginx.key 1024)
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days=3650
|
4、創建客戶端瀏覽器證書
|
1
2
3
4
5
|
(umask 077;openssl genrsa -out client.key 1024)
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days=3650
將文本格式的證書轉換成可以導入瀏覽器的證書
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
|
5、配置nginx服務器驗證
|
1
2
3
4
5
6
7
8
|
vim /usr/local/nginx/conf/nginx.conf
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
#ssl_verify_client on; 服務器驗證客戶端,暫時不開啟,讓沒有證書的客戶端可以訪問,先完成單向驗證
ssl_protocols SSLv2 SSLv3 TLSv1;
|
點擊“我已充分了解可能的風險”
點擊“添加例外”
點擊“確認安全例外”
6、配置雙向驗證
nginx配置開啟ssl_verify_client on;
在客戶端瀏覽器沒有安裝證書的情況下訪問
在客戶端瀏覽器導入證書
將在Linux服務器上生成的客戶端證書下載到windows上
打開火狐瀏覽器的高級選項卡
在證書管理器中的您的證書中點擊導入
選擇證書並導入
再次刷新網頁,彈出“使用確認”點擊確定,就實現了雙向驗證
本文轉自:http://www.zhengdazhi.com/?p=865