friht posted on 2018-11-9 07:05:19

NGINX SSL Mutual (Two-Way) Authentication

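  How SSL works
  The SSL four-step handshake
  Taking HTTP + SSL as an example:
  A user on a personal PC wants to use China Merchants Bank's online banking and will enter sensitive information such as a card number and password. The data must therefore be transmitted encrypted (symmetric encryption is used for the bulk of the data), and the user must be certain that the other end really is the China Merchants Bank website.
  Client                HTTPS Server
  1. The client first sends the server an SSL request asking for a secure session: prove your identity, and let the two of us negotiate which symmetric encryption algorithm, digital signature algorithm and so on we are going to use.
  ----------------->
  2. On receiving the request, the HTTPS server responds to the client and sends it the server certificate (the S certificate).
  <----------------
  3. The client must verify the S certificate. The client holds the CA's certificate and can use it to verify the S certificate (checking whether it can be decrypted, then whether the identifier [server domain name/host name] matches).
  The client then generates a symmetric encryption KEY, encrypts the KEY with the S public key, and sends it to the server.
  ------------------->
  4. The HTTPS server decrypts with its own private key to obtain the KEY. It generates some random data, encrypts it with the KEY, and sends it to the client.
  <--------------------
  From then on, both sides encrypt the page data with the KEY and transmit it securely.
  <--------------------->
  Procedure for issuing self-signed certificates: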
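  1. First generate the server's private key (key file):
  # cd /usr/local/nginx/conf/ssl
  # openssl genrsa -des3 -out server.key 2048
  You will be prompted for a passphrase, which is used to encrypt the key file (the des3 option selects the encryption algorithm; you can of course choose another algorithm you consider secure). From then on, every time this file is read (through the openssl commands or API) the passphrase must be entered. If that is inconvenient you can remove the passphrase, but you must then protect the key by other means!
  Command to remove the passphrase from the key file:
  # openssl rsa -in server.key -out server.key
  Note: once this command has been run, starting NGINX does not require the passphrase.
  2. Use server.key to generate a certificate signing request: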
  # openssl req -new -key server.key -out server.csr
  Enter pass phrase for server.key:
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) :cn
  State or Province Name (full name) :cn
  Locality Name (eg, city) :bj
  Organization Name (eg, company) :uplooking
  Organizational Unit Name (eg, section) []:uplooking
  Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
  Email Address []:liuyonglong@120.net
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:123456
  An optional company name []:
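  This generates the Certificate Signing Request (CSR). The resulting csr file is handed to the CA, whose signature turns it into the server's own certificate. Fill in the basic information for the server certificate at the prompts.
  3. Run the same commands for the client to generate its key and csr files: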
  # openssl genrsa -des3 -out client.key 2048
  # openssl req -new -key client.key -out client.csr
  Enter pass phrase for client.key:
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) :cn
  State or Province Name (full name) :cn
  Locality Name (eg, city) :bj
  Organization Name (eg, company) :uplooking
  Organizational Unit Name (eg, section) []:uplooking
  Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
  Email Address []:liuyonglong@120.net
  Please enter the following 'extra' attributes
  to be sent with your certificate request
  A challenge password []:123456
  An optional company name []:
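  4. The generated CSR files must be signed by a CA before they become certificates. Here we create our own CA; this step generates a key file ca.key and a root certificate ca.crt: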
  # openssl req -new -x509 -keyout ca.key -out ca.crt
  Generating a 1024 bit RSA private key
  .............++++++
  ...........++++++
  writing new private key to 'sfnca.key'
  Enter PEM pass phrase:
  Verifying - Enter PEM pass phrase:
  -----
  You are about to be asked to enter information that will be incorporated
  into your certificate request.
  What you are about to enter is what is called a Distinguished Name or a DN.
  There are quite a few fields but you can leave some blank
  For some fields there will be a default value,
  If you enter '.', the field will be left blank.
  -----
  Country Name (2 letter code) :cn
  State or Province Name (full name) :cn
  Locality Name (eg, city) :bj
  Organization Name (eg, company) :ca
  Organizational Unit Name (eg, section) []:ca
  Common Name (eg, your name or your server's hostname) []:mail.ca.cn
  Email Address []:admin@ca.cn
  Preparation for signing the certificates:
  # vim /etc/pki/tls/openssl.cnf
  #dir            = ../../CA      # change this line as follows
  dir             = /etc/pki/CA
  # touch /etc/pki/CA/{index.txt,serial}    # create the files that openssl.cnf expects
  # echo 01 > /etc/pki/CA/serial
  # mkdir /etc/pki/CA/newcerts
  5. Use the CA certificate (ca.crt) to sign the server.csr and client.csr files generated earlier:
  # openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
  Using configuration from /etc/pki/tls/openssl.cnf
  Enter pass phrase for ca.key:
  Check that the request matches the signature
  Signature ok
  Certificate Details:
  Serial Number: 3 (0x3)
  Validity
  Not Before: Nov 29 03:48:44 2010 GMT
  Not After : Nov 29 03:48:44 2011 GMT
  Subject:
  countryName               = cn
  stateOrProvinceName       = cn
  organizationName          = uplooking
  organizationalUnitName    = uplooking
  commonName                = lvs.xxx.com
  X509v3 extensions:
  X509v3 Basic Constraints:
  CA:FALSE
  Netscape Comment:
  OpenSSL Generated Certificate

  X509v3 Subject Key Identifier:
  02:B3:76:13:64:EB:04:D2:6C:9E:72:86:F5:A3:CE:84:19:EA:C6:DB
  X509v3 Authority Key Identifier:
  keyid:25:F6:E6:C4:5D:AD:02:DA:76:9F:74:FF:E4:0F:CC:45:55:CC:06:A7
  Certificate is to be certified until Nov 29 03:48:44 2011 GMT (365 days)
  Sign the certificate? :y
  1 out of 1 certificate requests certified, commit? y
  Write out database with 1 new entries
  Data Base Updated
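  # openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key    # same signing steps as above
  In addition, this certificate is in BASE64 form and must be converted to PKCS12 before it can be installed in IE/Netscape. Convert it as follows:
  Just double-click the file to install it.
  # openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
  This is the certificate format that iOS requires.
  # openssl x509 -in client.crt -out client.cer
  This is the certificate format that Android requires.
  # openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
  Enter pass phrase for client.key:      // passphrase of the client private key
  Enter Export Password:             // password that will be required when importing the pfx file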
  Verifying - Enter Export Password:
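  Files used by the client: ca.crt, client.crt, client.key, client.pfx
  Files used by the server: ca.crt, server.crt, server.key
  Configure nginx as follows:
  ssl on;                                       # obsolete since nginx 1.15.0; newer versions use "listen 443 ssl;"
  ssl_certificate ssl/server.crt;
  ssl_certificate_key ssl/server.key;
  #ssl_client_certificate ssl/client/client.crt;
  ssl_client_certificate ssl/ca.crt;            # CA certificate
  ssl_verify_client on;                         # enable client (two-way) authentication
  #ssl_protocols SSLv2 SSLv3 TLSv1;
  #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
  #ssl_prefer_server_ciphers   on;
  Installing and using the certificates: install the certificates generated above, the root certificate ca.crt and the client certificate client.crt (client.pfx), on the client.
  Install ca.crt into the trusted authorities store; client.crt is installed directly in Windows or into the personal certificate store.
  Then access the HTTP and HTTPS servers by IP. In IE we normally import the client.pfx certificate;
  the import prompts for the password set above: 123456
  Test: https://lvs.xxx.com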
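
  The signing flow of steps 1 to 5 and the chain check nginx applies to client certificates, as a non-interactive script; this is an added example, not part of the original post. It signs with openssl x509 -req instead of openssl ca and writes unencrypted keys to a temporary directory, and the names otherca and stranger are constructed to show a certificate from a CA that nginx does not trust being rejected.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed names: otherca, stranger.
set -eu

# make_ca DIR NAME: self-signed root certificate NAME.crt and key NAME.key (step 4).
make_ca() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/C=cn/O=ca/CN=$2" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue DIR CA NAME: key and CSR for NAME (steps 1-3), signed by CA (step 5).
# Uses "x509 -req" rather than "openssl ca", so no /etc/pki/CA database is needed.
issue() {
    openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
    openssl req -new -key "$1/$3.key" -subj "/C=cn/O=uplooking/CN=$3" \
        -out "$1/$3.csr"
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
        -CAcreateserial -sha256 -days 365 -out "$1/$3.crt" 2>/dev/null
}

# trusted DIR CA NAME: prints "accept" if NAME.crt chains to CA.crt, else "reject".
# This is the chain check that ssl_client_certificate + ssl_verify_client on enforce.
trusted() {
    if openssl verify -CAfile "$1/$2.crt" "$1/$3.crt" >/dev/null 2>&1
    then echo accept
    else echo reject
    fi
}

demo() {
    d=$(mktemp -d)
    make_ca "$d" ca
    make_ca "$d" otherca
    issue "$d" ca server
    issue "$d" ca client
    issue "$d" otherca stranger
    echo "client signed by ca:        $(trusted "$d" ca client)"
    echo "stranger signed by otherca: $(trusted "$d" ca stranger)"
    rm -rf "$d"
}

demo
```

  Against the running server, curl --cacert ca.crt --cert client.crt --key client.key https://lvs.xxx.com/ exercises the same check end to end; without --cert, nginx answers 400 with "No required SSL certificate was sent".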
