nginx SSL mutual authentication (two-way verification)
First, a look at how the HTTPS verification process works. (This is a simplified description of the RSA key exchange used by TLS 1.2 and earlier; TLS 1.3 and ECDHE cipher suites derive the session key differently, but the certificate checks in step 3 are the same.)
1. The client sends the server an SSL request asking for a secure session: prove your identity, and let's negotiate which symmetric cipher, signature algorithm and so on we will use for the rest of the conversation.
----------------->
2. The HTTPS server receives the request and answers the client by sending its certificate (the S certificate).
<----------------
3. The client has to verify the S certificate. The client holds the CA's certificate, so it can check the CA's signature on the S certificate with the CA's public key, check the validity period, and then check that the name in the certificate (server domain name/hostname) matches the host it connected to.
The client then generates a symmetric session KEY, encrypts it with the S public key, and sends it to the server.
------------------->
4. The HTTPS server decrypts it with its own private key and obtains the KEY. It then generates some random data, encrypts it with the KEY and sends it to the client; being able to do so proves that the server holds the private key that matches the certificate.
<--------------------
From here on both sides encrypt the page data with the KEY and transfer it securely.
<--------------------->
We now follow that process step by step. Point 1: the HTTPS server needs its own S certificate:
openssl genrsa -des3 -out server.key 2048    # generate the server's private key (DES3-encrypted with a passphrase; nginx will ask for it at startup unless you use ssl_password_file or generate the key without -des3)
openssl req -new -key server.key -out server.csr -days 3650    # generate a certificate signing request from that key; this is only a request, not a certificate (note: -days is ignored for a CSR, the validity period is fixed when the CA signs it)
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :cn
State or Province Name (full name) :gd
Locality Name (eg, city) :gz
Organization Name (eg, company) :me
Organizational Unit Name (eg, section) []:me
Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
Email Address []:liuyonglong@120.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Point 2: to be able to issue the HTTPS server's certificate we need to set up a CA
openssl req -new -x509 -keyout ca.key -out ca.crt -days 3650    # generate the CA key and its self-signed certificate in one go
The transcript below shows that this OpenSSL version generated a 1024-bit key by default; that is too weak today, so add -newkey rsa:2048 (or larger) to the command.
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :cn
State or Province Name (full name) :gd
Locality Name (eg, city) :gz
Organization Name (eg, company) :ca
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:mail.ca.cn
Email Address []:admin@ca.cn
Step 3: before issuing the HTTPS server's certificate with openssl ca, prepare the CA directory that openssl.cnf points to
# vim /etc/pki/tls/openssl.cnf
#dir = ../../CA    # change this line as follows
dir = /etc/pki/CA
# touch /etc/pki/CA/{index.txt,serial}    # create the CA database (index.txt) and the serial-number file that openssl ca reads from openssl.cnf
# echo 01 > /etc/pki/CA/serial    # first serial number to issue
# mkdir /etc/pki/CA/newcerts    # openssl ca keeps a copy of every issued certificate here
Now the HTTPS server's certificate can be issued:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key    # sign the request with the CA key; the signed certificate goes to server.crt and a copy to /etc/pki/CA/newcerts
Two caveats. The stock openssl.cnf uses policy_match, which requires the Country, State and Organization fields of a request to be identical to the CA's; with the names entered above (O=me for the server versus O=ca for the CA) openssl ca refuses the request, so either make those fields match or pass -policy policy_anything. Also, a certificate issued this way has no subjectAltName, and browsers match the hostname against the SAN rather than the CN, so outside a lab add the hostname through an extensions section. With server.crt and server.key installed, clients can reach the server over HTTPS.
At the same time, the HTTPS server can also demand a certificate from the client and verify it against the same CA, which gives mutual (two-way) authentication.
Step 4: generate the client certificate
openssl genrsa -des3 -out client.key 2048    # client private key
openssl req -new -key client.key -out client.csr -days 3650    # client CSR (-days is ignored here too)
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key    # signed by the same CA that nginx will be told to trust
The certificate produced is in PEM (Base64) form; browsers such as IE and Netscape import PKCS#12, which bundles the certificate and its private key in one password-protected file, so convert it as follows:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12    # prompts for client.key's passphrase and for an export password, which the browser asks for on import
Finally, configure nginx on the HTTPS server side so that it performs SSL mutual verification:
listen 443 ssl;    # the old "ssl on;" form is deprecated since nginx 1.15.0 and has since been removed
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
ssl_client_certificate ssl/ca.crt;    # CA certificate that client certificates must chain to (ssl_verify_depth, default 1, covers certificates issued directly by this CA)
ssl_verify_client on;    # require a client certificate and verify it; "optional" requests one but lets the application decide via $ssl_client_verify
With one-way verification only, client.p12 does not need to be installed in the browser. With mutual verification enabled, client.p12 has to be imported into the browser, which then presents the certificate during the handshake so that the HTTPS server can verify the client; a client that sends no certificate gets HTTP 400 "No required SSL certificate was sent". To test without a browser, openssl s_client can connect with the client certificate and key (-cert, -key) and the CA (-CAfile); a successful mutual handshake ends with "Verify return code: 0 (ok)".
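The following script is an added example and not code from the original post. It runs the procedure above (CA, server certificate, client certificate, client.p12) non-interactively in a throwaway directory using openssl ca with its own config file rather than /etc/pki, and then performs the same checks nginx will make on a presented certificate. It goes beyond the page in three ways: it puts the hostname in a subjectAltName, it gives the server and client certificates distinct extendedKeyUsage values, and it shows that a certificate issued for the server is rejected when presented as a client certificate. The DNs and the hostname lvs.xxx.com are taken from the page; the file names, extension section names, the client CN "client1" and the p12 password are assumptions for the demo. It needs only the openssl command-line tool.

```shell
#!/bin/sh
# demo_mtls_pki.sh: added example, not from the original page. It builds a
# throwaway CA, a server certificate and a client certificate with "openssl ca"
# (the page's steps 1-4) in a private directory instead of /etc/pki, then
# checks what nginx's ssl_verify_client will rely on. DNs and the hostname mirror
# the page; file names, extension section names and the p12 password are assumed.
set -e

CA_DN='/C=cn/ST=gd/L=gz/O=ca/OU=ca/CN=mail.ca.cn'
SERVER_DN='/C=cn/ST=gd/L=gz/O=me/OU=me/CN=lvs.xxx.com'
CLIENT_DN='/C=cn/ST=gd/L=gz/O=me/OU=me/CN=client1'
P12_PASS=changeit   # demo password for client.p12

# Self-contained openssl.cnf: what the page edits in /etc/pki/tls/openssl.cnf.
write_ca_config() {
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
policy = policy_anything   # stock policy_match would reject O=me under an O=ca CA
x509_extensions = server_ext
unique_subject = no
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
prompt = no
distinguished_name = req_dn
x509_extensions = ca_ext
[ req_dn ]
commonName = placeholder   # overridden by -subj below
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:lvs.xxx.com   # browsers match the SAN, not the CN
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Key + CSR + signature by the CA, with the extension section for the role.
# (-days on "openssl req -new" is ignored; default_days above sets the lifetime.)
issue_cert() {  # $1=dir $2=name $3=subject $4=extension section
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -config "$1/ca.cnf" -key "$1/$2.key" -subj "$3" -out "$1/$2.csr"
  openssl ca -batch -notext -config "$1/ca.cnf" -extensions "$4" \
    -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1   # drop the redirects to debug
}

build_demo_pki() {  # $1 = empty directory to populate
  mkdir -p "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  write_ca_config "$1"
  # Unencrypted keys: nginx must read server.key at startup (or use ssl_password_file).
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$1/ca.cnf" -key "$1/ca.key" -subj "$CA_DN" \
    -days 3650 -out "$1/ca.crt"
  issue_cert "$1" server "$SERVER_DN" server_ext
  issue_cert "$1" client "$CLIENT_DN" client_ext
  openssl pkcs12 -export -in "$1/client.crt" -inkey "$1/client.key" -name client1 \
    -passout "pass:$P12_PASS" -out "$1/client.p12"   # what the browser imports
}

# Same check nginx performs on a presented certificate: it must chain to ca.crt
# and be allowed for the purpose. Prints OK or FAIL.
check_cert() {  # $1=dir $2=certificate file $3=sslserver|sslclient
  if openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

# CN of the certificate inside client.p12 (what nginx exposes in $ssl_client_s_dn).
p12_client_cn() {
  openssl pkcs12 -in "$1/client.p12" -passin "pass:$P12_PASS" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

main() {
  pki=$(mktemp -d)
  build_demo_pki "$pki"
  echo "server.crt for a TLS server: $(check_cert "$pki" server.crt sslserver)"  # OK
  echo "client.crt for a TLS client: $(check_cert "$pki" client.crt sslclient)"  # OK
  echo "server.crt for a TLS client: $(check_cert "$pki" server.crt sslclient)"  # FAIL (EKU)
  echo "CN in client.p12: $(p12_client_cn "$pki")"                              # client1
  echo "files left in $pki"
}
case "${0##*/}" in demo_mtls_pki.sh) main ;; esac   # sourcing only defines functions
```

Run it as sh demo_mtls_pki.sh; it prints the four checks and leaves the files in a temporary directory. From there, ca.crt is what goes into ssl_client_certificate, server.crt and server.key into ssl_certificate and ssl_certificate_key, and client.p12 is what the browser imports. The FAIL line is the point of the extendedKeyUsage split: with ssl_verify_client on, nginx will not accept a certificate just because the right CA signed it, so issuing server and client certificates with different EKUs keeps a leaked server certificate from doubling as a client credential.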