根据此博客(http://blog.csdn.net/rosw/article/details/3441187) 加以改进
1) 创建一个CA根证书
2) 创建一个自签名的服务器证书
3) 设置Nginx
4) 创建客户端证书
1. 找到openssl 目录下的openssl.cnf. 打开并加以修改, 上面博客是自己新建了一个CA配置,我是直接在CA_default上修改的.
dir = /etc/ssl/private
private_key = $dir/ca.key
certificate = $dir/ca.crt
default_days = 3650
new_certs_dir = $dir
#crlnumber = $dir/crlnumber
commonName = optional
2)
创建一个新的CA根证书
在/etc/ssl 目录下新建一个private文件夹
下面的几个脚本我都放在/etc/ssl目录下
new_ca.sh:
#!/bin/sh
# Generate the key.
openssl genrsa -out private/ca.key
# Generate a certificate request.
openssl req -new -key private/ca.key -out private/ca.csr
# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.
# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this
# service will never see the light of an unencrypted Internet see the cheap and lazy remark.
# So self sign our root key.
openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.
echo FACE > private/serial
# Create the CA's key database.
touch private/index.txt
# Create a Certificate Revocation list for removing 'user certificates.'
openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7
拷贝以上代码上不要多加回车
执行 sh new_ca.sh 生成新的CA证书, 这里我是一路回车,在让你输入密码时,才输入
3)
生成服务器证书的脚本
new_server.sh:
# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.
openssl genrsa -out private/server.key
# Take our key and create a Certificate Signing Request for it.
openssl req -new -key private/server.key -out private/server.csr
# Sign this bastard key with our bastard CA key.
openssl ca -in private/server.csr -cert private/ca.crt -keyfile private/ca.key -out private/server.crt
执行 sh new_server.sh 生成新服务器的证书, 这里我是一路回车,在让你输入密码时,才输入
4)
配置 nginx 的ssl支持
我的配置如下:
# HTTPS server
#
server {
listen 443;
server_name localhost;
# 打开ssl
ssl on;
# 上一步生成的服务器证书
ssl_certificate /etc/ssl/private/server.crt;
# 服务器证书公钥
ssl_certificate_key /etc/ssl/private/server.key;
# 客户端证书签名 也就是第二步生成的CA签名证书
ssl_client_certificate /etc/ssl/private/ca.crt;
# ssl session 超时
ssl_session_timeout 5m;
# 打开SSL客户端校验 (双向证书检测)
ssl_verify_client on;
#ssl_protocols SSLv2 SSLv3 TLSv1;
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
root /var/www/nginx-default;
index index.html index.htm;
}
启动你的nginx ,等待客户连接
5)
现在来生成客户端证书
新建 new_client.sh:
#!/bin/sh
# The base of where our SSL stuff lives.
base="/etc/ssl/private"
# Were we would like to store keys... in this case we take the username given to us and store everything there.
mkdir -p $base/users/$1/
# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.
openssl genrsa -des3 -out $base/users/$1/$1.key 1024
# Create a Certificate Signing Request for said key.
openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr
# Sign the key with our CA's key and cert and create the user's certificate out of it.
openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt
# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.
# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.
# Take the same precaution with the export password that would take with any other password based authentication scheme.
openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12
执行之前需要把/etc/ssl/private/index.txt 文件删除,重新建立一个新的,
即 rm -f index.txt, touch index.txt 否则以下命令会失败. 每次创建新客户端时都要这样做
执行 sh new_client.sh yourname 来生成一个 yourname 的client证书
按照提示一步一步来,这里要注意的是客户证书的几个项目要和根证书匹配
也就是第一步时配置的: 如果你之前一路回车的话,就不需要担心这个
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
不一致的话无法生成最后的客户证书
6)
发送上一步生成的 yourname.p12 到客户端。
IE下双击安装就可以导入。
FireFox安装 :
Go into preferences.
Advanced.
View Certificates.
Import.
Enter master password for FireFox (if you don't have one set one here otherwise stolen laptop = easy access).
Enter in the export password given to you by the dude who created your cert.
Hit OK like a mad man.
打开网站会弹出对话框来要求你选择使用哪个证书,选择刚才安装的证书。选择接受服务器证书。现在你可以正常访问服务器拉。如果没弄对的话就会出现400 Bad request certification的错误
利用 SOAPUI 进行WEB-SERVICE测试
把P12文件转换成 jks文件
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -deststoretype JKS -destkeystore keystore.jks
接着在preferrence-ssl settings- keystore browse and keystore password and selected client authenticated
相关推荐
Nginx双向SSL认证配置详细步骤
Vue项目结果build编译后,放在Nginx的html文件夹内,替换该配置文件,就可以在Nginx服务器上运行Vue项目
主要介绍了详解Nginx SSL快速双向认证配置(脚本),小编觉得挺不错的,现在分享给大家,也给大家做个参考。一起跟随小编过来看看吧
Windows下Nginx配置SSL实现Https访问(包含证书生成)
nginx配置https ssl 安全协议nginx配置https ssl 安全协议
主要介绍了Nginx配置SSL自签名证书的方法,小编觉得挺不错的,现在分享给大家,也给大家做个参考。一起跟随小编过来看看吧
nginx配置示例SSL
linux安装nginx并支持ssl,使得服务器支持证书签名,提升应用的安全性
本资源是一个 CentOS 下对 Nginx + Tomcat 配置 SSL 实现服务器 / 客户端双向认证配置示例。详细如何配置请参考博客《图文:CentOS 下对 Nginx + Tomcat 配置 SSL 实现服务器 / 客户端双向认证》,地址是:...
linux下nginx配置ssl,配置内网ip访问,配置内网域名访问。配置相同网站http重定向到https
用keytool生成证书,双向SSL认证配置的方法,以Tomcat举例。包含步骤:一、为服务器生成证书;二、为客户端生成证书;三、让服务器信任客户端证书;四、让客户端信任服务器证书。
实现nginx双活+双向SSL认证+高并发+安全加固+会话共享+主被动健康探测部署
linux nginx双向认证服务搭建tomcat ssl 步骤
docker构建nginx双向认证https服务器。 openssl命令生成双向认证自签名证书。 nginx配置https(tls)服务。 浏览器访问服务器需要导入客户端证书到浏览器中。
nginx配置,SSL证书配置文件,通过数字证书管理服务购买并签发SSL证书后,将已签发的证书下载到本地,并根据需要将证书安装到要使用证书的环境,配置之后就可以https访问,
nginx.conf的配置访问ssl证书
nginx配置+https
nginx 配置ssl 示例
完整的 thinkphp nginx php fpm ssl 配置
nginx和tomcat配置SSL和负载均衡配置,