nginx配置SSL双向认证

SSL双向认证

1.安装nginx

rpm -ivh http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm

yum install nginx

2.配置openssl

vim /etc/pki/tls/openssl.cnf
[ req_distinguished_name ]
countryName                     = Country Name(2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = ZJ
localityName                    = Locality Name (eg, city)
localityName_default            = HZ
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Tech
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Org

确保以上字段在证书,服务端证书,客户端证书一致。

创建证书的私钥
cd /etc/pki/CA/private
umask 077
openssl genrsa -out cakey.pem 2048
生成自签证书
cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
PS:填坑
openssl ca -in nginx.csr -out nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140311870949192:error:0D066096:asn1 encoding     routines:a2i_ASN1_INTEGER:short line:f_int.c:215:

生成过程中遇到了该错误,用一下代码解决:

cd /etc/pki/CA
echo "00" >serial
cat serial
创建服务器证书
mask 077
openssl genrsa -out nginx.key 1024
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650
创建客户端证书
umask 077
openssl genrsa -out client.key 1024
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
PS:填坑
failed to update database
TXT_DB error number 2

该错误是因为多次生成证书造成/etc/pki/CA/index.txt存在

rm -rf /etc/pki/CA/index.txt
touch /etc/pki/CA/index.txt
问题解决

生成完成后进行证书类型转换

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
配置nginx服务器验证
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_verify_client on; ##双向认证
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_certificate      nginx.crt;
ssl_certificate_key  nginx.key;
ssl_client_certificate /etc/pki/CA/cacert.pem;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
配置本地证书
client.p12下载到本地导入即可。
原文链接:http://www.yunops.top/2015/07/10/nginx%E9%85%8D%E7%BD%AESSL%E5%8F%8C%E5%90%91%E8%AE%A4%E8%AF%81/