Environment: CA host: 192.168.42.132; server (NGINX): 192.168.42.134; client (generates the client certificate and p12 file, which is imported into the browser): 192.168.42.128
1. One-way authentication
The client uses the information returned by the server to verify the server's legitimacy, including:
If verification passes, communication continues; otherwise it is terminated.
The one-way authentication process:
1. On the CA host:
# Generate the CA private key
openssl genrsa -out private/ca.test.private.key 1024
# Generate the root certificate request; the domain name is ca.admin
openssl req -new -key private/ca.test.private.key -out private/ca.test.request.csr
# Generate the root certificate
openssl x509 -req -days 3655 -in private/ca.test.request.csr -signkey private/ca.test.private.key -out private/ca.test.sign.crt
# Generate the certificate revocation list
openssl ca -gencrl -out private/ca.test.revocation.crt -crldays 7
2. On the server:
# Generate the server private key
openssl genrsa -out server/server.key 1024
# Generate the server certificate request
openssl req -new -key server/server.key -out server/server.csr
# Send the server's certificate request to the CA for signing
openssl ca -in server/server.csr -cert private/ca.test.sign.crt -keyfile private/ca.test.private.key -out server/server.crt
Configure nginx accordingly:
# HTTPS server
server {
    listen 443 ssl;
    #server_name a.server;
    ssl_certificate /home/lianggaohua/ca/server/server.crt;       # server certificate file
    ssl_certificate_key /home/lianggaohua/ca/server/server.key;   # server private key
    #ssl_client_certificate /home/lianggaohua/ca/server/ca.test.sign.crt;   # CA certificate used to verify client certificates
    #ssl_verify_client off;   # set to on when client certificates must be verified
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
    location /ngx_status {
        stub_status on;
        access_log off;
    }
}
Import the CA certificate into the browser. Then, when the server returns its certificate and public key, the client can authenticate it against the imported CA certificate.
2. Two-way authentication
The client uses the information returned by the server to verify the server's legitimacy, including:
If verification passes, communication continues; otherwise it is terminated.
3. On the client, generate a certificate request and send it to the CA for signing
# Generate a passphrase-protected client private key; passphrase 000000
openssl genrsa -des3 -out client.key 2048
# Generate the certificate request; the domain name must match the server's
openssl req -new -key client.key -out client.csr
# Hand it to the CA for signing
openssl ca -days 1800 -in client/client.csr -cert private/ca.test.sign.crt -keyfile private/ca.test.private.key -out client/client.crt
# Combine the client's private key and the certificate returned by the CA into a p12 file
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Import the p12 file into the browser to complete the two-way authentication setup.
Configure different ports in nginx so that each authentication mode serves a different page:
server {
    listen 443 ssl;
    #server_name b.client;
    ssl_certificate /home/lianggaohua/ca/server/server.crt;
    ssl_certificate_key /home/lianggaohua/ca/server/server.key;
    ssl_client_certificate /home/lianggaohua/ca/server/ca.test.sign.crt;
    ssl_verify_client on;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html1;
        index index.html index.htm;
    }
    location /ngx_status {
        stub_status on;
        access_log off;
    }
}
server {
    listen 8443 ssl;
    #server_name b.client;
    ssl_certificate /home/lianggaohua/ca/server/server.crt;
    ssl_certificate_key /home/lianggaohua/ca/server/server.key;
    ssl_verify_client off;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
    location /ngx_status {
        stub_status on;
        access_log off;
    }
}
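The CA, server and client steps above, and what the `ssl_verify_client on` block actually enforces, can be exercised end to end without a browser. The script below is an added example, not part of the original post: it rebuilds the same CA -> server -> client chain non-interactively (`openssl req -subj`, `openssl ca -batch` with a minimal config written into a scratch directory, so the post's `openssl ca` calls work without the system openssl.cnf), exports the p12, and then runs the checks nginx performs: a CA-signed client certificate verifies against `ssl_client_certificate`, a self-signed certificate with the same CN does not, and a certificate revoked via the post's `openssl ca -gencrl` CRL fails once the CRL is consulted. Note that nginx only consults that CRL if `ssl_crl` is set; the post's config does not set it. Assumptions: `openssl` 1.1 or later in PATH, 2048-bit keys instead of the post's 1024, passphrase 000000 for the client key as in the post, and the directory layout (private/, server/, client/) under a temporary directory passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original post): rebuilds the post's CA/server/client
# chain and checks what nginx's ssl_verify_client and ssl_crl would check.
# Assumes openssl in PATH; all paths live under the directory given as $1.
set -eu

# Minimal openssl.cnf so `openssl ca` and `openssl req` run without the system config.
write_ca_config() {
    dir=$1
    mkdir -p "$dir/private" "$dir/server" "$dir/client" "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    echo 01 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $dir
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/private/ca.test.sign.crt
private_key      = \$dir/private/ca.test.private.key
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

# CA key + self-signed root, server cert, passphrase-protected client cert and p12.
build_pki() {
    dir=$1
    write_ca_config "$dir"
    # CA: key and self-signed root (the post signs a CSR with -signkey; same result)
    openssl genrsa -out "$dir/private/ca.test.private.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3655 -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/private/ca.test.private.key" -subj "/CN=ca.admin" \
        -out "$dir/private/ca.test.sign.crt" 2>/dev/null
    # Server: key, CSR, CA-signed certificate
    openssl genrsa -out "$dir/server/server.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -key "$dir/server/server.key" \
        -subj "/CN=a.server" -out "$dir/server/server.csr" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -in "$dir/server/server.csr" \
        -out "$dir/server/server.crt" >/dev/null 2>&1
    # Client: des3-encrypted key (passphrase 000000), CSR, CA-signed cert, p12 for the browser
    openssl genrsa -des3 -passout pass:000000 -out "$dir/client/client.key" 2048 2>/dev/null
    openssl req -new -config "$dir/ca.cnf" -key "$dir/client/client.key" -passin pass:000000 \
        -subj "/CN=b.client" -out "$dir/client/client.csr" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -days 1800 -in "$dir/client/client.csr" \
        -out "$dir/client/client.crt" >/dev/null 2>&1
    openssl pkcs12 -export -clcerts -in "$dir/client/client.crt" -inkey "$dir/client/client.key" \
        -passin pass:000000 -passout pass:000000 -out "$dir/client/client.p12" 2>/dev/null
}

# Self-signed certificate with the real client's CN: ssl_verify_client on must reject it.
make_rogue_client() {
    dir=$1
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/ca.cnf" \
        -subj "/CN=b.client" -keyout "$dir/client/rogue.key" -out "$dir/client/rogue.crt" 2>/dev/null
}

# Revoke the client certificate and regenerate the CRL (the post's `openssl ca -gencrl` step).
revoke_client() {
    dir=$1
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/client/client.crt" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 7 \
        -out "$dir/private/ca.test.revocation.crl" >/dev/null 2>&1
}

# 0 if $2 chains to the CA $1 (what nginx checks with ssl_client_certificate).
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if $3 chains to CA $1 and is absent from CRL $2 (what nginx checks once ssl_crl is set).
verify_with_crl() {
    openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
}
```

Source the file and call `build_pki "$(mktemp -d)"`, then `verify_against_ca` with the resulting `private/ca.test.sign.crt` and `client/client.crt`; after `revoke_client`, `verify_with_crl` against `private/ca.test.revocation.crl` fails for the client certificate while the server certificate still passes. The rogue certificate is the case that matters for the `listen 443` block: `ssl_verify_client on` accepts a client only if its certificate chains to the file in `ssl_client_certificate`, not merely because the CN matches.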