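How SSL works
The four-step SSL handshake
HTTP over SSL is used as the example.
A user on a personal PC wants to use China Merchants Bank's online banking and will enter sensitive information such as the card number and password. The data must therefore be transmitted encrypted (symmetric encryption is used for the bulk data), and the user must be certain that the other end really is the China Merchants Bank website.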
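Client                                   HTTPS Server
1. The client first sends an SSL request to the server asking for a secure session: prove your identity, and let the two of us negotiate which symmetric encryption algorithm, digital signature algorithm and so on we are going to use.
----------------->
2. The HTTPS server receives the request and answers the client by sending it S's certificate (the server certificate).
<----------------
3. The client has to verify S's certificate. The client holds the CA's certificate and uses it to verify S's certificate (first whether it can be decrypted with the CA's key, that is, whether the CA's signature checks out, then whether the identifier [server domain name / host name] matches).
The client then generates a symmetric encryption KEY, encrypts the KEY with S's public key and sends it to the server.
------------------->
4. The HTTPS server decrypts it with its own private key to obtain the KEY. It generates some random data, encrypts it with the KEY and sends it to the client.
<--------------------
From then on both sides encrypt the page data with the KEY and transfer it securely.
<--------------------->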
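Issuing certificates from your own CA, step by step:
1. First generate the server-side private key (the key file):
# cd /usr/local/nginx/conf/ssl
# openssl genrsa -des3 -out server.key 2048
The command prompts for a passphrase, which is used to encrypt the key file (the des3 parameter selects the encryption algorithm; you can of course choose another algorithm you consider secure). From then on, every read of this file (through the commands or the API that openssl provides) requires the passphrase. If you find that inconvenient you can remove the passphrase, but you must then protect the file by other means!
Command to remove the passphrase from the key file:
# openssl rsa -in server.key -out server.key
Note: once this command has been run, starting NGINX does not require a passphrase.
2. Use server.key to generate a certificate signing request: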
[root@mail ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:uplooking
Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
Email Address []:liuyonglong@120.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
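This generates the Certificate Signing Request (CSR). Once the CA has signed the resulting csr file, it becomes the server's own certificate. Supply the basic server certificate information as prompted.
3. Run the same commands for the client to generate its key and csr files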
[root@mail ssl]# openssl genrsa -des3 -out client.key 2048
[root@mail ssl]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:uplooking
Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
Email Address []:liuyonglong@120.net
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
4. A CSR has to be signed by a CA before it becomes a certificate. Here we create our own CA; this step produces a key file, ca.key, and a root certificate, ca.crt.
[root@mail ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'sfnca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:ca
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:mail.ca.cn
Email Address []:admin@ca.cn
Preparation before signing:
[root@mail ssl]# vim /etc/pki/tls/openssl.cnf
#dir = ../../CA        # change this line to the following
dir = /etc/pki/CA
[root@mail ssl]# touch /etc/pki/CA/{index.txt,serial}   # create the files that openssl.cnf expects
[root@mail ssl]# echo 01 > /etc/pki/CA/serial
[root@mail ssl]# mkdir /etc/pki/CA/newcerts
5. Use the CA certificate just created (ca.crt) to sign the server.csr and client.csr files generated earlier
[root@mail ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Nov 29 03:48:44 2010 GMT
Not After : Nov 29 03:48:44 2011 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
organizationName = uplooking
organizationalUnitName = uplooking
commonName = lvs.xxx.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
02:B3:76:13:64:EB:04:D2:6C:9E:72:86:F5:A3:CE:84:19:EA:C6:DB
X509v3 Authority Key Identifier:
keyid:25:F6:E6:C4:5D:AD:02:DA:76:9F:74:FF:E4:0F:CC:45:55:CC:06:A7
Certificate is to be certified until Nov 29 03:48:44 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@mail ssl]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key   # signing steps are the same as above
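In addition, this certificate is in Base64 form and has to be converted to PKCS12 before it can be installed in IE/Netscape; once converted, double-clicking the file installs it. The conversion is as follows:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
This is the certificate format that iOS requires.
openssl x509 -in client.crt -out client.cer
This is the certificate format that Android requires.
[root@mail ssl]# openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key: // passphrase of the client private key
Enter Export Password: // password that will be required when the pfx file is imported
Verifying - Enter Export Password:
Files used by the client: ca.crt, client.crt, client.key, client.pfx
Files used by the server: ca.crt, server.crt, server.key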
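The issuing procedure in steps 1 to 5, together with the checks a peer performs in handshake step 3, as an added example that is not from the original article: it runs non-interactively in a temporary directory, uses `openssl x509 -req` in place of `openssl ca` so that /etc/pki is not touched, and sets a subjectAltName because current clients match the host name against that field rather than the Common Name. The host name lvs.example.test, the CA name, the pki.cnf file and the function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the article. Names are constructed; keys are left
# unencrypted (-nodes) only because this is a throwaway demonstration.
set -eu

build_pki() (   # $1 = empty working directory
    cd "$1"
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_server]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = DNS:lvs.example.test
[v3_client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
    # Step 4: own CA (ca.key and self-signed ca.crt)
    openssl req -config pki.cnf -new -x509 -newkey rsa:2048 -nodes -days 365 \
        -extensions v3_ca -subj "/C=CN/O=ca/CN=Example Test CA" \
        -keyout ca.key -out ca.crt 2>/dev/null
    for name in server client; do
        # Steps 1-3: key and CSR. Step 5: the CA signs the CSR.
        openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
            -subj "/C=CN/O=uplooking/OU=$name/CN=lvs.example.test" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
            -days 365 -extfile pki.cnf -extensions "v3_$name" -out "$name.crt" 2>/dev/null
    done
)

# Signature chains to ca.crt and the certificate is valid for $3 (sslserver|sslclient).
chain_ok() { openssl verify -CAfile "$1/ca.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1; }
# The host name the client asked for ($3) is present in the certificate.
host_ok() { openssl verify -CAfile "$1/ca.crt" -verify_hostname "$3" "$1/$2.crt" >/dev/null 2>&1; }
# nginx fails to load a certificate whose public key differs from the key file's.
key_matches() {   # $1 = certificate, $2 = private key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

d=$(mktemp -d) && build_pki "$d"
chain_ok "$d" server sslserver && host_ok "$d" server lvs.example.test && echo "server.crt: chain, purpose and host name OK"
chain_ok "$d" client sslserver || echo "client.crt: rejected as a server certificate"
```

The extendedKeyUsage split is what makes the last line print: a certificate issued for clientAuth does not pass as a server certificate even though the same CA signed it.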
Configure nginx as follows:
ssl on;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
#ssl_client_certificate ssl/client/client.crt ;
ssl_client_certificate ssl/ca.crt;   # CA certificate
ssl_verify_client on;                # enable client certificate (two-way) authentication
#ssl_protocols SSLv2 SSLv3 TLSv1;
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#ssl_prefer_server_ciphers on;
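Installing and using the certificates: install the certificates generated above, the root certificate ca.crt and the client certificate client.crt (client.pfx), on the client.
Install ca.crt into the trusted authorities store; client.crt can be installed directly in Windows or placed in the personal certificate store.
Then access the HTTP and HTTPS servers by IP. In IE we normally import the client.pfx certificate;
the import prompts for the password set above: 123456
Test: https://lvs.xxx.com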