Generating the Nginx server SSL certificate and client certificates

Nginx server SSL certificate

Generate the pass key

The command below generates a 2048-bit pass key; -passout pass:111111 supplies the passphrase so that no interactive password prompt is needed.

[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:111111 -out server.pass.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
.....................+++
e is 65537 (0x10001)

Generate the key

The command below produces the private key server.key (the same key with the passphrase removed); -passin pass:111111 must match the pass key's password, again avoiding the interactive prompt.

[tomcat@a02 tmp]$ openssl rsa -passin pass:111111 -in server.pass.key -out server.key
writing RSA key

Generate the certificate signing request (CSR)

The command below generates the CSR file; you are prompted for the organization details. The CN must be the server's domain name. The challenge password asked for at the end is the password of this CSR.

[tomcat@a02 tmp]$ openssl req -new -sha256 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:iSomeone     
Common Name (eg, your name or your server's hostname) []:internal.someone.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:222222
An optional company name []:

Send the CSR to the CA provider for signing

If you bought an SSL certificate from a CA provider, this step is simply sending the CSR to the provider. When the certificate comes back, write its contents to the file server.pem.

Configure it in Nginx like this:

server {
    listen       443;
    server_name  www.example.com;

    ssl                  on;
    ssl_certificate      /path/to/ssl/server.pem;
    ssl_certificate_key  /path/to/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_session_cache shared:ssl_www_example_com:5m;
    ssl_session_timeout  5m;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA;
    #...
    location / {
        #...
    }
    #...
}

Make a self-signed certificate

If you intend to use a self-signed certificate instead, run the following to generate the pem certificate:

[tomcat@a02 tmp]$ openssl x509 -req -sha256 -days 3655 -in server.csr -signkey server.key -out server.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=iSomeone/CN=internal.someone.com
Getting Private key

 

Nginx client certificate verification

Client certificate verification in Nginx is actually independent of the server SSL certificate: you can use a CA-issued server certificate while using client certificates you made yourself.

Generate the server-side private key (the CA key)

[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out ca.pass.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................................................................................+++
...................................+++
e is 65537 (0x10001)

[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in ca.pass.key -out ca.key
writing RSA key

 

Generate the server-side certificate

The command below generates the server-side certificate ca.pem, which is the one configured into nginx.

[tomcat@a02 tmp]$ openssl req -new -x509 -days 3655 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:iSomeone
Common Name (eg, your name or your server's hostname) []:internal.someone.com
Email Address []:

Generate the client private key

[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out client_01.pass.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
.....+++
e is 65537 (0x10001)

[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in client_01.pass.key -out client_01.key
writing RSA key

Generate the client certificate signing request (CSR)

[tomcat@a02 tmp]$ openssl req -new -key client_01.key -out client_01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:Staff
Common Name (eg, your name or your server's hostname) []:Staff
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:201907
An optional company name []:

Issue the client certificate

The command below uses the server-side private key and server-side certificate to sign the client's CSR, producing the client certificate. Note the -set_serial 01 argument: if you issue several client certificates, this number must not repeat.

[tomcat@a02 tmp]$ openssl x509 -req -days 3655 -in client_01.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client_01.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=Staff/CN=Staff
Getting CA Private Key

Client certificate format conversion

The certificate generated above cannot be used directly by common applications; it has to be converted into the format the application needs.

Full PEM:

[tomcat@a02 tmp]$ cat client_01.key client_01.pem ca.pem > client_01.full.pem

PFX: the export password entered here is the password the application asks for when importing the PFX certificate.

[tomcat@a02 tmp]$ openssl pkcs12 -export -out client_01.full.pfx -inkey client_01.key -in client_01.pem -certfile ca.pem
Enter Export Password:
Verifying - Enter Export Password:
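The CA, client-key, CSR, signing and PFX steps above can be run without any interactive prompts, and the result can be checked the same way nginx will check it (does the client certificate chain to ca.pem?). The script below is an added example, not code from the original post; it assumes openssl is on PATH, and the subject fields, file names and the serial counter file are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: the same CA / client-certificate
# flow as above run non-interactively, plus the check nginx will perform.
# Assumes openssl on PATH; subjects, file names and the counter file are
# constructed for this example.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for all generated files
CA_SUBJ="/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=iSomeone/CN=internal.someone.com"

# 1. CA key and self-signed CA certificate (the post's ca.key / ca.pem).
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3655 -key "$WORK/ca.key" \
        -subj "$CA_SUBJ" -out "$WORK/ca.pem"
}

# 2. Issue one client certificate. The serial is taken from a counter file, so
#    repeated runs never reuse a -set_serial value (the caveat in the post).
issue_client() {                      # $1 = file prefix, $2 = CN
    name=$1; cn=$2; counter="$WORK/serial.txt"
    [ -f "$counter" ] || echo 0 > "$counter"
    serial=$(( $(cat "$counter") + 1 )); echo "$serial" > "$counter"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$WORK/$name.key" \
        -subj "/C=CN/O=HenSomeone/OU=Staff/CN=$cn" -out "$WORK/$name.csr"
    openssl x509 -req -sha256 -days 3655 -in "$WORK/$name.csr" \
        -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -set_serial "$serial" \
        -out "$WORK/$name.pem" 2>/dev/null
}

# 3. Bundle key + cert + CA into a PFX without the interactive password prompt.
export_pfx() {                        # $1 = file prefix, $2 = export password
    openssl pkcs12 -export -inkey "$WORK/$1.key" -in "$WORK/$1.pem" \
        -certfile "$WORK/ca.pem" -passout "pass:$2" -out "$WORK/$1.pfx"
}

# 4. What ssl_verify_client checks: does the certificate chain to ca.pem?
verify_client() {                     # $1 = file prefix; exit 0 if it chains
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
}

# Serial as openssl prints it, e.g. "serial=01".
client_serial() {
    openssl x509 -in "$WORK/$1.pem" -noout -serial
}
```

Run `make_ca`, then `issue_client client_01 Staff` for each client; a certificate that was self-signed (the server.pem flow above) rather than signed by ca.key fails `verify_client`, which is exactly why nginx would reject it.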

 

Configure client certificate verification in Nginx

ssl_client_certificate /path/to/ca.pem;
ssl_verify_client optional; # or `on` to require a client certificate; with `optional`, connections without a valid certificate are still accepted and $ssl_client_verify must be checked in the config