- Making your own SSL certificates for mutual (two-way) authentication
References: http://gaoming.blog.51cto.com/822334/1239902
http://seanlook.com/2015/05/28/nginx-ssl/
http://www.w2bc.com/article/42333
- Making the server certificate
Commands:
openssl genrsa -des3 -out server.key 2048
openssl rsa -in server.key -out server.key # this strips the pass phrase; otherwise restarting nginx and the like prompts for it. Fine as long as the key file itself is kept secure.
openssl req -new -key server.key -out server.csr
[root@7-node2 ssl]# openssl rsa -in server.key -out server.key
Error opening Private Key server.key
140434819610528:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('server.key','r')
140434819610528:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:
unable to load Private Key
[root@7-node2 ssl]# ls
[root@7-node2 ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................................................+++
...+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[root@7-node2 ssl]# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
[root@7-node2 ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:fj
Locality Name (eg, city) [Default City]:xiamen
Organization Name (eg, company) [Default Company Ltd]:hanfeishi
Organizational Unit Name (eg, section) []:feishi
Common Name (eg, your name or your server's hostname) []:ssss.xingou.net.cn
Email Address []:ssss2@abc.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@7-node2 ssl]# openssl req -days 365 -new -x509 -keyout ca.key -out ca.crt
Generating a 2048 bit RSA private key
..............................................................+++
...........................................................+++
writing new private key to 'ca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:fj
Locality Name (eg, city) [Default City]:xiamen
Organization Name (eg, company) [Default Company Ltd]:hanfeishi
Organizational Unit Name (eg, section) []:han
Common Name (eg, your name or your server's hostname) []:ssss.xingou.net.cn
Email Address []:ssss2@abc.com
[root@7-node2 ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 10 (0xa)
Validity
Not Before: Aug 8 09:57:18 2016 GMT
Not After : Aug 8 09:57:18 2017 GMT
Subject:
countryName = cn
stateOrProvinceName = fj
organizationName = hanfeishi
organizationalUnitName = feishi
commonName = ssss.xingou.net.cn
emailAddress = ssss2@abc.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
FF:8C:8B:B9:18:48:94:34:D7:E2:3F:98:EB:70:27:FF:B9:85:D6:5E
X509v3 Authority Key Identifier:
keyid:52:D3:EA:C5:FC:2B:D0:E8:44:AC:67:4C:6A:8B:DF:2E:E0:4C:60:97
Certificate is to be certified until Aug 8 09:57:18 2017 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@7-node2 ssl]# ll
total 24
-rw-r--r-- 1 root root 1411 Aug 8 17:57 ca.crt
-rw-r--r-- 1 root root 1834 Aug 8 17:57 ca.key
-rw-r--r-- 1 root root 4614 Aug 8 17:57 server.crt
-rw-r--r-- 1 root root 1054 Aug 8 17:56 server.csr
-rw-r--r-- 1 root root 1679 Aug 8 17:55 server.key
[root@7-node2 ssl]# ll -h
total 24K
-rw-r--r-- 1 root root 1.4K Aug 8 17:57 ca.crt
-rw-r--r-- 1 root root 1.8K Aug 8 17:57 ca.key
-rw-r--r-- 1 root root 4.6K Aug 8 17:57 server.crt
-rw-r--r-- 1 root root 1.1K Aug 8 17:56 server.csr
-rw-r--r-- 1 root root 1.7K Aug 8 17:55 server.key
- Generating the CA root certificate
openssl req -days 365 -new -x509 -keyout ca.key -out ca.crt
The information entered should match what was entered for the server, except that Organizational Unit Name (eg, section) []:han and the email address must not be the same.
Use the CA to issue the server-side and client-side crt:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
- Generating the client certificate
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr
Fill in the same values as for the server, except that Organizational Unit Name (eg, section) []:han and the email must not be the same. Otherwise no crt file is produced and it reports:
failed to update database
TXT_DB error number 2
Script for generating a client certificate (takes the client name as its only argument):
[root@7-node1 ]# cat create_client_ssl.sh
#!/bin/sh
# usage: ./create_client_ssl.sh <client-name>   (run in the directory holding ca.crt and ca.key)
openssl genrsa -des3 -out $1.key 2048 && \
openssl req -days 365 -new -key $1.key -out $1.csr && \
openssl ca -in $1.csr -out $1.crt -cert ca.crt -keyfile ca.key && \
openssl pkcs12 -export -in $1.crt -inkey $1.key -out $1.pfx
- Generating a pfx file so the certificates can be imported on Windows
Preparation before generating:
[root@mail ssl]# touch /etc/pki/CA/{index.txt,serial} # create the database files that openssl.cnf expects
[root@mail ssl]# echo 01 > /etc/pki/CA/serial
[root@mail ssl]# mkdir /etc/pki/CA/newcerts
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
openssl pkcs12 -export -in ca.crt -inkey ca.key -out ca.pfx
On Windows, import ca.pfx and client.pfx: ca.pfx goes under Trusted Root Certification Authorities, and client.pfx can simply go under Personal.
[root@7-node2 ssl]# openssl pkcs12 -export -in xingou2.crt -inkey xingou2.key -out xingou2.pfx
Enter pass phrase for xingou2.key:
Enter Export Password: # this password is required when importing and exporting.
Verifying - Enter Export Password:
[root@7-node2 ssl]#
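The four sections above (server key and CSR, CA root, client certificate, pfx export) are one procedure, and the post's commands are interactive. The script below is an added example, not the post's own create_client_ssl.sh: it runs the same openssl steps unattended (-nodes, -subj and -batch replace the prompts), uses a small self-contained config instead of /etc/pki/tls/openssl.cnf, verifies that server.crt and client.crt chain to ca.crt, and then reproduces the refusal behind the post's "TXT_DB error number 2" by submitting a second CSR with the same DN as the client. It assumes openssl 1.1.1 or newer on PATH, an empty working directory as its argument, and uses the post's sample DN values plus a constructed export password (changeit).

```shell
#!/bin/sh
# Added example, not the post's own script: builds the post's mutual-TLS material
# (root CA, server cert, client cert, client .pfx) without interactive prompts, checks
# the chain, and reproduces the duplicate-subject refusal the post warns about.
# Assumptions: openssl 1.1.1+ on PATH; $1 is an empty working directory; DN values
# and file names are the post's sample values, not production settings.

# Minimal stand-in for /etc/pki/tls/openssl.cnf. index.txt/serial/newcerts are the
# files the post prepares under /etc/pki/CA. unique_subject = yes (the default) is
# what makes a second CSR with an identical DN fail; the "match" policy fields are why
# the post says to enter the same C/ST/O as the server. Fields absent from the policy
# (L=xiamen) are dropped from the issued certificate, as in the post's output.
write_ca_config() {  # $1 = working dir
    cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir             = $1
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
serial          = \$dir/serial
certificate     = \$dir/ca.crt
private_key     = \$dir/ca.key
default_md      = sha256
default_days    = 365
policy          = demo_policy
unique_subject  = yes
x509_extensions = end_entity
[ demo_policy ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ end_entity ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always
EOF
}

SUBJ_BASE="/C=cn/ST=fj/L=xiamen/O=hanfeishi"

make_csr() {  # $1 = dir, $2 = name, $3 = OU, $4 = email; writes $2.key (no pass phrase) and $2.csr
    openssl req -new -newkey rsa:2048 -nodes -config "$1/openssl.cnf" \
        -keyout "$1/$2.key" -out "$1/$2.csr" \
        -subj "$SUBJ_BASE/OU=$3/CN=ssss.xingou.net.cn/emailAddress=$4" 2>/dev/null
}

sign_csr() {  # $1 = dir, $2 = name; the post's `openssl ca -in X.csr -out X.crt`, unattended
    openssl ca -batch -notext -config "$1/openssl.cnf" -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null \
        && [ -s "$1/$2.crt" ] && openssl x509 -noout -in "$1/$2.crt" 2>/dev/null
}

build_mtls_pki() {  # $1 = empty working dir; returns 0 once CA, server and client files exist
    dir=$1
    { mkdir -p "$dir/newcerts" && : > "$dir/index.txt" && echo 01 > "$dir/serial"; } || return 1
    write_ca_config "$dir"
    # 1. Self-signed root CA (the post's `openssl req -days 365 -new -x509`)
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$dir/openssl.cnf" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "$SUBJ_BASE/OU=han/CN=ssss.xingou.net.cn/emailAddress=ca@abc.com" 2>/dev/null || return 1
    # 2. Server and 3. client: key + CSR, issued by the CA; the client gets a distinct OU/email
    { make_csr "$dir" server feishi server@abc.com && sign_csr "$dir" server; } || return 1
    { make_csr "$dir" client feishi-client client@abc.com && sign_csr "$dir" client; } || return 1
    # 4. PKCS#12 bundle for Windows import; -passout supplies the post's "Export Password"
    openssl pkcs12 -export -in "$dir/client.crt" -inkey "$dir/client.key" \
        -out "$dir/client.pfx" -passout pass:changeit 2>/dev/null || return 1
}

verify_chain() {  # $1 = dir, $2 = name; prints OK when $2.crt chains to ca.crt
    openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 && echo OK
}

sign_duplicate_subject() {  # $1 = dir; prints "refused" when the CA rejects a repeated DN
    # Identical DN to the client entry already in index.txt: the situation behind the
    # post's "failed to update database / TXT_DB error number 2".
    make_csr "$1" client2 feishi-client client@abc.com || return 1
    if sign_csr "$1" client2; then echo signed; else echo refused; fi
}

# Stand-alone usage: sh mtls_pki.sh /tmp/demo-pki
if [ -n "${1:-}" ]; then
    build_mtls_pki "$1" && echo "server: $(verify_chain "$1" server)" \
        && echo "client: $(verify_chain "$1" client)" && echo "duplicate DN: $(sign_duplicate_subject "$1")"
fi
```

The duplicate-DN refusal is a property of the CA database, not of the certificate itself: either give each client a distinct DN, as the post does by varying the OU and email, or set unique_subject = no in the CA section when several certificates for the same subject are intended (for example a renewal before the old one is revoked).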
- nginx configuration
nginx does not build the ssl module by default; add --with-http_ssl_module when configuring the build.
listen 443;
server_name ydyd.com;
index index.html;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /application/nginx/conf/ssl/server.crt;
ssl_certificate_key /application/nginx/conf/ssl/server.key;
ssl_client_certificate /application/nginx/conf/ssl/ca.crt;
ssl_verify_client on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
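The server block above reflects what a 2016 build accepted: `ssl on;` (deprecated in nginx 1.15.0 and removed in 1.25.1), TLSv1, and RC4/3DES/MD5 cipher suites. As an added example, not the post's configuration, here is the same block with only the protocol, cipher and listen settings changed so that it loads on a current nginx and is negotiable by current clients; it assumes nginx 1.15 or newer built against OpenSSL 1.1.1 or newer and keeps the post's file paths and the same mutual-authentication directives.

```nginx
server {
    # `listen ... ssl` replaces the post's `ssl on;` directive
    listen 443 ssl;
    server_name ydyd.com;
    index index.html;

    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; the suites below are the
    # ECDHE/AEAD ones an RSA server key can use, replacing RC4-SHA, DES-CBC3-SHA and RC4-MD5
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    ssl_certificate     /application/nginx/conf/ssl/server.crt;
    ssl_certificate_key /application/nginx/conf/ssl/server.key;

    # Mutual authentication, unchanged from the post: only client certificates issued by
    # ca.crt are accepted. Depth 1 is enough because ca.crt signs client.crt directly.
    ssl_client_certificate /application/nginx/conf/ssl/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}
```

After `nginx -t` passes, `$ssl_client_s_dn` and `$ssl_client_serial` (set by ngx_http_ssl_module once the client handshake succeeds) can be added to a log_format so that each request is attributable to the client certificate that presented it.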
Original article: Making your own SSL certificates for mutual authentication (自己制作ssl证书实现双向认证). Please credit the source when reposting!