Nginx: configure SSL bi-directional (mutual) authentication

Source: Internet
Author: User
Tags: openssl, nginx, server

1. Install Nginx (not covered here; see the linked article)

http://www.jb51.net/article/49479.htm

2. Use OpenSSL to set up a certificate authority (CA)
Because a private CA is being built with OpenSSL, make sure the following fields are identical in the CA certificate, the server certificate and the client certificates:
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name

Edit the CA configuration file
vim /etc/pki/tls/openssl.cnf

[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = FJ
localityName = Locality Name (eg, city)
localityName_default = FZ
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Zdz
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = Zdz

Create the CA private key
cd /etc/pki/CA/private
(umask 077; openssl genrsa -out cakey.pem 2048)
Generate the self-signed CA certificate
cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
openssl ca (used in steps 3 and 4) also expects its certificate database and serial file to exist before the first certificate is signed:
touch index.txt
echo 01 > serial

3. Create the server certificate
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
(umask 077; openssl genrsa -out nginx.key 1024)
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650

4. Create a client (browser) certificate
(umask 077; openssl genrsa -out client.key 1024)
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
Convert the PEM certificate and its private key into a PKCS#12 file that can be imported into a browser:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
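The following script is an added example, not part of the original article: it runs steps 2, 3 and 4 end to end in a scratch directory instead of /etc/pki/CA, using a minimal openssl.cnf with the same CA_default layout, and then checks the result with openssl verify. The hostnames, the CA name and the PKCS#12 password are constructed demo values; it uses 2048-bit keys and SHA-256 throughout where the article uses 1024-bit keys for the server and client. The policy_match section is what makes openssl ca enforce the "fields must be identical" rule from step 2, and the extendedKeyUsage values are why the client certificate cannot be presented as a server certificate and vice versa.

```shell
#!/bin/sh
# Added example, not from the original page: sections 2-4 run end to end in a
# scratch directory instead of /etc/pki/CA. Hostnames and the PKCS#12 password
# are constructed demo values; keys are 2048-bit RSA signed with SHA-256.
set -eu
WORK="${WORK:-$(mktemp -d)}"
DN_BASE="/C=CN/ST=FJ/L=FZ/O=Zdz/OU=Zdz"   # fields the page says must match everywhere

# Minimal openssl.cnf with the CA_default layout the page edits. policy_match is
# what makes openssl ca reject a request whose C/ST/L/O/OU differ from the CA's.
write_config() {
    cat > "$WORK/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $WORK/ca
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 3650
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = match
organizationName       = match
organizationalUnitName = match
commonName             = supplied
[ req ]
prompt             = no
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
C  = CN
ST = FJ
L  = FZ
O  = Zdz
OU = Zdz
CN = demo-ca
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Section 2: CA directory, database files, CA key, self-signed CA certificate.
build_ca() {
    write_config
    mkdir -p "$WORK/ca/newcerts" "$WORK/ca/private"
    : > "$WORK/ca/index.txt"      # empty issued-certificate database
    echo 01 > "$WORK/ca/serial"   # next serial number to issue
    (umask 077; openssl genrsa -out "$WORK/ca/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$WORK/openssl.cnf" -days 3655 \
        -key "$WORK/ca/private/cakey.pem" -out "$WORK/ca/cacert.pem" \
        -subj "$DN_BASE/CN=demo-ca"
}

# Sections 3 and 4: key, CSR, CA-signed cert.  Usage: issue_cert NAME EXT_SECTION CN
issue_cert() {
    (umask 077; openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null)
    openssl req -new -config "$WORK/openssl.cnf" -key "$WORK/$1.key" \
        -out "$WORK/$1.csr" -subj "$DN_BASE/CN=$3"
    openssl ca -batch -notext -config "$WORK/openssl.cnf" -extensions "$2" \
        -days 3650 -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

# Section 4: PKCS#12 bundle for the browser (password is a constructed demo value).
export_p12() {
    openssl pkcs12 -export -clcerts -in "$WORK/client.crt" -inkey "$WORK/client.key" \
        -out "$WORK/client.p12" -passout pass:demo-password
}

# Check: does the CA validate CERT for PURPOSE (sslserver or sslclient)?
verify_for() {
    openssl verify -CAfile "$WORK/ca/cacert.pem" -purpose "$2" "$1" >/dev/null 2>&1
}

build_ca
issue_cert nginx  server_cert www.example.com
issue_cert client client_cert browser-user
export_p12
for c in nginx.crt client.crt; do
    openssl verify -CAfile "$WORK/ca/cacert.pem" "$WORK/$c"   # prints "<file>: OK"
done
echo "Artifacts for sections 5 and 6 are in $WORK (client.p12 goes to the browser)"
```

Running it leaves nginx.crt, nginx.key, cacert.pem and client.p12 in the scratch directory, which map onto the paths used in step 5. verify_for with -purpose sslserver succeeds for nginx.crt and fails for client.crt, and the reverse holds for -purpose sslclient; nginx performs the same kind of check against ssl_client_certificate when ssl_verify_client is turned on in step 6.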

5. Configure Nginx server authentication (one-way TLS first)
vim /usr/local/nginx/conf/nginx.conf
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
#ssl_verify_client on; # verification of the client by the server is left disabled for now, so that a client without a certificate can still connect and one-way authentication can be confirmed first
ssl_protocols SSLv2 SSLv3 TLSv1;

Open the site in the browser and accept the self-signed server certificate:
Click "I Understand the Risks"
Click "Add Exception"
Click "Confirm Security Exception"

6. Configure two-way authentication
Enable ssl_verify_client on; in the nginx configuration.
A client browser that has no certificate installed is now rejected when it tries to access the site.
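As an added example that is not from the original article, this is the complete server block that steps 5 and 6 assemble, with client verification enabled. The certificate paths are the article's; the hostname, the backend address and the header names are assumptions. It replaces the deprecated ssl on; with listen 443 ssl; and drops SSLv2/SSLv3/TLSv1, which are not enabled in current OpenSSL builds, in favour of TLSv1.2 and TLSv1.3.

```nginx
# Added example (not from the original page): mutual-TLS server block.
server {
    listen 443 ssl;                  # replaces the deprecated "ssl on;"
    server_name www.example.com;     # assumed hostname

    ssl_certificate        /usr/local/nginx/ssl/nginx.crt;
    ssl_certificate_key    /usr/local/nginx/ssl/nginx.key;
    ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;  # CA that issued client certs
    ssl_verify_client      on;       # step 6: a connection without a valid client cert fails
    ssl_verify_depth       1;        # client certs are issued directly by the CA
    ssl_session_timeout    5m;
    ssl_protocols          TLSv1.2 TLSv1.3;   # instead of SSLv2 SSLv3 TLSv1

    location / {
        # Pass the authenticated identity to the backend and keep it in logs;
        # header names are assumptions.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:8080;    # assumed backend
    }
}
```

After nginx -t and a reload, a request without a certificate is refused during the handshake, while a client presenting client.crt and client.key (for example openssl s_client -connect www.example.com:443 -cert client.crt -key client.key -CAfile cacert.pem) completes it; $ssl_client_verify is SUCCESS for such connections.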


Import the certificate into the client browser

Download the client certificate (client.p12) generated on the Linux server to the Windows machine.

Open the Firefox Advanced tab.

In Certificate Manager, under "Your Certificates", click Import.

Select the certificate file and import it.

Refresh the web page again; Firefox prompts for confirmation of the certificate to use. Click OK and two-way authentication is complete.
