The previous article introduced some basics of SSL two-way (mutual) authentication and used nginx + PHP to build an HTTPS-based WebService.
That method only implemented the 1:1 mode, a single client certificate. Yesterday my colleagues went on to implement the N:1 mode, so I am recording it here as well.
Because nginx's ssl_client_certificate parameter can only point at one client public key, every time a new client is added for communication the server configuration has to be changed.
The N:1 mode is implemented with a CA certificate chain: first generate your own CA root certificate, then use it to sign second-level certificates that serve as the client certificates.
In this mode the signature made with the client private key is still verified with the corresponding client public key, but the client certificate that carries that key is in turn verified with the public key of the root certificate, so the server only needs the root certificate to check every client.
With that in mind, here is how to do it:
1. Preparation
1.1 OpenSSL directory preparation
Generally the OpenSSL configuration files live in /etc/pki/tls, so:
mkdir /etc/pki/ca_linvo
cd /etc/pki/ca_linvo
mkdir root server client newcerts
echo 01 > serial
echo 01 > crlnumber
touch index.txt
1.2 OpenSSL configuration preparation
Modify the OpenSSL configuration:
vi /etc/pki/tls/openssl.cnf
Comment out this line and replace it with the one below it:
# default_ca = CA_default
default_ca = CA_linvo
Copy the entire [ CA_default ] section and rename the copy to the name used above, [ CA_linvo ].
In that copy modify the following parameters:
dir = /etc/pki/ca_linvo
certificate = $dir/root/ca.crt
private_key = $dir/root/ca.key
Save and exit.
2. Create the CA root certificate
Generate the key: openssl genrsa -out /etc/pki/ca_linvo/root/ca.key
Generate the CSR: openssl req -new -key /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/root/ca.csr
Generate the CRT: openssl x509 -req -days 3650 -in /etc/pki/ca_linvo/root/ca.csr -signkey /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/root/ca.crt
Generate the CRL: openssl ca -gencrl -out /etc/pki/ca_linvo/root/ca.crl -crldays 7
The generated root-level certificate files are in the /etc/pki/ca_linvo/root/ directory.
Note: when creating a certificate we recommend a certificate password of at least 6 characters, because the Java keytool seems to require that.
3. Create the server certificate
Generate the key: openssl genrsa -out /etc/pki/ca_linvo/server/server.key
Generate the CSR: openssl req -new -key /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.csr
Generate the CRT: openssl ca -in /etc/pki/ca_linvo/server/server.csr -cert /etc/pki/ca_linvo/root/ca.crt -keyfile /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/server/server.crt -days 3650
Notes:
1. The CRT generated this way is a second-level certificate under the CA root certificate just created. In practice the server certificate is mainly used for ordinary one-way HTTPS, so you can also skip the chain and self-sign it (the first command rewrites the key without a passphrase):
openssl rsa -in /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.key
openssl x509 -req -in /etc/pki/ca_linvo/server/server.csr -signkey /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.crt -days 3650
2. The validity period of the certificate is set with the -days parameter; the default is 365 days.
4. Create the client certificate
Generate the key: openssl genrsa -des3 -out /etc/pki/ca_linvo/client.key 1024
Generate the CSR: openssl req -new -key /etc/pki/ca_linvo/client.key -out /etc/pki/ca_linvo/client.csr
Generate the CRT: openssl ca -in /etc/pki/ca_linvo/client.csr -cert /etc/pki/ca_linvo/root/ca.crt -keyfile /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/client.crt -days 3650
Notes:
1. Here you must use a chained (CA-signed) certificate. Repeat this step to create as many client certificates as you need.
2. The following error may occur when the CRT is generated:
openssl txt_db error number 2 failed to update database
Refer to the linked article for the workarounds. I used method 1: set unique_subject = no in index.txt.attr.
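The whole chain of sections 2 to 4, as an added shell example that is not the article's own script: it builds a throwaway CA in a temporary directory whose openssl.cnf mirrors the [ CA_linvo ] section, issues several client certificates from it, and shows that the single root ca.crt (what nginx gets in ssl_client_certificate) verifies each of them while a certificate from outside the CA is rejected. It assumes the openssl binary is installed, uses 2048-bit keys and non-interactive -subj/-batch flags, and skips key passphrases so it can run unattended.

```shell
# Added example, not the article's own script: build a throwaway CA in a temp
# directory mirroring the [CA_linvo] section, issue several client certs from
# it, and show that root ca.crt alone verifies each while an outside cert fails.
set -e
# make_ca DIR: minimal openssl.cnf, CA database files and a self-signed root
# under DIR (stand-in for /etc/pki/ca_linvo; 2048-bit key, no passphrase).
make_ca() {
  mkdir -p "$1/root" "$1/newcerts"; : > "$1/index.txt"; echo 01 > "$1/serial"
  echo 'unique_subject = no' > "$1/index.txt.attr"   # the txt_db error fix from section 4
  cat > "$1/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_linvo
[ CA_linvo ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/root/ca.crt
private_key = \$dir/root/ca.key
default_md = sha256
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  openssl genrsa -out "$1/root/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$1/root/ca.key" -subj "/CN=Test Root CA" \
    -config "$1/openssl.cnf" -out "$1/root/ca.crt"
}
# issue_client DIR NAME: the three steps of section 4 (key, CSR, CA-signed cert).
issue_client() {
  openssl genrsa -out "$1/$2.key" 2048 2>/dev/null
  openssl req -new -key "$1/$2.key" -subj "/CN=$2" -config "$1/openssl.cnf" -out "$1/$2.csr"
  openssl ca -batch -config "$1/openssl.cnf" -days 3650 -in "$1/$2.csr" -out "$1/$2.crt" >/dev/null 2>&1
}
# client_ok DIR CERT: the check nginx makes with ssl_client_certificate = root/ca.crt.
client_ok() { openssl verify -CAfile "$1/root/ca.crt" "$2" >/dev/null 2>&1; }
# rogue_rejected DIR: a self-signed cert from outside the CA must fail that check.
rogue_rejected() {
  openssl req -new -x509 -nodes -newkey rsa:2048 -subj "/CN=rogue" -config "$1/openssl.cnf" \
    -keyout "$1/rogue.key" -out "$1/rogue.crt" 2>/dev/null
  ! client_ok "$1" "$1/rogue.crt"
}
```

Each issued certificate also appears as a V line in index.txt, which is the database that the txt_db error in section 4 is about.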
5. Configure nginx
Only the key parts of the server block are listed here:
ssl_certificate /etc/pki/ca_linvo/server/server.crt; # server public key
ssl_certificate_key /etc/pki/ca_linvo/server/server.key; # server private key
ssl_client_certificate /etc/pki/ca_linvo/root/ca.crt; # root-level certificate public key, used to verify every second-level client certificate
ssl_verify_client on;
Restart nginx.
6. Testing
6.1 Browser test
Because of the two-way authentication, opening the HTTPS address in a browser returns 400 Bad Request (No required SSL certificate was sent). The client certificate must be installed on the local machine. Certificates installed on Windows must be in PFX (or P12) format, generated as follows:
openssl pkcs12 -export -inkey /etc/pki/ca_linvo/client.key -in /etc/pki/ca_linvo/client.crt -out /etc/pki/ca_linvo/client.pfx
On Windows, double-click the PFX file to install it. During installation you are prompted for the password set when the certificate was generated. After installation succeeds, restart the browser and enter the URL. The browser may ask you to choose a certificate; select the one you just installed. Some browsers will warn that the certificate is untrusted and the site is insecure. That is because our server certificate is issued by ourselves rather than by an authoritative CA (usually very expensive ~); ignore it.
6.2 PHP curl test
Only the key curl parameters to set are listed here:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  // trust any certificate; it does not matter that it was not issued by a known CA
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);      // check that the domain name is set in the certificate; set it to 0 to skip the check (current libcurl rejects 1; use 2 for the full hostname check)
curl_setopt($ch, CURLOPT_VERBOSE, '1');           // debug mode, makes errors easier to find
curl_setopt($ch, CURLOPT_SSLCERT, CLIENT_CRT);    // path to client.crt; I use a constant here
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, CRT_PWD); // client certificate password
curl_setopt($ch, CURLOPT_SSLKEY, CLIENT_KEY);     // path to client.key
If the page comes back blank with nothing returned, check whether the certificate or the password is set correctly.
6.3 PHP SOAP test
First you need to build the client's PEM certificate. You could use an OpenSSL command for that, but since we already have the CRT and the key it is easy to merge them by hand:
Create a new file, copy in the base64 content of client.crt including the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines, then copy the content of client.key including the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines after it, and save the file as client.pem.
Or simply run the following command to concatenate the two files directly:
cat /etc/pki/ca_linvo/client.crt /etc/pki/ca_linvo/client.key > /etc/pki/ca_linvo/client.pem
With the PEM file you can call the service with PHP's built-in SoapClient; the constructor's second parameter must be set:
$header = array(
    'local_cert' => CLIENT_PEM, // path to client.pem
    'passphrase' => CRT_PWD     // client certificate password
);
$client = new SoapClient(FILE_WSDL, $header); // FILE_WSDL is the HTTPS address to be accessed
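The checks behind sections 6.2 and 6.3, as an added shell example that is not from the article: when curl or SoapClient returns a blank page, the usual causes are a key that does not belong to the certificate, a wrong passphrase, or a client.pem missing one of its two blocks. It assumes the openssl binary is installed and works on a constructed self-signed client.crt/client.key pair in a temporary directory rather than on /etc/pki/ca_linvo/client.*.

```shell
# Added example, not from the article: before blaming curl or SoapClient for a
# blank page, check that client.crt and client.key belong together, that the
# passphrase opens the key, and that the merged client.pem holds both blocks.
# Works on a constructed self-signed pair in DIR instead of /etc/pki/ca_linvo.
set -e
# make_test_pair DIR PASS: constructed stand-in for the article's client files,
# key encrypted with PASS as "genrsa -des3" does; a tiny config avoids prompts.
make_test_pair() {
  printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = CN\n' > "$1/req.cnf"
  openssl req -x509 -newkey rsa:2048 -days 30 -subj "/CN=client1" -config "$1/req.cnf" \
    -passout "pass:$2" -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
  cat "$1/client.crt" "$1/client.key" > "$1/client.pem"   # the merge from section 6.3
}
# key_opens DIR PASS: exit 0 only if PASS decrypts client.key (the CRT_PWD value).
key_opens() { openssl rsa -in "$1/client.key" -passin "pass:$2" -noout 2>/dev/null; }
# pair_matches DIR PASS: exit 0 only if the public key inside client.crt equals the
# one derived from client.key; on a mismatch curl cannot load the pair and returns nothing.
pair_matches() {
  c=$(openssl x509 -in "$1/client.crt" -noout -pubkey)
  k=$(openssl rsa -in "$1/client.key" -passin "pass:$2" -pubout 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}
# pem_complete DIR: client.pem must carry both the certificate and the key block.
pem_complete() {
  grep -q 'BEGIN CERTIFICATE' "$1/client.pem" && grep -q 'PRIVATE KEY' "$1/client.pem"
}
```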
In the last blog post, setting local_cert with a remote WSDL path raised an error, apparently because the client certificate was not used when the WSDL was first fetched, and the WSDL file had to be saved locally first;
however, in this test it works fine: you do not need to save it as a local file and can fetch it remotely directly.
I thought it was a problem with the previous certificate, but the previous certificate still works, which is very strange ~~~~~