Nginx SSL two-way authentication and HTTPS certificate configuration tutorial (illustrated)

Source: Internet
Author: User
Tags: openssl, centos, nginx, server, ssl certificate

1. Install nginx

How to install and configure Nginx on CentOS:
http://www.111cn.net/sys/CentOS/80387.htm

How to install nginx on Windows:
http://www.111cn.net/wy/156/38731.htm

2. Set up a certificate authority (CA) with openssl

Because openssl is used to set up a private CA, make sure that the following subject fields are identical in the CA certificate, the server certificate and the client certificate (the CA's signing policy matches on them):
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name


Edit the CA configuration file:
vim /etc/pki/tls/openssl.cnf

[ CA_default ]
dir             = /etc/pki/CA
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several certificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem # The private key
RANDFILE        = $dir/private/.rand    # private random number file

[ req_distinguished_name ]
countryName                     = Country Name (2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = FJ
localityName                    = Locality Name (eg, city)
localityName_default            = FZ
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = zdz
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = zdz

Create the CA private key:
cd /etc/pki/CA/private
(umask 077; openssl genrsa -out cakey.pem 2048)

Generate the self-signed CA certificate:
cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655

3. Create the server certificate

mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
(umask 077; openssl genrsa -out nginx.key 1024)
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650

4. Create the client (browser) certificate

(umask 077; openssl genrsa -out client.key 1024)
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
Convert the PEM certificate into a PKCS#12 file that a browser can import:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
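Steps 2 to 4 above, carried out end to end as an added shell script (this is not part of the original tutorial). It builds a throw-away CA under a temporary directory with its own minimal openssl.cnf instead of editing /etc/pki/tls/openssl.cnf, so it can be run without touching the system CA. It also covers two points the tutorial leaves implicit: `openssl ca` refuses to sign until index.txt and serial exist, and an issued certificate should carry an extendedKeyUsage so that a client certificate cannot be presented as a server certificate (the script checks this with `openssl verify -purpose`). Keys are 2048-bit rather than the tutorial's 1024-bit; the subject values, the hostname nginx.example.test, the export password and the function names setup_ca, issue_cert, verify_cert and demo are assumptions made for the example.

```shell
#!/bin/sh
# Private CA + server and client certificates, the tutorial's steps 2-4.
# Added example; paths, names and subject values are constructed.
set -eu

# Subject fields shared by CA, server and client (the tutorial's rule).
SUBJ_BASE="/C=CN/ST=FJ/L=FZ/O=zdz/OU=zdz"
P12_PASS="changeit"   # placeholder export password for the .p12 bundle

# setup_ca <dir>: create the CA layout, config, key and self-signed cert
setup_ca() {
    CA_DIR="$1"
    mkdir -p "$CA_DIR/certs" "$CA_DIR/crl" "$CA_DIR/newcerts" "$CA_DIR/private"
    chmod 700 "$CA_DIR/private"
    : > "$CA_DIR/index.txt"          # openssl ca needs both files to exist
    echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir            = $CA_DIR
certs          = \$dir/certs
crl_dir        = \$dir/crl
database       = \$dir/index.txt
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
serial         = \$dir/serial
private_key    = \$dir/private/cakey.pem
default_days   = 3650
default_md     = sha256
policy         = policy_match
unique_subject = no

# Enforce "same C/ST/L/O as the CA" when signing, as the tutorial requires.
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied

[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca

[ req_distinguished_name ]
countryName = Country Name (2 letter code)

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:nginx.example.test

[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
    (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$CA_DIR/openssl.cnf" \
        -key "$CA_DIR/private/cakey.pem" -out "$CA_DIR/cacert.pem" \
        -days 3655 -subj "$SUBJ_BASE/CN=Private Root CA"
}

# issue_cert <name> <extension section> <CN>: key, CSR, then CA-signed cert
issue_cert() {
    name="$1"; ext="$2"; cn="$3"
    (umask 077; openssl genrsa -out "$CA_DIR/$name.key" 2048 2>/dev/null)
    openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/$name.key" \
        -out "$CA_DIR/$name.csr" -subj "$SUBJ_BASE/CN=$cn"
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -extensions "$ext" \
        -in "$CA_DIR/$name.csr" -out "$CA_DIR/$name.crt" -days 3650 2>/dev/null
}

# verify_cert <file> <sslserver|sslclient>: 0 if the cert chains to the CA
# and its extensions allow that purpose, non-zero otherwise.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/cacert.pem" -purpose "$2" "$1" >/dev/null 2>&1
}

# demo [dir]: build everything; returns 0 only if the server cert verifies as
# a server cert, the client cert as a client cert, and the client cert is
# rejected as a server cert.
demo() {
    setup_ca "${1:-$(mktemp -d)}"
    issue_cert nginx  server_cert nginx.example.test
    issue_cert client client_cert alice
    verify_cert "$CA_DIR/nginx.crt"  sslserver || return 1
    verify_cert "$CA_DIR/client.crt" sslclient || return 1
    ! verify_cert "$CA_DIR/client.crt" sslserver || return 1
    # Browser-importable bundle, as in the tutorial's step 4
    openssl pkcs12 -export -clcerts -in "$CA_DIR/client.crt" \
        -inkey "$CA_DIR/client.key" -out "$CA_DIR/client.p12" -passout "pass:$P12_PASS"
}

if [ "${1:-}" = run ]; then demo && echo "certificates written to $CA_DIR"; fi
```

Run it as `sh mkca.sh run`; the directory it prints contains cacert.pem (for nginx's ssl_client_certificate), nginx.key/nginx.crt and client.p12. The `-purpose` checks are what separate a certificate that merely chains to the CA from one that is allowed for a given role: with the tutorial's commands, which add no extensions, the two certificates are interchangeable.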

5. Configure the nginx server certificate

vim /usr/local/nginx/conf/nginx.conf
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
# ssl_verify_client on;
ssl_protocols SSLv2 SSLv3 TLSv1;
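The snippet above enables SSLv2 and SSLv3 and leaves client verification commented out (step 6 turns it on). As an added example, not part of the original tutorial, the script below lints such a snippet for those weak settings and shows a hardened counterpart beside the tutorial's version: TLS 1.2/1.3 only, `ssl_verify_client on`, and `listen 443 ssl` instead of the `ssl` directive, which nginx deprecated in 1.15.0. Both configs are constructed samples and the function names directive and lint_tls_config are assumptions.

```shell
#!/bin/sh
# Lint an nginx TLS snippet for the weak settings in the tutorial's step 5.
# Added example; both snippets below are constructed samples.

# The tutorial's settings: SSLv2/SSLv3/TLSv1 enabled, client verification
# commented out, and the obsolete "ssl on;" directive.
WEAK_CONF='
    ssl on;
    ssl_certificate        /usr/local/nginx/ssl/nginx.crt;
    ssl_certificate_key    /usr/local/nginx/ssl/nginx.key;
    ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
    ssl_session_timeout 5m;
    # ssl_verify_client on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
'

# Hardened counterpart: TLS 1.2/1.3 only, client certificate required, chain
# depth limited to the private CA, "listen ... ssl" instead of "ssl on".
HARDENED_CONF='
    listen 443 ssl;
    ssl_certificate        /usr/local/nginx/ssl/nginx.crt;
    ssl_certificate_key    /usr/local/nginx/ssl/nginx.key;
    ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
    ssl_verify_client on;
    ssl_verify_depth 1;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
'

# directive <conf> <name>: value of the first uncommented <name> directive
# without the trailing ';', or nothing if it is absent or commented out.
directive() {
    printf '%s\n' "$1" | sed 's/#.*//' | awk -v d="$2" '
        $1 == d {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")
            sub(/;[[:space:]]*$/, "")
            print; exit
        }'
}

# lint_tls_config <conf>: prints one line per finding; returns 1 if there is
# any finding, 0 if the snippet passes.
lint_tls_config() {
    findings=0
    protos=$(directive "$1" ssl_protocols)
    case " $protos " in
        *SSLv2*|*SSLv3*|*" TLSv1 "*|*" TLSv1.1 "*)
            echo "weak ssl_protocols: $protos"; findings=1 ;;
    esac
    case "$(directive "$1" ssl_verify_client)" in
        on) ;;
        *) echo "ssl_verify_client is not 'on': clients are not authenticated"
           findings=1 ;;
    esac
    [ -n "$(directive "$1" ssl_client_certificate)" ] ||
        { echo "ssl_client_certificate missing: no CA to check clients against"; findings=1; }
    [ "$(directive "$1" ssl)" != on ] ||
        { echo "'ssl on;' is deprecated since nginx 1.15.0; use 'listen 443 ssl;'"; findings=1; }
    return "$findings"
}

if [ "${1:-}" = run ]; then
    echo "== tutorial snippet";  lint_tls_config "$WEAK_CONF"     || echo "-> FAIL"
    echo "== hardened snippet";  lint_tls_config "$HARDENED_CONF" && echo "-> PASS"
fi
```

Running `sh lint.sh run` reports three findings for the tutorial's snippet and none for the hardened one. To lint a real server block, pass the file contents: `lint_tls_config "$(cat /usr/local/nginx/conf/nginx.conf)"`. The checks are deliberately plain grep-style matching on directives; they are meant for a quick review, not a replacement for `nginx -t` or a full TLS scanner.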

Open the site in Firefox. The browser warns that the certificate is not trusted (screenshots not preserved):

Click "I understand the risks"

Click "Add exception"

Click "Confirm security exception"

6. Configure two-way verification

Enable ssl_verify_client on; in the nginx configuration.

Access the site again (screenshot not preserved).

Import the certificate in the client browser:

Download the client certificate (client.p12) generated on the Linux server to Windows.

Open the Firefox Advanced tab.

In the certificate manager, click Import.

Select and import the certificate.

Refresh the page. Click "OK" in the pop-up window; two-way verification is now in effect.
