[Graphic] nginx configuration ssl two-way authentication and nginx https ssl certificate Configuration tutorial

1. Install nginx

How to install and configure Nginx in centos
Http://www.111cn.net/sys/CentOS/80387.htm

How to install nginx in windows
Http://www.111cn.net/wy/156/38731.htm

2. Use openssl to implement the certificate center

Because openssl is used to set up a private certificate center, make sure that the following fields are the same in the certificate center, server certificate, and client certificate.
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name

 

Edit the certificate center configuration file
Vim/etc/pki/tls/openssl. cnf
[CA_default]
Dir =/etc/pki/CA
Certs = $ dir/certs # Where the issued certs are kept
Crl_dir = $ dir/crl # Where the issued crl are kept
Database = $ dir/index.txt # database index file.
# Unique_subject = no # Set to 'no' to allow creation
# Several ctificates with same subject.
New_certs_dir = $ dir/newcerts # default place for new certs.
Certificate = $ dir/cacert. pem # The CA certificate
Serial = $ dir/serial # The current serial number
Crlnumber = $ dir/crlnumber # the current crl number # must be commented out to leave a V1 CRL
Crl = $ dir/crl. pem # The current CRL
Private_key = $ dir/private/cakey. pem # The private key
RANDFILE = $ dir/private/. rand # private random number file
[Req_distinguished_name]
CountryName = Country Name (2 letter code)
CountryName_default = CN
CountryName_min = 2
CountryName_max = 2
StateOrProvinceName = State or Province Name (full name)
StateOrProvinceName_default = FJ
LocalityName = Locality Name (eg, city)
LocalityName_default = FZ
0. organizationName = Organization Name (eg, company)
0. organizationName_default = zdz
OrganizationalUnitName = Organizational Unit Name (eg, section)
OrganizationalUnitName_default = zdz

Create a certificate private key
Cd/etc/pki/CA/private
(Umask 077; openssl genrsa-out cakey. Pem2048)

Self-generated visa document
Cd/etc/pki/CA/
Openssl req-new-x509-key private/cakey. pem-out cacert. pem-days = 3655

3. Create a server certificate

Mkdir/usr/local/nginx/ssl
Cd/usr/local/nginx/ssl
(Umask 077; openssl genrsa-out nginx. key 1024)
Openssl req-new-key nginx. key-out nginx. csr
Openssl ca-in nginx. csr-out nginx. crt-days = 3650

4. Create a client browser certificate

(Umask 077; Open SSL genrsa-out client. key 1024)
Openssl req-new-key client. key-out client. csr
Openssl ca-in client. csr-out client. crt-days = 3650
Convert a certificate in text format to a certificate that can be imported into a browser
Openssl pkcs12-export-clcerts-in client. crt-inkey client. key-out client. p12

5. Configure nginx server verification

Vim/usr/local/nginx/conf/nginx. conf
Ssl on;
Ssl_certificate/usr/local/nginx/ssl/nginx. crt;
Ssl_certificate_key/usr/local/nginx/ssl/nginx. key;
Ssl_client_certificate/usr/local/nginx/ssl/cacert. pem;
Ssl_session_timeout 5 m;
# Ssl_verify_client on
Ssl_protocols SSLv2 SSLv3 TLSv1;

 

 

Click "I have fully understood possible risks"

 

 

Click "Add exception"

 

 

Click "confirm security exceptions"

 

 

6. Configure two-way verification

Enable ssl_verify_client on in nginx configuration;

Access

 

 

Import certificates in the client browser

 

 

Download the client certificate generated on the Linux server to windows

 

 

Open the Firefox Advanced tab

 

 

In the certificate manager, Click import

 

 

Select and import a certificate

 

 

Refresh the page again. Click "OK" in the pop-up window to implement two-way verification.