1. Install nginx
How to install and configure nginx on CentOS
http://www.111cn.net/sys/CentOS/80387.htm
How to install nginx on Windows
http://www.111cn.net/wy/156/38731.htm
2. Use openssl to set up the certificate authority (CA)
Because openssl is used to set up a private CA, make sure that the following fields are the same in the CA certificate, the server certificate, and the client certificate.
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name
Edit the CA configuration file
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/CA
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
# unique_subject = no # Set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem # The private key
RANDFILE = $dir/private/.rand # private random number file
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = FJ
localityName = Locality Name (eg, city)
localityName_default = FZ
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zdz
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = zdz
Create the CA private key
cd /etc/pki/CA/private
(umask 077; openssl genrsa -out cakey.pem 2048)
Generate the self-signed CA certificate
cd /etc/pki/CA/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
3. Create a server certificate
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
(umask 077; openssl genrsa -out nginx.key 1024)
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650
4. Create a client browser certificate
(umask 077; openssl genrsa -out client.key 1024)
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
Convert the text-format certificate into a PKCS#12 file that can be imported into a browser
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
5. Configure nginx server verification
vim /usr/local/nginx/conf/nginx.conf
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
# ssl_verify_client on;
ssl_protocols SSLv2 SSLv3 TLSv1;
Click "I Understand the Risks"
Click "Add Exception"
Click "Confirm Security Exception"
6. Configure two-way verification
Enable "ssl_verify_client on;" in the nginx configuration.
Access
Import certificates in the client browser
Download the client certificate generated on the Linux server to Windows
Open the Firefox Advanced tab
In the certificate manager, click Import
Select and import a certificate
Refresh the page again. Click "OK" in the pop-up window to implement two-way verification.
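
The following check is an added example, not part of the original tutorial: it reads an nginx server block and reports the settings that weaken the two-way verification configured in steps 5 and 6. The function names (directives, audit_mtls) are hypothetical, and the sample config is constructed from the step 5 directives, with the surrounding server block and listen line assumed.

```python
import re

# Constructed sample: the step 5 directives wrapped in a server block.
SAMPLE_CONF = """
server {
    listen 443;
    ssl on;
    ssl_certificate /usr/local/nginx/ssl/nginx.crt;
    ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
    ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
    ssl_session_timeout 5m;
    # ssl_verify_client on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
}
"""

# Protocol versions deprecated by RFC 6176, RFC 7568 and RFC 8996.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(conf):
    """Map each active (uncommented) simple directive to its argument list.
    Naive on purpose: one directive per line, no '#' inside quoted values."""
    found = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([a-z_]+)\s+([^;{}]+);", line)
        if m:
            found[m.group(1)] = m.group(2).split()
    return found

def audit_mtls(conf):
    """Return findings that weaken two-way (mutual) TLS in this config."""
    d = directives(conf)
    findings = []
    mode = d.get("ssl_verify_client", ["off"])[0]   # nginx default is off
    if mode == "off":
        findings.append("ssl_verify_client off: any client can connect without a certificate")
    elif mode != "on":
        findings.append(f"ssl_verify_client {mode}: certificate not enforced by nginx, "
                        "the application must check $ssl_client_verify")
    if mode in ("on", "optional") and not ({"ssl_client_certificate", "ssl_trusted_certificate"} & set(d)):
        findings.append("no CA file configured to verify client certificates")
    weak = sorted(DEPRECATED & set(d.get("ssl_protocols", [])))
    if weak:
        findings.append("ssl_protocols enables deprecated versions: " + " ".join(weak))
    return findings

if __name__ == "__main__":
    for finding in audit_mtls(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run against the step 5 settings it reports two findings; with ssl_verify_client set to on and ssl_protocols limited to TLSv1.2 and TLSv1.3 it reports none.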