HTTPS: building your own CA and issuing certificates with OpenSSL, Nginx one-way and two-way authentication, and access from Java

Source: Internet
Author: User

0. Environment

Install Nginx and OpenSSL.

1. Configuration and scripting

First create a demo directory (the location is up to you; I chose to create it under the Nginx directory):

mkdir /etc/nginx/ca-demo
cd /etc/nginx/ca-demo

Edit the OpenSSL configuration file openssl.cnf (it may also be named openssl.conf; if you do not know where it is, locate it with find / -name openssl.cnf).

Set the dir property to the directory you created in the previous step. Do not use a relative path, or you will run into problems. Save the file.

I like automation, so I wrote the following three scripts, which can be used directly:

Ca.sh:

#!/bin/bash
# Create the directory structure
touch index.txt serial
chmod 666 index.txt serial
echo 01 > serial
mkdir -p newcerts private

# Generate the RSA key pair
openssl genrsa -des3 -out ./private/cakey.pem 2048
# openssl req -new -days 365 -key ./private/cakey.pem -out ca.csr
# openssl ca -selfsign -in ca.csr -out ca.crt
# One step: build the CSR and CRT directly, valid for 10 years
openssl req -new -x509 -days 3650 -key ./private/cakey.pem -out ca.crt

Server.sh:

#!/bin/bash
# Issue a server certificate
mkdir-out./server/-new-key./ server/-in3650

Client.sh:

#!/bin/bash
# Issue a client certificate
mkdir2048-new-key./client/client.key-out. client/-in"/etc/ssl/openssl.cnf"-export-clcerts-  in./client/client.crt-inkey./client/client.key-out./client/client.p12

All three scripts above can be found at https://github.com/dreamingodd/CA-generation-demo
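
The same CA, server and client issuance flow as the three scripts, written as one non-interactive function that can be run end to end. This is an added example, not the author's scripts from the repository. It writes its own minimal openssl.cnf with an absolute dir instead of editing the system file; the subject names, policy section, PKCS#12 password and unencrypted keys are assumptions.

```shell
#!/bin/bash
# Added example. Assumptions (not from the page): subject names, policy section,
# p12 password, and unencrypted keys (the page's Ca.sh encrypts the CA key with -des3).
set -e

build_demo_ca() {
    local dir="$1" who
    # Relative paths in openssl.cnf are resolved against the current working
    # directory, so insist on an absolute path for "dir".
    case "$dir" in /*) ;; *) echo "dir must be absolute: $dir" >&2; return 1 ;; esac
    mkdir -p "$dir/newcerts" "$dir/private" "$dir/server" "$dir/client"
    chmod 700 "$dir/private"
    : > "$dir/index.txt"; echo 01 > "$dir/serial"
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = $dir
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.crt
private_key = \$dir/private/cakey.pem
default_md = sha256
default_days = 3650
policy = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 -config "$dir/openssl.cnf" \
        -subj "/CN=Demo CA" -keyout "$dir/private/cakey.pem" -out "$dir/ca.crt"
    for who in server client; do
        openssl req -new -newkey rsa:2048 -nodes -config "$dir/openssl.cnf" \
            -subj "/CN=demo-$who" -keyout "$dir/$who/$who.key" -out "$dir/$who/$who.csr"
        openssl ca -batch -config "$dir/openssl.cnf" \
            -in "$dir/$who/$who.csr" -out "$dir/$who/$who.crt"
        openssl verify -CAfile "$dir/ca.crt" "$dir/$who/$who.crt"
    done
    openssl pkcs12 -export -clcerts -passout pass:changeit \
        -in "$dir/client/client.crt" -inkey "$dir/client/client.key" -out "$dir/client/client.p12"
}
```

Call it with an absolute directory, for example `build_demo_ca /tmp/ca-demo`; after the run, `serial` holds 03 and `index.txt` lists the two issued certificates.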

Copy the above three scripts into your own demo directory, as follows:

Add execute permission:

chmod +x *.sh

The results are as follows:

To be continued ...
