SSL bidirectional authentication (HD version)

Source: Internet
Author: User

This article introduces some basics of SSL bidirectional (two-way) authentication and then uses nginx + PHP to build an HTTPS web service on top of it.

The previous post only implemented the 1:1 pattern; yesterday colleagues went on to implement the N:1 model, and here I am going to sort it out.

Since Nginx's ssl_client_certificate directive can only point at one client certificate (public key), every time a new client needs to talk to the server, the server side has to be reconfigured to match it.

The N:1 pattern is implemented with a chained (cascading) CA certificate structure: first generate a root-level CA certificate, then issue second-level certificates signed by that root and use those as the client certificates.

At that point a signature made with a client's private key can be verified not only with that client's own public key, but also, through the chain, with the public key of the root certificate that issued the client certificate, so the server only has to trust the root.

That should make the idea clear; here is a brief walkthrough of the steps:

1 Preparation

1.1 OpenSSL directory preparation

The OpenSSL configuration files normally live in /etc/pki/tls, so create a separate working directory for our CA next to them:

mkdir /etc/pki/ca_linvo
cd /etc/pki/ca_linvo
mkdir root server client newcerts
echo 01 > serial        # initial serial number; openssl ca expects a hex number here, not an empty line
echo 01 > crlnumber     # initial CRL number
touch index.txt         # the CA's certificate database

1.2 OpenSSL configuration preparation

Edit the OpenSSL configuration:

vi /etc/pki/tls/openssl.cnf

Find this line, comment it out, and replace it with the one below:

#default_ca = CA_default
default_ca = CA_linvo

Copy the whole [ CA_default ] section, rename the copy [ CA_linvo ], and change the following parameters inside it:

dir = /etc/pki/ca_linvo
certificate = $dir/root/ca.crt
private_key = $dir/root/ca.key

The remaining entries of the section (new_certs_dir, database, serial, crlnumber) are defined relative to $dir, which is why the matching directory and files were created in step 1.1.

Save and exit.

2 Creating the CA root-level certificate

Generate the key:

openssl genrsa -out /etc/pki/ca_linvo/root/ca.key

Generate the CSR:

openssl req -new -key /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/root/ca.csr

Generate the CRT:

openssl x509 -req -days 3650 -in /etc/pki/ca_linvo/root/ca.csr -signkey /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/root/ca.crt

Generate the CRL:

openssl ca -gencrl -out /etc/pki/ca_linvo/root/ca.crl -crldays 7

The generated root-level certificate files are in the /etc/pki/ca_linvo/root/ directory.

Note: when creating a certificate, it is recommended to set the certificate password to at least 6 characters, because Java's keytool seems to require that.

Note also that OpenSSL 3.x only accepts a root certificate as an issuer when it carries the basicConstraints CA:TRUE extension, which the x509 -req command above does not add; on such systems, add that extension when creating the root, otherwise the client certificates issued below will fail verification.

3 Creating a server certificate

Generate the key:

openssl genrsa -out /etc/pki/ca_linvo/server/server.key

Generate the CSR:

openssl req -new -key /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.csr

Generate the CRT:

openssl ca -in /etc/pki/ca_linvo/server/server.csr -cert /etc/pki/ca_linvo/root/ca.crt -keyfile /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/server/server.crt -days 3650

Notes

1. The CRT generated here is a second-level certificate chained under the CA root certificate. In practice the server certificate is only used to configure ordinary one-way HTTPS, so it does not have to be chained; a self-signed server certificate works as well:

openssl rsa -in /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.key
openssl x509 -req -in /etc/pki/ca_linvo/server/server.csr -signkey /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.crt -days 3650

(The first command rewrites the key without a passphrase so that nginx can load it unattended.)

2. The -days parameter sets the validity period of the certificate as required; the default is 365 days.

4 Creating a client certificate

Generate the key:

openssl genrsa -des3 -out /etc/pki/ca_linvo/client/client.key 1024

Generate the CSR:

openssl req -new -key /etc/pki/ca_linvo/client/client.key -out /etc/pki/ca_linvo/client/client.csr

Generate the CRT:

openssl ca -in /etc/pki/ca_linvo/client/client.csr -cert /etc/pki/ca_linvo/root/ca.crt -keyfile /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/client/client.crt -days 3650

Notes

1. A chained certificate signed by the root must be used here; repeat this step to create as many sets of client certificates as needed. (A 1024-bit RSA key as in the command above is considered too weak today; 2048 bits or more is the usual minimum.)

2. You may encounter the following error when generating the CRT:

failed to update database
TXT_DB error number 2

See here for how to deal with it.

I used method one, adding unique_subject = no to index.txt.attr.
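Here is the whole procedure of sections 1 to 4 as one non-interactive script, added as an example and not taken from the original post. It builds the same layout (root, server, client, newcerts, serial, crlnumber, index.txt and a [ CA_linvo ] section) in a temporary directory instead of /etc/pki/ca_linvo and in its own openssl.cnf instead of /etc/pki/tls/openssl.cnf, issues a server certificate and several client certificates from the one root, and then checks the N:1 property the post relies on: each client certificate verifies against root/ca.crt alone, which is exactly what nginx's ssl_client_certificate uses, while a certificate not issued by that root is rejected. It assumes only the openssl command-line tool; the directory, common names and key sizes are choices made here, and the root is created with basicConstraints CA:TRUE, which newer OpenSSL requires of an issuer.

```shell
#!/bin/sh
# Added example, not code from the original post: the CA procedure of sections
# 1-4 as one script. It uses a throwaway directory in place of /etc/pki/ca_linvo
# and its own openssl.cnf instead of editing /etc/pki/tls/openssl.cnf.
# Assumes only the openssl command-line tool; names and key sizes are our choice.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Section 1: directory layout, counters, database and the [ CA_linvo ] section.
setup_ca_dir() {
    mkdir -p "$CA_DIR/root" "$CA_DIR/server" "$CA_DIR/client" "$CA_DIR/newcerts"
    echo 01 > "$CA_DIR/serial"      # openssl ca needs a hex number here, not an empty line
    echo 01 > "$CA_DIR/crlnumber"
    : > "$CA_DIR/index.txt"
    echo "unique_subject = no" > "$CA_DIR/index.txt.attr"   # the TXT_DB fix from section 4
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_linvo
[ CA_linvo ]
dir             = $CA_DIR
certificate     = \$dir/root/ca.crt
private_key     = \$dir/root/ca.key
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
crlnumber       = \$dir/crlnumber
default_md      = sha256
policy          = policy_cn_only
x509_extensions = usr_cert
[ policy_cn_only ]
commonName      = supplied
[ usr_cert ]
basicConstraints = CA:FALSE
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
}

# Section 2: root key, self-signed root certificate, empty CRL. The root is marked
# CA:TRUE explicitly; OpenSSL 3.x refuses to chain to a root without that extension.
make_root() {
    openssl genrsa -out "$CA_DIR/root/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$CA_DIR/root/ca.key" -subj "/CN=ca_linvo root" \
        -extensions v3_ca -config "$CA_DIR/openssl.cnf" -out "$CA_DIR/root/ca.crt" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -crldays 7 -out "$CA_DIR/root/ca.crl" 2>/dev/null
}

# Sections 3 and 4: key -> CSR -> certificate issued by the root.
# $1 is "server" or "client", $2 is the file name and common name.
issue_cert() {
    kind=$1; name=$2
    openssl genrsa -out "$CA_DIR/$kind/$name.key" 2048 2>/dev/null
    openssl req -new -key "$CA_DIR/$kind/$name.key" -subj "/CN=$name" \
        -config "$CA_DIR/openssl.cnf" -out "$CA_DIR/$kind/$name.csr" 2>/dev/null
    openssl ca -config "$CA_DIR/openssl.cnf" -batch -notext -days 3650 \
        -in "$CA_DIR/$kind/$name.csr" -out "$CA_DIR/$kind/$name.crt" 2>/dev/null
}

# What nginx does with ssl_client_certificate root/ca.crt: chain the presented
# certificate to the root. Exit status 0 means the client would be accepted.
verify_against_root() {
    openssl verify -CAfile "$CA_DIR/root/ca.crt" "$1" >/dev/null 2>&1
}

# A self-signed certificate from an unrelated key: well-formed, but not issued
# by our root, so the server must reject it.
make_unrelated_cert() {
    openssl req -new -x509 -days 30 -newkey rsa:2048 -nodes -subj "/CN=unrelated" \
        -config "$CA_DIR/openssl.cnf" -keyout "$CA_DIR/unrelated.key" \
        -out "$CA_DIR/unrelated.crt" 2>/dev/null
}

# Certificates issued so far: rows starting with V (valid) in the CA database.
count_issued() {
    grep -c '^V' "$CA_DIR/index.txt" || true
}

demo() {
    setup_ca_dir
    make_root
    issue_cert server server
    for c in alice bob carol; do issue_cert client "$c"; done   # N clients, one root
    make_unrelated_cert
    for crt in client/alice.crt client/bob.crt client/carol.crt unrelated.crt; do
        if verify_against_root "$CA_DIR/$crt"; then echo "$crt: accepted"; else echo "$crt: rejected"; fi
    done
    echo "issued $(count_issued) certificates under $CA_DIR"
}

if [ "${1:-}" = "run" ]; then demo; fi
```

Run it as `sh mtls_ca_demo.sh run` (any file name will do); it prints which certificates the root accepts and leaves the generated files under the temporary directory for inspection. Set CA_DIR to a path of your choice to work in a fixed directory.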

5 Configuring Nginx

Only the key parts of the server block are listed here:

ssl_certificate /etc/pki/ca_linvo/server/server.crt;        # server certificate (public key)
ssl_certificate_key /etc/pki/ca_linvo/server/server.key;    # server private key
ssl_client_certificate /etc/pki/ca_linvo/root/ca.crt;       # root CA certificate, used to validate every second-level client certificate
ssl_verify_client on;

Restart Nginx.

6 Testing

6.1 Browser test

Because this is two-way authentication, accessing the HTTPS address directly in a browser yields "Bad Request (No required SSL certificate was sent)"; the client certificate has to be installed on the client machine first. On Windows the certificate must be in PFX format (also called P12, i.e. PKCS#12), generated as follows:

openssl pkcs12 -export -inkey /etc/pki/ca_linvo/client/client.key -in /etc/pki/ca_linvo/client/client.crt -out /etc/pki/ca_linvo/client/client.pfx

You can then install it on Windows by double-clicking it; you will be prompted for the password that was set when the certificate was generated. After installation, restart the browser and open the URL; the browser may ask you to select a certificate, so pick the one just installed. Some browsers will then warn that the certificate is not trusted and the address is not secure. This is because our server certificate is issued by ourselves rather than by a real, authoritative CA (usually quite expensive), and the warning can be ignored.

6.2 PHP curl test

Only the curl parameters that must be set are listed:

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  // trust any server certificate, even one not issued by a CA
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);      // check that the domain name is set in the certificate (current libcurl treats 1 as 2); set to 0 to skip the check
curl_setopt($ch, CURLOPT_VERBOSE, true);          // debug mode, makes errors easier to track down
curl_setopt($ch, CURLOPT_SSLCERT, CLIENT_CRT);    // client.crt file path; constants are used here
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, CRT_PWD); // client certificate password
curl_setopt($ch, CURLOPT_SSLKEY, CLIENT_KEY);     // client.key file path

Turning off CURLOPT_SSL_VERIFYPEER means the client does not check the server's identity at all; the safer way to accept a self-issued server certificate is to keep verification on and point CURLOPT_CAINFO at the CA certificate instead.

If a blank page comes back with no information, the certificate or password is usually not set correctly; please check them.

6.3 PHP SOAP test

The first step is to build the client's PEM-format certificate. This can also be done with an openssl command, but since we already have the CRT and key, merging them by hand is simple:

Create a new file and copy into it the base64 content of the CRT from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including those two delimiter lines), then copy the content of the key from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- after it, and save the file as client.pem.

In fact, it is more convenient to concatenate the two files directly with the following command:

cat /etc/pki/ca_linvo/client/client.crt /etc/pki/ca_linvo/client/client.key > /etc/pki/ca_linvo/client/client.pem
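As an added example (not part of the original post), the checks below cover the troubleshooting line in 6.2 ("the certificate or password is not set correctly") and the client.pem bundle built here: that the bundle holds exactly one certificate and one private key, and that the key actually belongs to the certificate under the given passphrase. It assumes only the openssl command-line tool; the key, certificate and passphrase are constructed on the spot as test data, and the file names are arbitrary.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity checks for a client.pem
# bundle of the kind built in section 6.3. The key, certificate and passphrase are
# constructed here as test data; only the openssl command-line tool is assumed.
set -eu

WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-constructed-passphrase}"   # stands in for the post's crt_pwd constant

# Constructed fixtures: a passphrase-protected key plus a certificate for it,
# merged exactly as in section 6.3, and a second bundle whose key does not
# belong to the certificate (the classic cause of the "blank page").
make_fixtures() {
    printf '[ req ]\ndistinguished_name = dn\n[ dn ]\ncommonName = Common Name\n' > "$WORK/req.cnf"
    openssl genrsa -aes256 -passout "pass:$PASS" -out "$WORK/client.key" 2048 2>/dev/null
    openssl req -new -x509 -days 30 -key "$WORK/client.key" -passin "pass:$PASS" \
        -subj "/CN=client" -config "$WORK/req.cnf" -out "$WORK/client.crt" 2>/dev/null
    cat "$WORK/client.crt" "$WORK/client.key" > "$WORK/client.pem"
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
    cat "$WORK/client.crt" "$WORK/other.key" > "$WORK/mismatched.pem"
}

# Count PEM blocks of one type in a bundle. $1 bundle, $2 type, e.g. CERTIFICATE or
# "PRIVATE KEY" (the latter also matches RSA PRIVATE KEY / ENCRYPTED PRIVATE KEY).
count_blocks() {
    grep -c -- "-----BEGIN .*$2-----" "$1" || true
}

# Certificate and key belong together when their RSA moduli are identical. A wrong
# key and a wrong passphrase both fail here, before nginx or PHP are involved.
# $1 bundle, $2 passphrase
key_matches_cert() {
    cert_mod=$(openssl x509 -in "$1" -noout -modulus 2>/dev/null) || return 1
    key_mod=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Run all checks on one bundle and report; returns 0 only when everything passes.
check_bundle() {
    bundle=$1; pass=$2; ok=0
    [ "$(count_blocks "$bundle" CERTIFICATE)" = "1" ] || { echo "$bundle: expected exactly one certificate"; ok=1; }
    [ "$(count_blocks "$bundle" 'PRIVATE KEY')" = "1" ] || { echo "$bundle: expected exactly one private key"; ok=1; }
    key_matches_cert "$bundle" "$pass" || { echo "$bundle: key does not match certificate (or wrong passphrase)"; ok=1; }
    [ "$ok" = 0 ] && echo "$bundle: OK"
    return "$ok"
}

if [ "${1:-}" = "run" ]; then
    make_fixtures
    check_bundle "$WORK/client.pem" "$PASS"
    check_bundle "$WORK/client.pem" "wrong-passphrase" || true
    check_bundle "$WORK/mismatched.pem" "$PASS" || true
fi
```

Run it as `sh pem_check.sh run`; the first bundle passes, the same bundle with a wrong passphrase and the mismatched bundle are reported. To check a real client.pem, call `check_bundle /etc/pki/ca_linvo/client/client.pem 'your passphrase'` from the same shell after sourcing the file.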

With the PEM file in place, PHP's built-in SoapClient can be used; the second constructor argument needs these options:

$header = array(
    'local_cert' => CLIENT_PEM, // client.pem file path
    'passphrase' => CRT_PWD     // client certificate password
);
$client = new SoapClient(FILE_WSDL, $header); // FILE_WSDL is the HTTPS address to be accessed

In the last blog post I said at the end that setting local_cert to a remote path would give an error, as if the WSDL could not be used remotely the first time and had to be saved as a local file;

but in this test there was no problem: without saving it as a local file, direct remote access worked.

I assumed it was a problem with the previous certificate, but with the same set of certificates it still works. Weird ~~~~~

