The previous post only covered the 1:1 pattern; yesterday colleagues went on to implement the N:1 model, and here I am going to sort it out.
In the 1:1 pattern the file named by nginx's ssl_client_certificate directive holds the trusted client certificate itself, so every new client means editing that file on every server it has to talk to and reloading nginx.
The N:1 pattern is built on a certificate chain instead: first generate a root CA certificate, then issue the client certificates as second-level certificates signed by that CA.
A certificate issued this way carries the CA's signature, so the server can validate any client certificate with the CA's public key alone; it no longer needs a copy of each client certificate.
That is the whole idea; the steps are below.
1 Preparatory work
1.1 OpenSSL directory preparation
In general the OpenSSL configuration lives under /etc/pki/tls, so:
mkdir /etc/pki/ca_linvo
cd /etc/pki/ca_linvo
mkdir root server client newcerts
echo 01 > serial
echo 01 > crlnumber
touch index.txt
The serial and crlnumber files must contain a hexadecimal number (01 is the usual start); openssl ca refuses to run with an empty serial file.
1.2 OpenSSL configuration preparation
Edit the OpenSSL configuration:
vi /etc/pki/tls/openssl.cnf
Find this line, comment it out and replace it with the line below it (section names are case sensitive):
#default_ca = CA_default
default_ca = ca_linvo
Copy the whole [ CA_default ] section and rename the copy to the name above, [ ca_linvo ].
Modify the following parameters inside it:
dir = /etc/pki/ca_linvo
certificate = $dir/root/ca.crt
private_key = $dir/root/ca.key
Save and exit.
2 Creating the CA root certificate
Generate a 4096-bit key:
openssl genrsa -out /etc/pki/ca_linvo/root/ca.key 4096
Generate the CSR:
openssl req -new -key /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/root/ca.csr
Build the CRT (self-signed with the root's own key):
openssl x509 -req -days 3650 -in /etc/pki/ca_linvo/root/ca.csr -signkey /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/root/ca.crt
Generate the CRL (this goes through the [ ca_linvo ] section configured above, so the serial, crlnumber and index.txt files must already exist):
openssl ca -gencrl -out /etc/pki/ca_linvo/root/ca.crl -crldays 7
The generated root certificate files are in the /etc/pki/ca_linvo/root/ directory.
Note: when creating a certificate, set the key passphrase to at least 6 characters, because Java's keytool requires that minimum length.
3 Creating a server certificate
Generate a 2048-bit key:
openssl genrsa -out /etc/pki/ca_linvo/server/server.key 2048
Generate the CSR:
openssl req -new -key /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.csr
Build the CRT (signed by the CA):
openssl ca -in /etc/pki/ca_linvo/server/server.csr -cert /etc/pki/ca_linvo/root/ca.crt -keyfile /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/server/server.crt -days 3650
Description
1. The CRT generated here is a second-level certificate under the CA root. In practice the server certificate only serves ordinary one-way HTTPS, so it does not have to be issued by the CA; a self-signed server certificate works just as well:
openssl rsa -in /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.key
openssl x509 -req -in /etc/pki/ca_linvo/server/server.csr -signkey /etc/pki/ca_linvo/server/server.key -out /etc/pki/ca_linvo/server/server.crt -days 3650
(The openssl rsa step rewrites the key without a passphrase, so nginx can load it without prompting at startup.)
2. The -days parameter sets the validity period of the certificate as required; the default is 365 days.
4 Creating a client certificate
Generate the key (2048 bits; 1024-bit RSA keys are no longer considered safe):
openssl genrsa -des3 -out /etc/pki/ca_linvo/client/client.key 2048
Generate the CSR:
openssl req -new -key /etc/pki/ca_linvo/client/client.key -out /etc/pki/ca_linvo/client/client.csr
Generate the CRT:
openssl ca -in /etc/pki/ca_linvo/client/client.csr -cert /etc/pki/ca_linvo/root/ca.crt -keyfile /etc/pki/ca_linvo/root/ca.key -out /etc/pki/ca_linvo/client/client.crt -days 3650
Description
1. The client certificate must be issued by the CA (that is the whole point of the N:1 pattern). Repeat this step to create as many client certificates as needed, each with its own key and its own subject.
2. You may hit the following error when generating the CRT:
failed to update database
TXT_DB error number 2
It means index.txt already holds an entry with the same subject (or the same serial number).
This can be fixed as described in the linked reference.
I used method one: add unique_subject = no to index.txt.attr.
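The whole procedure of sections 1 to 4, as an added example that is not from the original post: a script that builds the same CA layout in a throwaway directory, writes a minimal stand-in for the [ ca_linvo ] section, issues a server certificate and two client certificates with openssl ca, and verifies the client certificates against ca.crt alone, which is exactly the check nginx performs with ssl_client_certificate. It goes one step beyond the post: it revokes one client and shows the CRL rejecting it, which is how a single client is removed in the N:1 model without rotating the CA. Assumptions: only the openssl command line (1.1 or later) is available; the temp directory stands in for /etc/pki/ca_linvo; the names alice and bob are invented; and the root is produced with openssl req -x509 plus basicConstraints and keyUsage extensions rather than the post's x509 -req -signkey, so that strict verifiers also accept it as a CA.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds a throwaway N:1 CA,
# issues certificates, verifies them, revokes one and checks the CRL.
set -eu

# Sections 1 and 2: directory layout, config and self-signed root.
# Every call creates a fresh CA so serial numbers never collide.
build_ca() {
    CA_DIR=$(mktemp -d)
    mkdir -p "$CA_DIR/root" "$CA_DIR/server" "$CA_DIR/client" "$CA_DIR/newcerts"
    echo 01 > "$CA_DIR/serial"            # openssl ca refuses an empty serial file
    echo 01 > "$CA_DIR/crlnumber"
    : > "$CA_DIR/index.txt"
    echo 'unique_subject = no' > "$CA_DIR/index.txt.attr"   # the TXT_DB error 2 fix
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = ca_linvo
[ ca_linvo ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/root/ca.crt
private_key      = \$dir/root/ca.key
default_md       = sha256
default_days     = 3650
default_crl_days = 7
policy           = policy_any
[ policy_any ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
EOF
    # Root key and self-signed root certificate in one step.
    openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$CA_DIR/openssl.cnf" -subj "/CN=ca_linvo root" \
        -keyout "$CA_DIR/root/ca.key" -out "$CA_DIR/root/ca.crt"
    gen_crl
}

# Sections 3 and 4: CSR, then a second-level certificate signed by the root.
# $1 = name, $2 = server or client (also selects the extension section).
issue_cert() {
    name=$1; role=$2; dir="$CA_DIR/$role"
    openssl req -new -newkey rsa:2048 -nodes -config "$CA_DIR/openssl.cnf" \
        -subj "/CN=$name" -keyout "$dir/$name.key" -out "$dir/$name.csr"
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -extensions "${role}_cert" -days 3650 \
        -in "$dir/$name.csr" -out "$dir/$name.crt"
}

# The chain check nginx does with ssl_client_certificate: ca.crt alone
# validates every certificate the CA issued.
verify_cert() {
    openssl verify -CAfile "$CA_DIR/root/ca.crt" "$CA_DIR/client/$1.crt"
}

# Regenerate the CRL (what nginx would load through ssl_crl).
gen_crl() {
    openssl ca -config "$CA_DIR/openssl.cnf" -gencrl -crldays 7 -out "$CA_DIR/root/ca.crl"
}

# Cut off one client without touching the others: revoke, then re-issue the CRL.
revoke_cert() {
    openssl ca -config "$CA_DIR/openssl.cnf" -revoke "$CA_DIR/client/$1.crt"
    gen_crl
}

# Same check with revocation enforced. -CAfile accepts certificates and
# CRLs in one PEM file, so the CA cert and CRL are concatenated.
verify_cert_crl() {
    cat "$CA_DIR/root/ca.crt" "$CA_DIR/root/ca.crl" > "$CA_DIR/root/ca_bundle.pem"
    openssl verify -crl_check -CAfile "$CA_DIR/root/ca_bundle.pem" "$CA_DIR/client/$1.crt"
}

# Stand-alone run.
build_ca
issue_cert server server
issue_cert alice client
issue_cert bob client
verify_cert alice                      # alice.crt: OK
verify_cert bob                        # bob.crt: OK
revoke_cert bob
verify_cert_crl alice                  # still OK
if verify_cert_crl bob; then echo "bob should have been rejected"; exit 1; fi
echo "CA built under $CA_DIR"
```

In nginx the counterpart of the last check is ssl_crl /etc/pki/ca_linvo/root/ca.crl; placed next to ssl_client_certificate. The CRL carries a nextUpdate time (7 days here, from -crldays), and once it has passed OpenSSL reports the CRL as expired and verification fails for every client, so the CRL has to be regenerated on a schedule, not only when something is revoked.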
5 Configuring nginx
Only the key directives of the server block are listed here:
ssl_certificate /etc/pki/ca_linvo/server/server.crt;       # server certificate (public part)
ssl_certificate_key /etc/pki/ca_linvo/server/server.key;   # server private key
ssl_client_certificate /etc/pki/ca_linvo/root/ca.crt;      # root CA certificate, used to validate every second-level client certificate
ssl_verify_client on;
Then restart nginx.
Because the server now trusts every certificate the CA has signed, the only way to lock out a single client afterwards is to revoke its certificate, regenerate ca.crl and load it with ssl_crl /etc/pki/ca_linvo/root/ca.crl; in the same server block.
6 Testing
6.1 Browser test
Because this is two-way authentication, opening the HTTPS address directly in a browser returns "400 Bad Request" (No required SSL certificate was sent); the client certificate has to be installed locally first. Windows wants it in PFX format, also called P12 (PKCS#12), generated as follows:
openssl pkcs12 -export -inkey /etc/pki/ca_linvo/client/client.key -in /etc/pki/ca_linvo/client/client.crt -out /etc/pki/ca_linvo/client/client.pfx
It can then be installed on Windows by double-clicking it; you will be prompted for the password that was set when the certificate was generated. After a successful installation, restart the browser and enter the URL; the browser may ask you to select a certificate, so pick the one just installed. At this point some browsers warn that the certificate is not trusted and the address is not secure. That is because our server certificate was issued by ourselves rather than by a public CA (which usually costs money); for this test it can be ignored, or ca.crt can be imported into the browser's trust store to silence it.
6.2 PHP curl test
Only the curl options that need setting are listed:
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);  // trust any server certificate, not only ones from a public CA
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 1);      // check whether the certificate names the host; set to 0 to skip the check
curl_setopt($ch, CURLOPT_VERBOSE, '1');           // debug mode, makes errors easier to track down
curl_setopt($ch, CURLOPT_SSLCERT, CLIENT_CRT);    // path to client.crt; I use constants here
curl_setopt($ch, CURLOPT_SSLCERTPASSWD, CRT_PWD); // client certificate password
curl_setopt($ch, CURLOPT_SSLKEY, CLIENT_KEY);     // path to client.key
Disabling CURLOPT_SSL_VERIFYPEER means the client will hand its certificate to anyone who answers on that address. Since we issued the server certificate ourselves, the safer setting is to leave CURLOPT_SSL_VERIFYPEER true and point CURLOPT_CAINFO at the certificate that signed it (ca.crt, or server.crt itself if it is self-signed), with CURLOPT_SSL_VERIFYHOST set to 2, the value that actually checks the hostname.
If a blank page comes back with no output, usually the certificate or password is not set correctly; check them.
6.3 PHP SOAP test
First build the client's PEM file. This could be done with an openssl command, but since we already have the CRT and the key, merging them by hand is simple:
Create a new file, copy in the Base64 block from the CRT between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (including those two delimiter lines), then copy in the block from the key between -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----, and save it as client.pem.
It is more convenient to combine the two files directly with the following command:
cat /etc/pki/ca_linvo/client/client.crt /etc/pki/ca_linvo/client/client.key > /etc/pki/ca_linvo/client/client.pem
Since client.key was created with -des3, it stays encrypted inside client.pem, which is why the passphrase option below is needed; the file still contains the private key, so keep it readable only by the user PHP runs as.
With the PEM file, the call can be made with PHP's built-in SoapClient; the constructor's second parameter carries the certificate options:
$options = array(
    'local_cert' => CLIENT_PEM, // path to client.pem
    'passphrase' => CRT_PWD     // client certificate password
);
$client = new SoapClient(FILE_WSDL, $options); // FILE_WSDL is the HTTPS address to access
In the last post I said at the end that setting local_cert to a remote path gave an error, as if the WSDL could not be fetched the first time and had to be saved as a local file;
but in this test there was no such problem: no need to save it locally, direct remote access works.
I assumed it was a problem with the earlier certificates, but using the same set of certificates it still works now; weird ~~~~~
SSL bidirectional authentication