SSL bidirectional authentication

the previous approach was just to implement the 1:1 pattern, and yesterday colleagues continued to implement the N:1 model, and here I'm going to sort it out.

Since Nginx's ssl_client_certificate parameter can only specify a client public key, it is necessary to re-match a server if a client is added to communicate.

The N:1 pattern is implemented through the CA's cascading certificate pattern, first generating a set of CA root-level certificates and then generating level two certificates as client certificates.

at this time, the client private key signature can be verified not only by the corresponding client public key, but also by the public key of the root certificate.

See here should be enlightened, the following simple introduction of how to operate:

1 Preparatory work1.1 OpenSSL Directory Preparation

In general, the configuration files for OpenSSL are in this directory /etc/pki/tls, so:

Mkdir/etc/pki/ca_linvo

Cd/etc/pki/ca_linvo

mkdir root Server client Newcerts

echo > Serial

echo > Crlnumber

Touch Index.txt

1.2 OpenSSL configuration Preparation

Modifying the OpenSSL configuration

vi/etc/pki/tls/openssl.cnf

find this comment out and replace it with the following sentence

#default_ca = Ca_default

Default_ca = Ca_linvo

put [Ca_default] Copy the whole section and change it to the name above. [Ca_linvo]

Modify the following parameters inside:

dir =/etc/pki/ca_linvo

certificate = $dir/ROOT/CA.CRT

private_key = $dir/root/ca.key

Save Exit

2 Create CA root-level certificate generation key:OpenSSL Genrsa-out/etc/pki/ca_linvo/root/ca.key

Generate CSR:OpenSSL REQ-NEW-KEY/ETC/PKI/CA_LINVO/ROOT/CA.KEY-OUT/ETC/PKI/CA_LINVO/ROOT/CA.CSR

Build CRT:OpenSSL x509-req-days 3650-in/etc/pki/ca_linvo/root/ca.csr-signkey/etc/pki/ca_linvo/root/ca.key-out/ ETC/PKI/CA_LINVO/ROOT/CA.CRT

Generating CRLs:OpenSSL ca-gencrl-out/etc/pki/ca_linvo/root/ca.crl-crldays 7

The generated root-level certificate files are in the /etc/pki/ca_linvo/root/ directory

Note: When creating a certificate, it is recommended that the certificate password be set to the length >=6 bit, because Java's Keytool tool seems to require it.

3 Creating a server certificate

Build key:OpenSSL Genrsa-out/etc/pki/ca_linvo/server/server.key

Generate CSR:OpenSSL REQ-NEW-KEY/ETC/PKI/CA_LINVO/SERVER/SERVER.KEY-OUT/ETC/PKI/CA_LINVO/SERVER/SERVER.CSR

Build CRT:OpenSSL ca-in/etc/pki/ca_linvo/server/server.csr-cert/etc/pki/ca_linvo/root/ca.crt-keyfile/etc/pki/ca _linvo/root/ca.key-out/etc/pki/ca_linvo/server/server.crt-days 3650

Description

1. The CRT generated here is a cascade certificate under the CA root level certificate, in fact, the server certificate is mainly used to configure the normal one-way https, so do not use cascading mode can also:

OpenSSL Rsa-in/etc/pki/ca_linvo/server/server.key-out/etc/pki/ca_linvo/server/server.key
OpenSSL x509-req-in/etc/pki/ca_linvo/server/server.csr-signkey/etc/pki/ca_linvo/server/server.key-out/etc/pki/ Ca_linvo/server/server.crt-days 3650

2. The-days parameter can set the validity period of the certificate as required, for example, 365 days by default

4 Creating a client certificate

generate Key:openssl Genrsa-des3-out/etc/pki/ca_linvo/client/client.key 1024x768

Generate Csr:openssl REQ-NEW-KEY/ETC/PKI/CA_LINVO/CLIENT/CLIENT.KEY-OUT/ETC/PKI/CA_LINVO/CLIENT/CLIENT.CSR

Generate Crt:openssl Ca-in/etc/pki/ca_linvo/client/client.csr-cert/etc/pki/ca_linvo/root/ca.crt-keyfile/etc/pki/ca _linvo/root/ca.key-out/etc/pki/ca_linvo/client/client.crt-days 3650

Description

1. You must use a cascading certificate here, and you can repeat this step to create multiple sets of client certificates

2, you may encounter the following error when generating the CRT:

OpenSSL txt_db Error number 2 failed to update database

This can be done by reference here.

I'm using method one, coming in index.txt.attr unique_subject = no

5 Configuring Nginx

Only the key parts of the server segment are listed here:

ssl_certificate/etc/pki/ca_linvo/server/server.crt; #server公钥
Ssl_certificate_key/etc/pki/ca_linvo/server/server.key; #server私钥
ssl_client_certificate/etc/pki/ca_linvo/root/ca.crt; #根级证书公钥 for validating each level two client
ssl_verify_client on;

Re-start Nginx

6 Testing6.1 Browser Test because it is a two-way authentication, access to the HTTPS address directly through the browser is known as the "Bad Request" (No required SSL certificate was sent), the client certificate needs to be installed natively. The certificate installed on Windows requires the PFX format, also called P12 format, to be generated as follows:OpenSSL pkcs12-export-inkey/etc/pki/ca_linvo/client/client.key-in/etc/pki/ca_linvo/client/client.crt-out/ Etc/pki/ca_linvo/client/client.pfx
Then you can install it by double-clicking it in Windows, and you will be prompted to enter the password that was set when the certificate was generated. After successful installation, restart the browser input URL access, the browser may prompt you to select the certificate, select the certificate just installed. At this point, some browsers will prompt the user that the certificate is not trusted, the address is not secure, this is because our server certificate is issued by ourselves, rather than the real authority CA Authority promulgated (usually very expensive oh ~), ignoring it can be.The 6.2 php Curl test only lists the key need to set the curl parameters:

curl_setopt ($ch, Curlopt_ssl_verifypeer, false); It's okay to trust any certificate, not the CA Authority        curl_setopt ($ch, Curlopt_ssl_verifyhost, 1);//Check whether the domain name is set in the certificate, or set to 0 if you do not want to verify it        curl_setopt ($ch, Curlopt_verbose, ' 1 '); Debug mode, easy Error debug        curl_setopt ($ch, Curlopt_sslcert, client_crt)//client.crt file path, here I use constants instead of        curl_setopt ($ch , CURLOPT_SSLCERTPASSWD, crt_pwd); CLIENT Certificate Password        curl_setopt ($ch, Curlopt_sslkey, client_key);//client.key file path

If a whiteboard page does not return information, generally the certificate or password is not set correctly, please check.
6.3 PHP Soap Test

The first step is to build the client's PEM format certificate, which is also possible through the OpenSSL command, but because we already have the CRT and key, the manual merge is simple:

Create a new file to -----BEGIN CERTIFICATE----- and -----END CERTIFICATE in the CRT ----- The Base64 content (including these two split lines) is copied into the key -----BEGIN RSA private key----- and -----END RSA private Key----- The content is also copied into, and then saved as CLIENT.PEM.

In fact, it is more convenient to combine two files directly with the following command:

Cat/etc/pki/ca_linvo/client/client.crt/etc/pki/ca_linvo/client/client.key >/etc/pki/ca_linvo/client/ Client.pem

With the Pem file, the following can be called using PHP's built-in SoapClient, and the constructor needs to set the second parameter:

$header = Array (' Local_cert ' = client_pem,//client.pem file path ' passphrase ' = crt_pwd//client certificate password); $client = new Soa Pclient (file_wsdl, $header); FILE_WSDL is the HTTPS address to be accessed

In the last blog, when I finally said that Local_cert was set to a remote path, it would be an error, as if the WSDL was not used for the first time, and it would need to be kept in a cost-free file;

But this test is not a problem, do not save as a local file, direct remote access.

It was supposed to be a problem with the previous certificate, but using the same set of certificates is still possible, it's weird ~~~~~

SSL bidirectional authentication