[Illustrated] Configuring nginx for two-way (mutual) SSL verification: an nginx HTTPS SSL certificate configuration tutorial

Source: Internet
Uploader: User

1. Install nginx

Detailed steps for installing and configuring Nginx on CentOS
http://www.111cn.net/sys/CentOS/80387.htm

Detailed tutorial for installing nginx on Windows
http://www.111cn.net/wy/156/38731.htm

2. Set up a certificate authority with openssl


Because openssl is used to run a private CA, the fields that the CA's signing policy compares must have the same values in the CA certificate, the server certificate and the client certificate. With the stock policy_match policy in openssl.cnf those fields are Country Name, State or Province Name and Organization Name (marked "match"); Organizational Unit Name is optional and Common Name must be supplied. Any DN field the policy does not list (Locality Name, in the stock policy_match) is silently dropped from the issued certificate unless openssl ca is run with -preserveDN. This tutorial keeps all five fields identical, which satisfies the policy:
Country Name
 State or Province Name
 Locality Name
 Organization Name
 Organizational Unit Name

 

Edit the CA configuration file (the values below are the stock defaults; only the req_distinguished_name defaults were changed to the tutorial's own values)
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
 dir             = /etc/pki/CA
 certs           = $dir/certs            # Where the issued certs are kept
 crl_dir         = $dir/crl              # Where the issued crl are kept
 database        = $dir/index.txt        # database index file.
 #unique_subject = no                    # Set to 'no' to allow creation of
 # several ctificates with same subject.
 new_certs_dir   = $dir/newcerts         # default place for new certs.
 certificate     = $dir/cacert.pem       # The CA certificate
 serial          = $dir/serial           # The current serial number
 crlnumber       = $dir/crlnumber        # the current crl number
                                         # must be commented out to leave a V1 CRL
 crl             = $dir/crl.pem          # The current CRL
 private_key     = $dir/private/cakey.pem# The private key
 RANDFILE        = $dir/private/.rand    # private random number file
[ req_distinguished_name ]
 countryName                     = Country Name(2 letter code)
 countryName_default             = CN
 countryName_min                 = 2
 countryName_max                 = 2
 stateOrProvinceName             = State or Province Name (full name)
 stateOrProvinceName_default     = FJ
 localityName                    = Locality Name (eg, city)
 localityName_default            = FZ
 0.organizationName              = Organization Name (eg, company)
 0.organizationName_default      = zdz
 organizationalUnitName          = Organizational Unit Name (eg, section)
 organizationalUnitName_default  = zdz

Create the CA private key
cd /etc/pki/CA/private
 (umask 077;openssl genrsa -out cakey.pem 2048)

Generate the self-signed CA certificate (the validity option is written -days 3655; openssl rejects -days=3655). openssl ca also needs an empty certificate database and a starting serial number, which the stock layout does not ship with:
cd /etc/pki/CA/
 openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
 touch index.txt          # certificate database; openssl ca refuses to sign without it
 echo 01 > serial         # serial number for the first issued certificate

3. Create the server certificate

mkdir /usr/local/nginx/ssl
 cd /usr/local/nginx/ssl
 (umask 077;openssl genrsa -out nginx.key 2048)    # the original used 1024 bits, which is below today's 2048-bit minimum
 openssl req -new -key nginx.key -out nginx.csr     # answer with the same Country, State and Organization as the CA; Common Name is the hostname clients will connect to
 openssl ca -in nginx.csr -out nginx.crt -days 3650
 cp /etc/pki/CA/cacert.pem .                        # the nginx configuration below points ssl_client_certificate at this copy

Note that current Chrome and Firefox no longer match the hostname against the Common Name but against a subjectAltName extension, which the plain openssl req -new above does not add; the certificate works for the openssl and curl checks but a browser will report a name mismatch unless a matching subjectAltName is requested in the CSR and copied into the certificate.

4. Create the client (browser) certificate


(umask 077;openssl genrsa -out client.key 2048)    # again 2048 bits instead of the original 1024
 openssl req -new -key client.key -out client.csr   # same Country, State and Organization as the CA; Common Name identifies the user
 openssl ca -in client.csr -out client.crt -days 3650
 Convert the PEM certificate and key into a PKCS#12 bundle that the browser can import (the export password openssl asks for is the password the browser will ask for on import):
 openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
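The script below is an added example, not the tutorial's own commands. It runs steps 2 to 4 end to end in a scratch directory instead of /etc/pki/CA: it builds the directory layout openssl ca expects (including the index.txt and serial files), issues a server certificate with a subjectAltName and a client certificate with a clientAuth extended key usage, exports the client pair as PKCS#12, and checks the results offline with openssl verify. It also creates a second, unrelated CA to show that a client certificate from another issuer does not verify against cacert.pem, which is exactly what nginx's ssl_verify_client on enforces during the handshake. The hostname www.example.com, the subject names, the password changeit and the directory layout are assumptions; OpenSSL 1.1.1 or later is required.

```shell
#!/bin/sh
# Added example (not the tutorial's own commands): a throwaway private CA built
# the way steps 2-4 do it, with offline checks of what it produced.
# Assumes OpenSSL 1.1.1+ on PATH. All paths, names and the password are
# hypothetical; everything lives under a scratch directory, not /etc/pki/CA.
set -eu

# Fields compared by the CA signing policy below: C, ST and O must equal the
# CA's own; L and OU are optional; CN must be supplied.
DN_BASE="/C=CN/ST=FJ/L=FZ/O=zdz/OU=zdz"

# make_ca DIR NAME: the [ CA_default ] directory layout, a minimal openssl.cnf
# for it, the CA private key and a self-signed CA certificate.
make_ca() {
    cadir=$1; caname=$2
    mkdir -p "$cadir/certs" "$cadir/crl" "$cadir/newcerts" "$cadir/private"
    : > "$cadir/index.txt"     # the "database"; openssl ca refuses to run without it
    echo 01 > "$cadir/serial"  # next serial number; also mandatory
    cat > "$cadir/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
dir             = $cadir
certs           = \$dir/certs
crl_dir         = \$dir/crl
database        = \$dir/index.txt
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/cacert.pem
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
default_md      = sha256
default_days    = 3650
policy          = policy_match
# carry the subjectAltName / extendedKeyUsage requested in the CSR into the certificate
copy_extensions = copy
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name = req_distinguished_name
x509_extensions    = v3_ca
[ req_distinguished_name ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    (umask 077; openssl genrsa -out "$cadir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -config "$cadir/openssl.cnf" -new -x509 -days 3655 \
        -key "$cadir/private/cakey.pem" -out "$cadir/cacert.pem" -subj "$DN_BASE/CN=$caname"
}

# issue CADIR BASENAME CN [-addext ...]: key, CSR and CA-signed certificate
# (steps 3 and 4). The trailing -addext options request SAN / EKU extensions.
issue() {
    cadir=$1; base=$2; cn=$3; shift 3
    (umask 077; openssl genrsa -out "$base.key" 2048 2>/dev/null)
    openssl req -config "$cadir/openssl.cnf" -new -key "$base.key" -out "$base.csr" \
        -subj "$DN_BASE/CN=$cn" "$@"
    openssl ca -config "$cadir/openssl.cnf" -batch -notext -days 3650 \
        -in "$base.csr" -out "$base.crt" >/dev/null 2>"$base.ca.log" \
        || { cat "$base.ca.log"; return 1; }
}

# export_p12 BASENAME PASSWORD: the browser-importable bundle from step 4
export_p12() {
    openssl pkcs12 -export -clcerts -in "$1.crt" -inkey "$1.key" -out "$1.p12" -passout "pass:$2"
}

# verify_cert CADIR CERT PURPOSE: succeeds only if CERT chains to CADIR's
# cacert.pem and is usable for PURPOSE (sslserver or sslclient)
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -purpose "$3" "$2" >/dev/null 2>&1
}
has_san()          { openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256; }
p12_fingerprint()  { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
                     openssl x509 -noout -fingerprint -sha256; }

WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
SERVER_HOST=www.example.com   # hypothetical; must be the name clients connect to
P12_PASS=changeit             # hypothetical import password the browser will ask for

make_ca "$WORK/ca" "zdz private CA"
issue "$WORK/ca" "$WORK/nginx" "$SERVER_HOST" \
    -addext "subjectAltName=DNS:$SERVER_HOST" -addext "extendedKeyUsage=serverAuth"
issue "$WORK/ca" "$WORK/client" "alice" -addext "extendedKeyUsage=clientAuth"
export_p12 "$WORK/client" "$P12_PASS"

# An unrelated CA stands in for an attacker: its client certificate must not
# verify against our cacert.pem, which is what ssl_verify_client on enforces.
make_ca "$WORK/rogue" "rogue CA"
issue "$WORK/rogue" "$WORK/rogue-client" "mallory" -addext "extendedKeyUsage=clientAuth"

for f in nginx.crt client.crt rogue-client.crt; do
    case $f in nginx.crt) p=sslserver ;; *) p=sslclient ;; esac
    if verify_cert "$WORK/ca" "$WORK/$f" "$p"; then echo "$f: OK"; else echo "$f: rejected"; fi
done
```

Run it with sh: it prints one OK line for the server and client certificates, a "rejected" line for the rogue client certificate, and deletes the scratch directory on exit. To use the output with the rest of this tutorial, copy nginx.crt, nginx.key and cacert.pem into /usr/local/nginx/ssl for step 5 and client.p12 to the client machine for step 6.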

5. Configure nginx server-side verification

vim /usr/local/nginx/conf/nginx.conf
 server {
     listen                  443 ssl;                               # "ssl on;" is deprecated and was removed in nginx 1.25; enable TLS on the listen directive instead
     ssl_certificate         /usr/local/nginx/ssl/nginx.crt;
     ssl_certificate_key     /usr/local/nginx/ssl/nginx.key;
     ssl_client_certificate  /usr/local/nginx/ssl/cacert.pem;       # copy of /etc/pki/CA/cacert.pem: the CA whose client certificates nginx will accept
     ssl_session_timeout     5m;
     #ssl_verify_client       on;                                   # server verifies the client; left off for now so clients without a certificate can connect and one-way TLS can be checked first
     ssl_protocols           TLSv1.2 TLSv1.3;                       # the original listed SSLv2 SSLv3 TLSv1, all of which are broken or deprecated (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+)
 }

 

 

Because cacert.pem is a private CA that the browser does not trust, Firefox warns about the connection the first time the site is opened. To proceed with one-way TLS:

Click "I Understand the Risks"

Click "Add Exception"

Click "Confirm Security Exception"


6. Configure two-way verification

In the nginx configuration enable ssl_verify_client on; and reload nginx.

Visiting the site from a browser that has no client certificate installed now fails: nginx answers 400 Bad Request with the text "No required SSL certificate was sent", because the handshake requested a certificate and the client offered none.

Import the certificate into the client browser:

Download the client certificate (client.p12) generated on the Linux server to the Windows machine.

Open the Advanced tab of the Firefox options.

In the Certificate Manager, under Your Certificates, click Import.

Select the certificate file and import it (Firefox asks for the password given to openssl pkcs12 -export).

Refresh the page again; a User Identification Request dialog asks which certificate to present. Click OK and two-way verification is in place.
