Nginx HTTPS Configuration

30.1 Purpose of this document
30.2 Contents of this document
30.3 One-way and two-way authentication
30.3.1 What one-way authentication is
30.3.2 What two-way authentication is
30.4 Introduction to OpenSSL
30.5 Prerequisites for one-way and two-way SSL in Nginx
30.6 Making certificates with OpenSSL
30.6.1 Server-side (one-way) authentication
30.6.1.1 Create and enter the sslkey directory
30.6.1.2 Generate an RSA key
30.6.1.3 Generate a certificate signing request
30.6.1.4 Edit the main Nginx configuration file
30.6.1.5 Verify the result
30.6.2 Server and client (two-way) authentication
30.6.2.1 Create a directory for each kind of certificate
30.6.2.2 Create a new root CA certificate with a script
30.6.2.3 Generate the server certificate with a script
30.6.2.4 Configure the main Nginx configuration file
30.6.2.5 Verify the result
30.6.2.6 Fixing "400 Bad Request": generate a client certificate
30.6.2.7 Verify the result again
30.6.2.8 Things to watch out for with Nginx SSL
30.1 Purpose of this document

  I wrote this document to practise writing and laying out documentation, to consolidate what was covered in class, and to have something I can look up later.

30.2 Contents of this document

 This chapter covers: the concepts of one-way and two-way authentication, an introduction to OpenSSL, the prerequisites for SSL in Nginx, and making certificates with OpenSSL (for one-way and for two-way authentication).

30.3 One-way and two-way authentication
30.3.1 What one-way authentication is
In one-way (server-only) SSL authentication only the server presents a certificate. The client checks that the certificate was issued by a CA it trusts and that the name in it matches the host it connected to; the server checks nothing about the client's identity during the handshake. This is how an ordinary HTTPS site works: the user may still log in with a username and password afterwards, but that happens inside the encrypted connection and is not part of SSL authentication.
30.3.2 What two-way authentication is
In two-way SSL authentication (mutual TLS) the client still fetches and checks the server's certificate and refuses to talk to a host it cannot trust (the browser shows a warning), but the server also demands a certificate from the client and checks it against the CA it trusts. A client that cannot present a certificate signed by that CA is not a legitimate user of the service and is refused. For two-way HTTPS to succeed, then, the server needs a certificate the browser trusts, and the browser needs a certificate the server trusts.
For a browser to trust the server's certificate out of the box, it has to be signed by one of the big, widely trusted certificate authorities, which normally costs money. For the client side a private CA such as the one built below is enough, because the server operator decides which CA the server trusts.
Put simply: with one-way authentication only the client verifies the server; with two-way authentication each side verifies the other's certificate before the connection is allowed to proceed.
30.4 Introduction to OpenSSL
OpenSSL is open-source software with which a simple CA can be set up on Linux (or UNIX/Cygwin). A CA (certification authority) is the trusted third party in a public key infrastructure (PKI) that issues and vouches for digital certificates. A private CA of this kind is useful for PKI and certificate testing: when setting up two-way HTTPS authentication with Tomcat, Apache or Nginx, for example, the test CA can issue the server's certificate and also generate file-based certificates for clients (browsers), with OpenSSL generating the client private keys as well.
30.5 Prerequisites for one-way and two-way SSL in Nginx
This assumes an LNMP (Linux, Nginx, MySQL, PHP) environment.
Nginx must have been compiled with two configure options: --with-http_stub_status_module (enables the NginxStatus page for monitoring the running server; not needed for SSL itself) and --with-http_ssl_module (enables the SSL module, which is required).
The openssl and openssl-devel packages must be installed (the -devel package is needed to build the SSL module).
Check the build with nginx -V:
[root@LNMP ~]# /application/nginx/sbin/nginx -V
nginx version: nginx/1.6.2
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-11) (GCC)
configure arguments: --user=nginx --group=nginx --prefix=/application/nginx-1.6.2 --with-http_stub_status_module --with-http_ssl_module
30.6 Making certificates with OpenSSL
30.6.1 Server-side (one-way) authentication
30.6.1.1 Create and enter the sslkey directory
[root@LNMP ~]# mkdir -p /application/nginx/sslkey
[root@LNMP ~]# cd /application/nginx/sslkey/
30.6.1.2 Generate an RSA key
[root@LNMP sslkey]# openssl genrsa -out key.pem 2048
30.6.1.3 Generate a certificate signing request
[root@LNMP sslkey]# openssl req -new -key key.pem -out cert.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn //country code
State or Province Name (full name) []:bj //province
Locality Name (eg, city) [Default City]:bj //city
Organization Name (eg, company) [Default Company Ltd]:bj //company name
Organizational Unit Name (eg, section) []:bj //department
Common Name (eg, your name or your server's hostname) []:www.etiantian.org //the domain name the SSL site will serve
Email Address []:[email protected] //e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 //an optional CSR attribute, not a key passphrase; Nginx never uses it and it can be left blank
An optional company name []:123456 //optional, can be left blank
Note that cert.csr is only a request. Nginx needs a certificate, so the request has to be signed before the next step, either by a CA or by self-signing it with the same key, and the resulting certificate and the key must be placed at the paths the configuration below names (server.crt and server.key).
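The commands above stop at the request. The script below, added here as an example and not part of the original notes, carries the one-way setup through to a signed certificate without the interactive prompts and adds the checks worth running before Nginx is pointed at the files. The scratch directory, the DN values and the one-year validity are assumptions; the host name www.etiantian.org and the file names server.key and server.crt are the ones the configuration in 30.6.1.4 uses.

```shell
#!/bin/sh
# Added example, not from the original notes: server key, CSR and self-signed
# certificate for one-way SSL in one non-interactive run, followed by the
# checks worth making before pointing nginx at the files. The scratch
# directory, the DN values and the one-year validity are assumptions; the
# host name and the file names are the ones nginx.conf in 30.6.1.4 uses.
set -eu

# make_selfsigned_cert DIR CN: writes DIR/server.key, DIR/server.csr and
# DIR/server.crt
make_selfsigned_cert() {
    dir="$1"; cn="$2"
    mkdir -p "$dir"
    chmod 700 "$dir"
    # A small req config replaces the interactive DN prompts on any OpenSSL
    # version. Browsers match the host name against subjectAltName, not the
    # CN, so the v3_server section is what makes the certificate valid for it.
    cat > "$dir/req.cnf" <<EOF
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
C = CN
ST = bj
L = bj
O = bj
OU = bj
CN = $cn
[ v3_server ]
basicConstraints = CA:FALSE
subjectAltName = DNS:$cn
EOF
    # 2048-bit RSA key without passphrase (nginx would otherwise prompt for
    # it at every start); this key protects every session, so mode 600.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # The request. The "challenge password" the page typed in is a CSR
    # attribute nginx never reads, so it is left unset.
    openssl req -new -config "$dir/req.cnf" -key "$dir/server.key" -out "$dir/server.csr"
    # Self-sign the request with the same key; SHA-256, never MD5 or SHA-1.
    # Only a CA the browser already trusts could sign it without a warning.
    openssl x509 -req -days 365 -sha256 -in "$dir/server.csr" -signkey "$dir/server.key" \
        -extfile "$dir/req.cnf" -extensions v3_server -out "$dir/server.crt" 2>/dev/null
}

# cert_cn CRT: prints the CN (handles both the old "/CN=" and new "CN = " formats)
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}

# key_matches_cert KEY CRT: succeeds when KEY is the key inside CRT; a
# mismatch is the usual reason nginx -t fails after a certificate change
key_matches_cert() {
    [ "$(openssl rsa -noout -modulus -in "$1")" = "$(openssl x509 -noout -modulus -in "$2")" ]
}

# cert_has_san CRT NAME: succeeds when NAME is listed as a DNS SAN
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -q "DNS:$2"
}

work=$(mktemp -d)
make_selfsigned_cert "$work/sslkey" www.etiantian.org
key_matches_cert "$work/sslkey/server.key" "$work/sslkey/server.crt"
cert_has_san "$work/sslkey/server.crt" www.etiantian.org
echo "CN $(cert_cn "$work/sslkey/server.crt"); copy $work/sslkey/server.* to /application/nginx/sslkey/"
```

Copy server.key and server.crt into /application/nginx/sslkey (or point the two paths in nginx.conf at wherever the script wrote them). Because the certificate is self-signed the browser will still warn; only a certificate issued by a CA the browser already trusts avoids that.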
30.6.1.4 Edit the main Nginx configuration file
[root@LNMP ~]# cat /application/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 443;
        server_name www.etiantian.org;
        ssl on;   # nginx 1.6 syntax; nginx 1.15 and later use "listen 443 ssl;" instead
        # the signed certificate and its private key produced in 30.6.1.3
        ssl_certificate /application/nginx/sslkey/server.crt;
        ssl_certificate_key /application/nginx/sslkey/server.key;
        ssl_session_timeout 5m;
        # SSLv3 is broken (POODLE) and must not be offered; the original listed "SSLv3 TLSv1"
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # RC4 is no longer safe; keep only the strong suites and exclude anonymous DH and export ciphers
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXPORT;
        ssl_prefer_server_ciphers on;
        location / {
            root html/blog;
            index index.html index.htm;
        }
    }
}
[root@LNMP ~]# /application/nginx/sbin/nginx -t //check the syntax
[root@LNMP ~]# /application/nginx/sbin/nginx -s reload //reload the configuration
30.6.1.5 Verify the result
(screenshots of the browser result not reproduced)
30.6.2 Server and client (two-way) authentication
30.6.2.1 Create a directory for each kind of certificate
[root@LNMP ~]# mkdir /application/nginx/ca
[root@LNMP ~]# cd /application/nginx/ca
[root@LNMP ca]# mkdir newcerts private conf server
newcerts holds a copy of every certificate the CA signs (issues); it is the CA's backup directory.
private holds the CA's private key (keep it mode 700: whoever can read ca.key can issue certificates the server will accept).
conf holds the configuration file that supplies the parameters listed below.
server holds the server's own certificate.
1. Create the configuration file openssl.conf in the conf directory
[root@LNMP ~]# cat /application/nginx/ca/conf/openssl.conf
[ ca ]
default_ca = foo # name of the default CA section; openssl ca looks up the section with this name
[ foo ]
dir = /application/nginx/ca # top-level CA directory
database = /application/nginx/ca/index.txt # the CA's database index file
new_certs_dir = /application/nginx/ca/newcerts # where newly issued certificates are copied
certificate = /application/nginx/ca/private/ca.crt # the CA certificate
serial = /application/nginx/ca/serial # the serial-number file
private_key = /application/nginx/ca/private/ca.key # the CA private key
RANDFILE = /application/nginx/ca/private/.rand # random-seed file
default_days = 365 # validity of the certificates the CA issues
default_crl_days = 30 # validity of each CRL, i.e. how long until the next CRL is due
default_md = sha256 # signature digest; the original used md5, which is broken for signatures and rejected by modern clients
#unique_subject = no # set to no if the CA must be able to issue several valid certificates with the same subject
policy = policy_any # which DN fields of a request must match the CA's own DN
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
30.6.2.2 Create a new root CA certificate with a script
1. Script contents
[root@LNMP ~]# cat /application/nginx/ca/new_ca.sh
#!/bin/sh
# generate the CA private key (no size given, so this OpenSSL produces a 1024-bit key; append 2048 for a key of today's minimum size)
openssl genrsa -out private/ca.key
# generate a certificate request for the CA
openssl req -new -key private/ca.key -out private/ca.csr
# sign the CA's own request with its own private key, producing the self-signed root certificate
openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
# the next two lines create the CA's serial-number file and its (empty) certificate database
echo FACE > serial
touch index.txt
# issue an (empty) certificate revocation list, valid for 7 days
openssl ca -gencrl -out /application/nginx/ca/private/ca.crl -crldays 7 -config "/application/nginx/ca/conf/openssl.conf"
2. Run the script to create the root CA certificate
[root@LNMP ca]# sh new_ca.sh
Generating RSA private key, 1024 bit long modulus
.......................................++++++
.++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Signature ok
subject=/C=cn/ST=bj/L=bj/O=bj/OU=bj/CN=www.etiantian.org/[email protected]
Getting Private key
Using configuration from /application/nginx/ca/conf/openssl.conf
3. Check the generated CA certificate (private/ca.crt) and make sure it is not empty and contains a PEM certificate block
30.6.2.3 Generate the server certificate with a script
1. Script contents
[root@LNMP ~]# cd /application/nginx/ca/
[root@LNMP ca]# cat new_server.sh
#!/bin/sh
# Create us a key. Don't bother putting a password on it since you will need it to start apache.
# If you have a better work around I'd love to hear it.
# (the same holds for nginx: a passphrase-protected key makes nginx prompt for it at every start)

# create the server private key (no size given, so 1024 bits here; append 2048 for a stronger key)
openssl genrsa -out server/server.key
# create a certificate signing request with the private key
openssl req -new -key server/server.key -out server/server.csr
# have the CA sign the request, producing the server certificate
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/application/nginx/ca/conf/openssl.conf"
2. Run the script to generate the server certificate
[root@LNMP ca]# sh new_server.sh
Generating RSA private key, 1024 bit long modulus
.....................++++++
...........................................................++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /application/nginx/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :ASN.1 12:'bj'
localityName          :ASN.1 12:'bj'
organizationName      :ASN.1 12:'bj'
organizationalUnitName:ASN.1 12:'bj'
commonName            :ASN.1 12:'www.etiantian.org'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar  5 10:14:25 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
3. Check that the generated server certificate (server/server.crt) is not empty; if it is, the steps below will fail
30.6.2.4 Configure the main Nginx configuration file
[root@LNMP ~]# cat /application/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;

    # HTTPS server
    server {
        listen 443;
        root html/blog;
        index index.php index.html index.htm;
        server_name www.etiantian.org;
        ssi on;
        ssi_silent_errors on;
        ssi_types text/shtml;
        ssl on;
        # the server certificate issued by the private CA in 30.6.2.3, and its key
        ssl_certificate /application/nginx/ca/server/server.crt;
        ssl_certificate_key /application/nginx/ca/server/server.key;
        # the CA certificate that client certificates are verified against
        ssl_client_certificate /application/nginx/ca/private/ca.crt;
        ssl_session_timeout 5m;
        # demand a client certificate; a client without one gets "400 Bad Request"
        ssl_verify_client on;
        # SSLv2 and SSLv3 are broken and must not be offered (the original listed "SSLv2 SSLv3 TLSv1")
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        # the original cipher list re-enabled LOW, EXP and SSLv2 suites; allow only strong ones
        ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!EXPORT;
        ssl_prefer_server_ciphers on;
        location / {
            root html/blog;
            index index.php index.html index.htm;
        }
    }
}
[root@LNMP ~]# /application/nginx/sbin/nginx -t //check the syntax
[root@LNMP ~]# /application/nginx/sbin/nginx -s reload //reload the configuration
30.6.2.5 Verify the result
(screenshot of the browser result not reproduced)
30.6.2.6 Fixing "400 Bad Request": generate a client certificate
With ssl_verify_client on, a browser that has no client certificate to present is refused and sees "400 Bad Request" (nginx's message is "No required SSL certificate was sent"). The fix is to issue the client a certificate from the same CA and import it into the browser.
1. Script contents
[root@LNMP ~]# cat /application/nginx/ca/new_user.sh
#!/bin/sh
base="/application/nginx/ca"
mkdir -p $base/users/
# generate the client private key, encrypted with 3DES (you are asked for a passphrase)
openssl genrsa -des3 -out $base/users/client.key 1024
# generate a certificate signing request from the private key
openssl req -new -key $base/users/client.key -out $base/users/client.csr
# have the CA sign the request, producing the client certificate
openssl ca -in $base/users/client.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/users/client.crt -config "/application/nginx/ca/conf/openssl.conf"
# bundle certificate and key into a PKCS#12 file (.p12, "Personal Information Exchange"), the format most browsers can import
openssl pkcs12 -export -clcerts -in $base/users/client.crt -inkey $base/users/client.key -out $base/users/client.p12
2. Run the script to generate the client certificate
[root@LNMP ca]# sh new_user.sh
Generating RSA private key, 1024 bit long modulus
....++++++
...................................................++++++
e is 65537 (0x10001)
Enter pass phrase for /application/nginx/ca/users/client.key:
Verifying - Enter pass phrase for /application/nginx/ca/users/client.key:
Enter pass phrase for /application/nginx/ca/users/client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /application/nginx/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :ASN.1 12:'bj'
localityName          :ASN.1 12:'bj'
organizationName      :ASN.1 12:'bj'
organizationalUnitName:ASN.1 12:'bj'
commonName            :ASN.1 12:'www.etiantian.org'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar  5 10:24:17 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter pass phrase for /application/nginx/ca/users/client.key:
Enter Export Password:
Verifying - Enter Export Password:
3. Check the generated certificate
Download client.p12 to your desktop (sz sends the file over the terminal session via lrzsz; scp works just as well):
[root@LNMP ~]# cd /application/nginx-1.6.2/ca/users/
[root@LNMP users]# sz -y client.p12
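The three scripts (30.6.2.2, 30.6.2.3 and 30.6.2.6) together with the openssl.conf from 30.6.2.1 form one procedure. The script below, added as an example and not one of the page's own scripts, performs that whole procedure non-interactively and repeatably, then shows the check Nginx performs when ssl_verify_client is on: a client certificate from the CA named in ssl_client_certificate is accepted, one from any other CA is rejected even if that CA uses the same name. The scratch directory, the root CA name "Test Root CA", the client Common Name client1 and the export password export-pass are assumptions; the directory layout, the serial value and the policy section follow the page.

```shell
#!/bin/sh
# Added example, not one of the page's scripts: the two-way SSL PKI of
# 30.6.2.2, 30.6.2.3 and 30.6.2.6 built non-interactively, then the check
# nginx makes with ssl_verify_client, including a client certificate from a
# foreign CA that must be rejected. Scratch directory, root CA name, client
# CN "client1" and export password are assumptions; layout follows the page.
set -eu

# write_ca_conf DIR: the page's openssl.conf, but signing with sha256 instead
# of md5, with a v3_ca section so the root carries CA:TRUE, and with
# extension sections for server and client certificates.
write_ca_conf() {
    cat > "$1/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
database = $1/index.txt
new_certs_dir = $1/newcerts
certificate = $1/private/ca.crt
serial = $1/serial
private_key = $1/private/ca.key
default_days = 365
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = given with -subj
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
[ v3_client ]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
}
# make_ca DIR: the directory layout of 30.6.2.1 plus a self-signed root
make_ca() {
    mkdir -p "$1/newcerts" "$1/private" "$1/conf" "$1/server" "$1/users"
    chmod 700 "$1/private"
    write_ca_conf "$1"
    echo FACE > "$1/serial"      # first serial number (hex, even digit count)
    : > "$1/index.txt"           # empty certificate database
    openssl genrsa -out "$1/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -sha256 -config "$1/conf/openssl.conf" \
        -extensions v3_ca -key "$1/private/ca.key" \
        -subj "/C=CN/ST=bj/L=bj/O=bj/OU=bj/CN=Test Root CA" -out "$1/private/ca.crt"
}
# issue_cert DIR KIND CN: KIND is server or client. C, ST, O and OU must equal
# the CA's because the policy says "match"; that is what note 2 in 30.6.2.8 means.
issue_cert() {
    case "$2" in
        server) out="$1/server/server"; ext=v3_server ;;
        client) out="$1/users/$3"; ext=v3_client ;;
        *) echo "issue_cert: kind must be server or client" >&2; return 1 ;;
    esac
    openssl genrsa -out "$out.key" 2048 2>/dev/null
    chmod 600 "$out.key"
    openssl req -new -config "$1/conf/openssl.conf" -key "$out.key" \
        -subj "/C=CN/ST=bj/L=bj/O=bj/OU=bj/CN=$3" -out "$out.csr"
    openssl ca -batch -notext -config "$1/conf/openssl.conf" \
        -extensions "$ext" -in "$out.csr" -out "$out.crt"
}
# export_p12 DIR CN PASSWORD: the browser-importable bundle of 30.6.2.6
export_p12() {
    openssl pkcs12 -export -clcerts -in "$1/users/$2.crt" -inkey "$1/users/$2.key" \
        -out "$1/users/$2.p12" -passout "pass:$3"
}
# verify_against_ca CA_CRT CRT: succeeds only if CRT chains to CA_CRT, which is
# the decision ssl_verify_client on makes against ssl_client_certificate
verify_against_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
make_ca "$work/ca"
issue_cert "$work/ca" server www.etiantian.org
issue_cert "$work/ca" client client1
export_p12 "$work/ca" client1 export-pass
make_ca "$work/rogue"                   # a foreign CA with the same name but another key
issue_cert "$work/rogue" client client1
verify_against_ca "$work/ca/private/ca.crt" "$work/ca/users/client1.crt" && echo "client1 from our CA: accepted"
verify_against_ca "$work/ca/private/ca.crt" "$work/rogue/users/client1.crt" || echo "client1 from rogue CA: rejected"
echo "PKI written to $work/ca"
```

To try it against the running server, the command-line equivalent of the browser import is openssl s_client -connect www.etiantian.org:443 -cert client1.crt -key client1.key -CAfile ca.crt; with -cert and -key left out the handshake still completes but the HTTP response is the 400 Bad Request from 30.6.2.6, and curl --cert client1.p12:export-pass --cert-type P12 https://www.etiantian.org/ does the same with the PKCS#12 bundle. The rogue CA deliberately carries the same Distinguished Name as the real one: what makes the server reject its certificates is the signature check against ca.crt, not the name, which is why ca.key must be kept private.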
30.6.2.7 Verify the result again
Open https://www.etiantian.org in the browser. Once the certificate downloaded in the previous step has been added to the browser, the page loads normally.
(screenshot not reproduced)
Import the client.p12 you just downloaded from the server and that is all there is to it.
(screenshots of the import dialogs and the resulting page not reproduced)
30.6.2.8 Things to watch out for with Nginx SSL
1. You are prompted for passphrases while making the certificates; the passphrase of the server key (if it has one) and that of the client key do not have to be the same. Only the client key should get one (it protects the key until it is wrapped in the password-protected .p12); a passphrase on the server key makes Nginx prompt for it at every start.
2. The policy section of openssl.conf marks country, province, organization and organizational unit as "match", so those fields in the server and client requests must be identical to the CA's, otherwise openssl ca refuses to sign. City, e-mail address and Common Name may differ, and with the default unique_subject = yes openssl ca refuses to issue a second valid certificate with exactly the same subject, so give each client its own Common Name.
3. SSI is off in Nginx by default; the configuration above turns it on.

Note: this material comes from the class notes of Wang, a student at Oldboy Education (www.oldboyedu.com).
