1. Implementing mutual (two-way) authentication for HTTP over TLS
① Generate the CA certificate with OpenSSL
# cd /etc/pki/CA
# openssl genrsa -out private/my-ca.key 2048
: generate the CA private key (2048-bit RSA; the original command relied on the OpenSSL default size)
# openssl req -new -key private/my-ca.key -out private/my-ca.csr
: (optional) generate a certificate request; it is not used below, because the next command creates a self-signed certificate straight from the key
# openssl req -new -x509 -key /etc/pki/CA/private/my-ca.key -days 365 -out /etc/pki/CA/private/my-ca.crt
: create the self-signed CA certificate, written under private/ so the path matches the signing and Apache steps below
# touch index.txt
# echo 01 > serial
# mkdir -p newcerts
: create the CA database; openssl ca also refuses to run without the serial file and the newcerts directory named in openssl.cnf
# echo 01 > crlnumber
# openssl ca -gencrl -cert /etc/pki/CA/private/my-ca.crt -keyfile /etc/pki/CA/private/my-ca.key -out /etc/pki/CA/private/ca.crl -crldays 7 -config "/etc/pki/tls/openssl.cnf"
: create an (initially empty) certificate revocation list so that client certificates can be revoked later. The config file is openssl.cnf (not openssl.conf), -gencrl needs the crlnumber file, and -cert/-keyfile must be given because the stock config points at cacert.pem and private/cakey.pem, which do not exist under the names used here
② Generate the client certificate
# cd /etc/pki/CA
# mkdir users
# openssl genrsa -des3 -out /etc/pki/CA/users/client.key 2048
: create a passphrase-protected key for the client (2048-bit; the original 1024-bit size is rejected by current TLS stacks and should not be used)
# openssl req -new -key /etc/pki/CA/users/client.key -out /etc/pki/CA/users/client.csr
: generate a certificate request for the client key
# openssl ca -in /etc/pki/CA/users/client.csr -cert /etc/pki/CA/private/my-ca.crt -keyfile /etc/pki/CA/private/my-ca.key -out /etc/pki/CA/users/client.crt -config "/etc/pki/tls/openssl.cnf"
: sign the client's request with the CA key; the issued certificate is recorded in index.txt, which is what later allows it to be revoked
# openssl pkcs12 -export -inkey /etc/pki/CA/users/client.key -in /etc/pki/CA/users/client.crt -out /etc/pki/CA/users/client.p12
: bundle the certificate and key into a PKCS#12 file that browsers can import; set an export password when prompted, since the file contains the private key
# cd users
# ls
: client.key, client.csr, client.crt and client.p12 should now be present
③ Edit the configuration file
# vim /etc/httpd/conf.d/ssl.conf
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/www.crt
SSLCertificateKeyFile /etc/pki/tls/private/www.key
SSLCACertificateFile /etc/pki/CA/private/my-ca.crt
SSLVerifyClient require
SSLVerifyDepth 10
: www.crt and www.key are the server's own certificate and key (their creation is not shown here). SSLCACertificateFile names the CA that client certificates must chain to, and SSLVerifyClient require makes mod_ssl abort any TLS handshake that does not present a valid client certificate. SSLVerifyDepth 1 is enough for a single-level CA like this one. Note that mod_ssl does not consult the CRL created in step ① unless it is also given SSLCARevocationFile (pointing at ca.crl) and SSLCARevocationCheck chain; without them a revoked client certificate is still accepted. Restart httpd after editing.
④ Install the client certificate
# scp /etc/pki/CA/users/client.p12 root@192.168.2.10:/root/
: copy the PKCS#12 bundle to the client machine (the form is user@host:path, not host@path). The bundle contains the client's private key, so transfer it only over SSH and delete the copy once it has been imported.
Import the downloaded client certificate in Firefox's certificate manager (Your Certificates → Import), entering the export password chosen in step ②.
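The whole procedure of steps ① and ② as a runnable script, with the check that step ③'s SSLCARevocationFile directive would perform. This is an added example, not the page's own commands: it runs unprivileged in a scratch directory (CA_DIR, an assumption) with its own minimal openssl.cnf instead of /etc/pki/CA and /etc/pki/tls/openssl.cnf, the CN values, the function names and the PKCS#12 export password "changeit" are placeholders, and the page's file names (my-ca.key, my-ca.crt, client.key, client.crt, client.p12, ca.crl) are kept.

```shell
#!/bin/sh
# Added example (not from the original page): CA -> client certificate ->
# PKCS#12 -> CRL -> revocation, in a scratch directory rather than /etc/pki/CA.
# CA_DIR, the CN values and the export password are assumptions.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"

# Every openssl ca invocation needs the config plus the CA cert and key (as on the page).
run_ca() {
  openssl ca -config "$CA_DIR/openssl.cnf" \
    -cert "$CA_DIR/private/my-ca.crt" -keyfile "$CA_DIR/private/my-ca.key" "$@"
}

setup_ca() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/users" "$CA_DIR/newcerts"
  touch "$CA_DIR/index.txt"      # the CA database (the page's "touch index.txt")
  echo 01 > "$CA_DIR/serial"     # openssl ca will not sign without a serial file
  echo 01 > "$CA_DIR/crlnumber"  # and -gencrl needs a CRL number file
  cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca       = my_ca
[ my_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
default_md       = sha256
default_days     = 365
default_crl_days = 7
policy           = policy_cn
x509_extensions  = client_cert
[ policy_cn ]
commonName       = supplied
[ req ]
distinguished_name = req_dn
x509_extensions  = v3_ca
[ req_dn ]
commonName       = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
  # Self-signed root: -x509 issues the certificate straight from the key,
  # so the page's intermediate my-ca.csr is not needed.
  openssl genrsa -out "$CA_DIR/private/my-ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/private/my-ca.key" \
    -days 365 -subj "/CN=my-ca" -out "$CA_DIR/private/my-ca.crt"
}

issue_client() {   # $1 = client name, e.g. "client"
  openssl genrsa -out "$CA_DIR/users/$1.key" 2048 2>/dev/null   # 2048 bits, not the page's 1024
  openssl req -new -config "$CA_DIR/openssl.cnf" -key "$CA_DIR/users/$1.key" \
    -subj "/CN=$1" -out "$CA_DIR/users/$1.csr"
  run_ca -batch -notext -in "$CA_DIR/users/$1.csr" -out "$CA_DIR/users/$1.crt"
  # Bundle key + certificate into the PKCS#12 file the browser imports (step 4).
  openssl pkcs12 -export -inkey "$CA_DIR/users/$1.key" -in "$CA_DIR/users/$1.crt" \
    -passout pass:changeit -out "$CA_DIR/users/$1.p12"
}

gen_crl() {
  run_ca -gencrl -crldays 7 -out "$CA_DIR/private/ca.crl"
}

revoke_client() {  # mark the certificate revoked in index.txt, then publish a fresh CRL
  run_ca -revoke "$CA_DIR/users/$1.crt"
  gen_crl
}

# The check mod_ssl performs with SSLCACertificateFile + SSLCARevocationFile:
# chain to the CA and consult the CRL. Returns 0 only for a valid, unrevoked cert.
verify_client() {
  cat "$CA_DIR/private/my-ca.crt" "$CA_DIR/private/ca.crl" > "$CA_DIR/trust-bundle.pem"
  openssl verify -crl_check -CAfile "$CA_DIR/trust-bundle.pem" "$CA_DIR/users/$1.crt" 2>&1 \
    | grep -q ': OK$'
}

demo() {
  setup_ca
  issue_client client
  gen_crl
  verify_client client && echo "client.crt: valid"
  revoke_client client
  verify_client client || echo "client.crt: revoked"
}

case "${1:-}" in run) demo ;; esac
```

Run it with `sh mtls-ca.sh run`; the first verification succeeds and the second, after `openssl ca -revoke`, fails with "certificate revoked". Apache only reproduces that second result if ssl.conf points SSLCARevocationFile at the regenerated ca.crl and the CRL is reissued before its 7-day lifetime expires.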
For the same setup on a cloud host, see: https://help.aliyun.com/document_detail/54508.html