站長資訊網(wǎng)
        最全最豐富的資訊網(wǎng)站

        生成Nginx服務(wù)器SSL證書和客戶端證書

        Nginx服務(wù)器SSL證書
        生成pass key

        下面的命令用于生成一個2048bit的pass key, -passout pass:111111 用于避免交互式輸入密碼

        [tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:111111 -out server.pass.key 2048
        Generating RSA private key, 2048 bit long modulus
        ………..+++
        …………………+++
        e is 65537 (0x10001)

        生成key

        下面的命令用于生成私鑰, -passin pass:111111是和pass key的密碼對應(yīng)的, 用于避免交互式輸入密碼

        [tomcat@a02 tmp]$ openssl rsa -passin pass:111111 -in server.pass.key -out server.key
        writing RSA key

        生成證書簽發(fā)請求文件(CSR)

        下面的命令用于生成csr文件, 這里需要填寫機構(gòu)相關(guān)信息. 其中CN務(wù)必填寫為對應(yīng)的服務(wù)器域名. 最后那個challenge password, 是這個csr的password

        [tomcat@a02 tmp]$ openssl req -new -sha256 -key server.key -out server.csr
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter ‘.’, the field will be left blank.
        —–
        Country Name (2 letter code) [XX]:CN
        State or Province Name (full name) []:Beijing
        Locality Name (eg, city) [Default City]:Chaoyang
        Organization Name (eg, company) [Default Company Ltd]:HenSomeone
        Organizational Unit Name (eg, section) []:iSomeone   
        Common Name (eg, your name or your server’s hostname) []:internal.someone.com
        Email Address []:
         
        Please enter the following ‘extra’ attributes
        to be sent with your certificate request
        A challenge password []:222222
        An optional company name []:

        發(fā)送CSR文件給CA服務(wù)商簽發(fā)證書

        如果是購買的CA服務(wù)商的SSL證書服務(wù), 這一步把CSR發(fā)給服務(wù)商就可以了. 收到證書后將內(nèi)容寫入到 server.pem 文件

        在Nginx上這樣配置

        server {
            listen      443;
            server_name  www.example.com;
         
            ssl                  on;
            ssl_certificate      /path/to/ssl/server.pem;
            ssl_certificate_key  /path/to/ssl/server.key;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            ssl_session_cache shared:ssl_www_example_com:5m;
            ssl_session_timeout  5m;
            ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA;
            #…
            location / {
                #…
            }
            #…
        }

        制作自簽名證書

        如果是打算制作自簽名證書, 則進行如下的操作生成pem證書

        [tomcat@a02 tmp]$ openssl x509 -req -sha256 -days 3655 -in server.csr -signkey server.key -out server.pem
        Signature ok
        subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=iSomeone/CN=internal.someone.com
        Getting Private key

        Nginx客戶端驗證證書
        Nginx客戶端驗證證書和服務(wù)端SSL證書其實是沒關(guān)系的, 你可以一邊使用CA簽發(fā)的證書, 一邊使用自己制作的客戶端驗證證書.

        生成服務(wù)器端私鑰

        [tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out ca.pass.key 2048
        Generating RSA private key, 2048 bit long modulus
        …………………………………………………………………………………………………+++
        ……………………………..+++
        e is 65537 (0x10001)
         
        [tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in ca.pass.key -out ca.key
        writing RSA key

        生成服務(wù)器端證書

        下面的命令會生成服務(wù)器證書ca.pem, 用于配制到nginx.

        [tomcat@a02 tmp]$ openssl req -new -x509 -days 3655 -key ca.key -out ca.pem
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter ‘.’, the field will be left blank.
        —–
        Country Name (2 letter code) [XX]:CN
        State or Province Name (full name) []:Beijing
        Locality Name (eg, city) [Default City]:Chaoyang
        Organization Name (eg, company) [Default Company Ltd]:HenSomeone
        Organizational Unit Name (eg, section) []:iSomeone
        Common Name (eg, your name or your server’s hostname) []:internal.someone.com
        Email Address []:

        生成客戶端私鑰

        [tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out client_01.pass.key 2048
        Generating RSA private key, 2048 bit long modulus
        ……………………..+++
        …..+++
        e is 65537 (0x10001)
         
        [tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in client_01.pass.key -out client_01.key
        writing RSA key

        生成客戶端證書簽發(fā)請求CSR

        [tomcat@a02 tmp]$ openssl req -new -key client_01.key -out client_01.csr
        You are about to be asked to enter information that will be incorporated
        into your certificate request.
        What you are about to enter is what is called a Distinguished Name or a DN.
        There are quite a few fields but you can leave some blank
        For some fields there will be a default value,
        If you enter ‘.’, the field will be left blank.
        —–
        Country Name (2 letter code) [XX]:CN
        State or Province Name (full name) []:Beijing
        Locality Name (eg, city) [Default City]:Chaoyang
        Organization Name (eg, company) [Default Company Ltd]:HenSomeone
        Organizational Unit Name (eg, section) []:Staff
        Common Name (eg, your name or your server’s hostname) []:Staff
        Email Address []:
         
        Please enter the following ‘extra’ attributes
        to be sent with your certificate request
        A challenge password []:201907
        An optional company name []:

        簽發(fā)客戶端證書

        下面的命令, 用服務(wù)端的私鑰和服務(wù)端的證書, 對客戶端的CSR進行簽發(fā), 生成服務(wù)端證書. 這里有一個 -set_serial 01 的參數(shù), 如果簽發(fā)多個客戶端證書, 這個數(shù)字不能重復

        [tomcat@a02 tmp]$ openssl x509 -req -days 3655 -in client_01.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client_01.pem
        Signature ok
        subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=Staff/CN=Staff
        Getting CA Private Key

        客戶端證書格式轉(zhuǎn)換

        前面生成的證書, 不能直接用于常見的應(yīng)用, 需要轉(zhuǎn)換成應(yīng)用需要的格式

        Full PEM:

        [tomcat@a02 tmp]$ cat client_01.key client_01.pem ca.pem > client_01.full.pem

        PFX – 這里輸入的export password, 就是應(yīng)用導入PFX證書時需要輸入的密碼.

        [tomcat@a02 tmp]$ openssl pkcs12 -export -out client_01.full.pfx -inkey client_01.key -in client_01.pem -certfile ca.pem
        Enter Export Password:
        Verifying – Enter Export Password:

        配置Nginx的客戶端驗證證書

        ssl_client_certificate /path/to/ca.pem;
        ssl_verify_client optional; # or `on` if you require client key

        贊(0)
        分享到: 更多 (0)
        網(wǎng)站地圖   滬ICP備18035694號-2    滬公網(wǎng)安備31011702889846號
        主站蜘蛛池模板: 亚洲AV无码成人网站久久精品大| 国产精品99精品久久免费| 国产农村妇女毛片精品久久| 亚洲精品国产精品乱码视色| 欧美日韩国产精品系列| 国产乱人伦偷精品视频| 日本精品卡一卡2卡3卡四卡| 欧美日韩专区麻豆精品在线 | 九九精品在线观看| 四虎国产精品永久免费网址| 97国产视频精品| 国产成人精品久久二区二区| 91午夜精品亚洲一区二区三区| 1区1区3区4区产品芒果精品| 久久99精品久久久久久噜噜| 久久久久99精品成人片欧美| 久久免费的精品国产V∧| 久久精品国产一区二区三区| 久久国产精品99精品国产987| 国产精品亚洲精品日韩已方| 国产成人精品怡红院在线观看| 99国产精品私拍pans大尺度| 久久久久成人精品无码| 中文字幕久久精品| 精品亚洲成α人无码成α在线观看| 无码精品视频一区二区三区| 久久精品国产亚洲7777| 亚洲一区无码精品色| 久久久久国产成人精品亚洲午夜 | 亚洲精品WWW久久久久久| 国产精品玖玖美女张开腿让男人桶爽免费看 | 香蕉国产精品麻豆亚洲欧美日韩精品自拍欧美v国 | 色综合久久精品中文字幕首页| 欧美激情视频精品一区二区| 国产在线国偷精品免费看| 国产精品99爱免费视频| 99久久精品国产毛片| 性色精品视频网站在线观看| 中文字幕精品一区影音先锋| 精品亚洲永久免费精品| 亚洲国产精品久久|