NGINX SSL mutual authentication: issuing certificates to clients
Have NGINX verify the client's digital certificate
Generate the CA private key
openssl genrsa -out CA.key 2048
Generate the CA root certificate (public key)
openssl req -new -x509 -days 3650 -key CA.key -out CA.crt
Generate the client private key
openssl genrsa -out client.pem 1024   # note: 1024-bit RSA is below the 2048-bit minimum that current tooling and browsers expect
openssl rsa -in client.pem -out client.key
Create the signing request
openssl req -new -key client.pem -out client.csr
Sign the certificate with the CA
openssl x509 -req -sha256 -in client.csr -CA CA.crt -CAkey CA.key -CAcreateserial -days 3650 -out client.crt
Export a PKCS#12 (.p12) bundle that browsers can import
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Copy out client.p12; this file is the client's digital certificate (private key plus CA-signed certificate).
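The same CA-to-client pipeline as above, written as an added POSIX sh example (not the post's own commands) that runs without prompts and finishes with the check NGINX will perform at handshake time: does the client certificate chain to CA.crt? It uses 2048-bit keys, stamps the client certificate with a clientAuth extended key usage, and verifies that a certificate from a different CA is rejected. The directory layout, subject names, the 365-day client lifetime and the P12 password "changeit" are assumptions for the demo; it assumes the openssl CLI is installed.

```shell
#!/bin/sh
# Added example (not from the original post): build CA -> client certificate
# non-interactively, then validate the chain the way NGINX does.
set -eu

# make_mtls_pki DIR
# Creates CA.key/CA.crt and client.key/client.csr/client.crt/client.p12 in DIR.
make_mtls_pki() {
    dir=$1
    mkdir -p "$dir"

    # CA private key and self-signed root (10 years, as in the post)
    openssl genrsa -out "$dir/CA.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/CA.key" -out "$dir/CA.crt" \
        -subj "/CN=Example Internal CA"        # assumed CA subject

    # Client key (2048-bit rather than the post's 1024) and signing request
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=alice"                       # assumed client identity

    # Extensions for the issued cert: not a CA, and usable only as a TLS client
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    openssl x509 -req -sha256 -days 365 -in "$dir/client.csr" \
        -CA "$dir/CA.crt" -CAkey "$dir/CA.key" -CAcreateserial \
        -extfile "$dir/client.ext" -out "$dir/client.crt" 2>/dev/null

    # Browser-importable bundle (key + cert); the password is a placeholder
    openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
        -out "$dir/client.p12" -passout pass:changeit
}

# verify_against_ca CAFILE CERT
# Exit status 0 only if CERT chains to CAFILE and is acceptable as a TLS client cert.
# This is the check behind ssl_verify_client; a failure here is a handshake rejection.
verify_against_ca() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Demo run: MTLS_DEMO=1 sh this_script.sh
if [ "${MTLS_DEMO:-}" = 1 ]; then
    make_mtls_pki ./pki
    verify_against_ca ./pki/CA.crt ./pki/client.crt && echo "client.crt chains to CA.crt"
fi
```

The verify step is worth running after every issuance: the post's commands omit it, and a certificate that does not chain (wrong CA, expired, or missing intermediate) is exactly what produces the generic handshake error users report.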
NGINX configuration
On top of a server block that already has an SSL certificate configured, add:
ssl_client_certificate /path/to/CA.crt; # location of the CA root certificate
ssl_verify_client on; # require and verify a client certificate
Complete configuration example
server {
    server_name google.com;
    # Enable HTTP/2.0
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    # SSL Config
    ssl_certificate /path/to/certificate.cer;
    ssl_certificate_key /path/to/google.com.key;
    ssl_client_certificate /path/to/CA.crt;
    ssl_verify_client on;
    ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    location / {
        proxy_pass http://localhost:80;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
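With ssl_verify_client on, a client that sends no certificate or an untrusted one gets a bare 400 ("No required SSL certificate was sent") and the application never learns who connected. The added sh example below (not the post's configuration) writes a variant of the server block that uses optional verification, decides in the location block, answers failures with an explicit 403, forwards the verified client DN to the backend, and limits protocols to TLS 1.2/1.3. The output path, server name, certificate paths and upstream port are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): generate an NGINX server block
# for client-certificate authentication with explicit failure handling.
set -eu

# write_mtls_server_conf OUTFILE SERVER_NAME CA_CRT SERVER_CRT SERVER_KEY
write_mtls_server_conf() {
    out=$1; name=$2; ca=$3; crt=$4; key=$5
    # Unquoted heredoc: shell variables expand, NGINX variables are escaped as \$
    cat > "$out" <<EOF
server {
    server_name $name;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    ssl_certificate     $crt;
    ssl_certificate_key $key;

    # Trust anchor for client certs; depth 1 = signed directly by this CA
    ssl_client_certificate $ca;
    ssl_verify_client      optional;
    ssl_verify_depth       1;

    # TLS 1.0/1.1 dropped compared with the post's example
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        # "optional" lets the handshake complete so the decision is made here.
        # \$ssl_client_verify is SUCCESS, NONE (no cert sent) or FAILED
        # (with the reason appended in newer NGINX versions).
        if (\$ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://localhost:80;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        # Pass the authenticated identity to the application
        proxy_set_header X-Client-DN     \$ssl_client_s_dn;
        proxy_set_header X-Client-Verify \$ssl_client_verify;
    }
}
EOF
}

# Demo run: MTLS_DEMO=1 sh this_script.sh
if [ "${MTLS_DEMO:-}" = 1 ]; then
    write_mtls_server_conf ./mtls.conf example.internal \
        /etc/nginx/CA.crt /etc/nginx/server.crt /etc/nginx/server.key
    cat ./mtls.conf
fi
```

To exercise both paths from a shell, request the site once with the P12 from the issuance step (curl --cert client.p12:changeit --cert-type P12 https://example.internal/) and once without it; the first should reach the backend with an X-Client-DN header, the second should get the 403. Check nginx -t after writing the file, and make sure the backend strips any X-Client-* headers arriving from other sources so the identity cannot be spoofed around the proxy.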
One comment
June 21, 2019
破撸