Configuring NGINX for SSL mutual (two-way) authentication

1.1. Generate a CA private key: ca.key

    openssl genrsa -out ca.key 4096

1.2. Generate the CA's certificate: ca.crt (the Common Name can be anything; the other fields can be left as ".")

    openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config D:/software/nginx-1.15.8/conf/ssl/openssl.cnf

2.1. Generate the server private key: server.key

    openssl genrsa -out server.key 4096

2.2. Generate the server certificate signing request: server.csr (for Common Name enter the domain name used to reach the server; it is used in the nginx configuration and must not be the same as the CA's. Leave the other fields as ".")

    openssl req -new -key server.key -out server.csr -config D:/software/nginx-1.15.8/conf/ssl/openssl.cnf

2.3. Sign the server certificate with the CA private key: server.crt

    openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650

3.1. Generate the client private key: client.key

    openssl genrsa -out client.key 4096

3.2. Generate the client certificate signing request: client.csr (for Common Name enter the domain name used to reach the server; it is used in the nginx configuration and must not be the same as the CA's. Leave the other fields as ".")

    openssl req -new -key client.key -out client.csr -config D:/software/nginx-1.15.8/conf/ssl/openssl.cnf

3.3. Sign the client certificate with the CA private key: client.crt

    openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 3650

3.4. Export the client certificate in PKCS#12 (.p12) format, so it can be imported into a browser or OS keystore

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Related nginx configuration
    server {
        listen 443 ssl;                        # "ssl on;" is deprecated; the ssl parameter on listen replaces it
        server_name xuxiaobo.com;
        ssl_certificate ssl/server.crt;        # server certificate (public key)
        ssl_certificate_key ssl/server.key;    # server private key
        ssl_client_certificate ssl/ca.crt;     # CA certificate used to check that client certificates were issued by the same CA
        ssl_verify_client on;                  # mutual authentication: connections without a valid client certificate are rejected
        ssl_session_timeout 5m;
        ssl_protocols TLSv1.2 TLSv1.3;         # SSLv2/SSLv3/TLSv1/TLSv1.1 are obsolete and insecure; allow only these protocols
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;   # use this cipher suite list
        ssl_prefer_server_ciphers on;
        root D:/workspace/wwwroot80;

        location / {
            index index.php index.html index.htm;
            autoindex on;
            autoindex_exact_size off;
            autoindex_localtime on;
            if (!-e $request_filename) {
                rewrite ^/(.*) /index.php last;
            }
        }

        location ~ \.php$ {
            fastcgi_pass 127.0.0.1:9001;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            include fastcgi_params;
        }
    }
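The steps above are interactive (openssl req prompts for every subject field) and the nginx block only shows the result of the check, not the check itself. The following script is an added example, not part of the original post: it runs the same CA, server and client chain non-interactively with -subj, exports the client.p12 bundle, and then uses openssl verify to perform the check that nginx performs when ssl_client_certificate and ssl_verify_client on are set. Directory names, the "Example Test CA" name, the client Common Names and the p12 password are constructed for the example; the key size is reduced to 2048 bits only to keep the run short.

```shell
#!/bin/sh
# Added example (not the original post's code): non-interactive CA -> server -> client
# chain, plus the issuer check that nginx applies to client certificates.
set -eu

# mtls_build_pki DIR SERVER_CN CLIENT_CN
# Writes ca.key/ca.crt, server.key/server.crt, client.key/client.crt and client.p12 into DIR.
mtls_build_pki() {
    dir=$1; server_cn=$2; client_cn=$3
    mkdir -p "$dir"

    # 1. CA key and self-signed CA certificate. The CA subject must differ from the
    #    server and client subjects, as the post notes; identical subjects confuse chain building.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Test CA" 2>/dev/null

    # 2. Server key, CSR and CA-signed certificate (-subj replaces the interactive prompts).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/CN=$server_cn" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/server.crt" -days 3650 2>/dev/null

    # 3. Client key, CSR, CA-signed certificate and PKCS#12 bundle for import into a browser.
    openssl genrsa -out "$dir/client.key" 2048 2>/dev/null
    openssl req -new -key "$dir/client.key" -out "$dir/client.csr" \
        -subj "/CN=$client_cn" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/client.crt" -days 3650 2>/dev/null
    openssl pkcs12 -export -clcerts -in "$dir/client.crt" -inkey "$dir/client.key" \
        -out "$dir/client.p12" -passout pass:changeit 2>/dev/null   # constructed password
}

# mtls_verify CA_CRT CERT
# Returns 0 if CERT was signed by the CA in CA_CRT, 1 otherwise. This is the same
# chain check nginx makes against ssl_client_certificate before admitting a client.
mtls_verify() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Stand-alone run: build two independent CAs and show that a client certificate from
# the second CA is rejected by the first, even though both CAs carry the same name.
if [ "${MTLS_DEMO:-0}" = "1" ]; then
    work=$(mktemp -d)
    mtls_build_pki "$work/a" "xuxiaobo.com" "client-1"
    mtls_build_pki "$work/b" "xuxiaobo.com" "client-2"
    mtls_verify "$work/a/ca.crt" "$work/a/client.crt" && echo "own client: accepted"
    mtls_verify "$work/a/ca.crt" "$work/b/client.crt" || echo "foreign client: rejected"
fi
```

Run it with MTLS_DEMO=1 to see both outcomes. The rejected case matters for the nginx configuration: a client certificate whose issuer name matches the CA but whose signature was not made with ca.key fails the chain check, which is why only the CA certificate, never its private key, needs to be copied to the nginx host.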
Tags: crt, ssl, openssl, authentication, NGINX, client, key, SSL, server
From: https://www.cnblogs.com/xuxiaobo/p/17026718.html