生成Nginx服务器SSL证书和客户端证书
转自:https://www.cnblogs.com/milton/p/11078685.html
生成pass key
下面的命令用于生成一个2048bit的pass key, -passout pass:111111 用于避免交互式输入密码
[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:111111 -out server.pass.key 2048``Generating RSA private key, 2048 bit long modulus``...........+++``.....................+++``e is 65537 (0x10001)生成key
下面的命令用于生成私钥, -passin pass:111111是和pass key的密码对应的, 用于避免交互式输入密码
[tomcat@a02 tmp]$ openssl rsa -passin pass:111111 -``in` `server.pass.key -out server.key``writing RSA key生成证书签发请求文件(CSR)
下面的命令用于生成csr文件, 这里需要填写机构相关信息. 其中CN务必填写为对应的服务器域名. 最后那个challenge password, 是这个csr的password
[tomcat@a02 tmp]$ openssl req -new -sha256 -key server.key -out server.csr``You are about to be asked to enter information that will be incorporated``into your certificate request.``What you are about to enter is what is called a Distinguished Name or a DN.``There are quite a few fields but you can leave some blank``For some fields there will be a default value,``If you enter ``'.'``, the field will be left blank.``-----``Country Name (2 letter code) [XX]:CN``State or Province Name (full name) []:Beijing``Locality Name (eg, city) [Default City]:Chaoyang``Organization Name (eg, company) [Default Company Ltd]:HenSomeone``Organizational Unit Name (eg, section) []:iSomeone ``Common Name (eg, your name or your server's ``hostname``) []:internal.someone.com``Email Address []:` `Please enter the following ``'extra'` `attributes``to be sent with your certificate request``A challenge password []:222222``An optional company name []:发送CSR文件给CA服务商签发证书
如果是购买的CA服务商的SSL证书服务, 这一步把CSR发给服务商就可以了. 收到证书后将内容写入到 server.pem 文件
在Nginx上这样配置
server {`` ``listen 443;`` ``server_name www.example.com;` ` ``ssl on;`` ``ssl_certificate ``/path/to/ssl/server``.pem;`` ``ssl_certificate_key ``/path/to/ssl/server``.key;`` ``ssl_protocols TLSv1.2 TLSv1.1 TLSv1;`` ``ssl_session_cache shared:ssl_www_example_com:5m;`` ``ssl_session_timeout 5m;`` ``ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA;`` ``#...`` ``location / {`` ``#...`` ``}`` ``#...``}制作自签名证书
如果是打算制作自签名证书, 则进行如下的操作生成pem证书
[tomcat@a02 tmp]$ openssl x509 -req -sha256 -days 3655 -``in` `server.csr -signkey server.key -out server.pem``Signature ok``subject=``/C``=CN``/ST``=Beijing``/L``=Chaoyang``/O``=HenSomeone``/OU``=iSomeone``/CN``=internal.someone.com``Getting Private keyNginx客户端验证证书
Nginx客户端验证证书和服务端SSL证书其实是没关系的, 你可以一边使用CA签发的证书, 一边使用自己制作的客户端验证证书.
*生成服务器端私钥*
[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out ca.pass.key 2048``Generating RSA private key, 2048 bit long modulus``...............................................................................................................+++``...................................+++``e is 65537 (0x10001)` `[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -``in` `ca.pass.key -out ca.key``writing RSA key生成服务器端证书
下面的命令会生成服务器证书ca.pem, 用于配制到nginx.
[tomcat@a02 tmp]$ openssl req -new -x509 -days 3655 -key ca.key -out ca.pem``You are about to be asked to enter information that will be incorporated``into your certificate request.``What you are about to enter is what is called a Distinguished Name or a DN.``There are quite a few fields but you can leave some blank``For some fields there will be a default value,``If you enter ``'.'``, the field will be left blank.``-----``Country Name (2 letter code) [XX]:CN``State or Province Name (full name) []:Beijing``Locality Name (eg, city) [Default City]:Chaoyang``Organization Name (eg, company) [Default Company Ltd]:HenSomeone``Organizational Unit Name (eg, section) []:iSomeone``Common Name (eg, your name or your server's ``hostname``) []:internal.someone.com``Email Address []:生成客户端私钥
[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out client_01.pass.key 2048``Generating RSA private key, 2048 bit long modulus``..........................+++``.....+++``e is 65537 (0x10001)` `[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -``in` `client_01.pass.key -out client_01.key``writing RSA key生成客户端证书签发请求CSR
[tomcat@a02 tmp]$ openssl req -new -key client_01.key -out client_01.csr``You are about to be asked to enter information that will be incorporated``into your certificate request.``What you are about to enter is what is called a Distinguished Name or a DN.``There are quite a few fields but you can leave some blank``For some fields there will be a default value,``If you enter ``'.'``, the field will be left blank.``-----``Country Name (2 letter code) [XX]:CN``State or Province Name (full name) []:Beijing``Locality Name (eg, city) [Default City]:Chaoyang``Organization Name (eg, company) [Default Company Ltd]:HenSomeone``Organizational Unit Name (eg, section) []:Staff``Common Name (eg, your name or your server's ``hostname``) []:Staff``Email Address []:` `Please enter the following ``'extra'` `attributes``to be sent with your certificate request``A challenge password []:201907``An optional company name []:签发客户端证书
下面的命令, 用服务端的私钥和服务端的证书, 对客户端的CSR进行签发, 生成服务端证书. 这里有一个 -set_serial 01 的参数, 如果签发多个客户端证书, 这个数字不能重复
[tomcat@a02 tmp]$ openssl x509 -req -days 3655 -``in` `client_01.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client_01.pem``Signature ok``subject=``/C``=CN``/ST``=Beijing``/L``=Chaoyang``/O``=HenSomeone``/OU``=Staff``/CN``=Staff``Getting CA Private Key客户端证书格式转换
前面生成的证书, 不能直接用于常见的应用, 需要转换成应用需要的格式
Full PEM:
[tomcat@a02 tmp]$ ``cat` `client_01.key client_01.pem ca.pem > client_01.full.pemPFX – 这里输入的export password, 就是应用导入PFX证书时需要输入的密码.
[tomcat@a02 tmp]$ openssl pkcs12 -``export` `-out client_01.full.pfx -inkey client_01.key -``in` `client_01.pem -certfile ca.pem``Enter Export Password:``Verifying - Enter Export Password:配置Nginx的客户端验证证书
ssl_client_certificate ``/path/to/ca``.pem;``ssl_verify_client optional; ``# or `on` if you require client key