Nginx-ssl双向认证

Nginx-ssl双向认证

脚本-生成ca/server/client证书

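#!/bin/sh
#
# Generate the key material for an nginx mutual-TLS setup:
#   - a private CA (ca.key / ca.crt) that signs the server certificate,
#   - a server key/cert with a SAN for the domain, a wildcard and an IP,
#   - a separate client CA (client-ca.*) that signs a client certificate,
#   - a PKCS#12 bundle (client.pfx) of the client key + cert for browsers.
#
# Scratch files go to $WORK_DIR; the finished *.crt / *.key / client.pfx
# files are collected in ./$DOMAIN.  Both directories are wiped first.
#
# Plain POSIX sh: no bashisms are used.
set -eu

DOMAIN="biglovewheat.cn"
IP="192.168.0.23"

WORK_DIR=./temp
# ':?' aborts instead of running 'rm -rf' on an empty path.
rm -rf -- "${WORK_DIR:?}"
mkdir -p -- "$WORK_DIR"
rm -rf -- "./${DOMAIN:?}"

## CA
openssl genrsa -out "$WORK_DIR/ca.key" 4096

# Self-signed root; -nodes leaves ca.key unencrypted on disk.
openssl req -x509 -new -nodes -sha512 -days 3650 \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
  -key "$WORK_DIR/ca.key" \
  -out "$WORK_DIR/ca.crt"

## server
openssl genrsa -out "$WORK_DIR/server.key" 4096

openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=example/OU=Personal/CN=$DOMAIN" \
  -key "$WORK_DIR/server.key" \
  -out "$WORK_DIR/server.csr"

# Leaf-certificate extensions.  The SAN is what modern clients match the
# hostname against (CN alone is no longer sufficient).  Unquoted EOF so that
# $DOMAIN and $IP are expanded into the file.
cat > "$WORK_DIR/server.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=$DOMAIN
DNS.2=*.$DOMAIN
IP.1=$IP
EOF

## server visa (sign the CSR with the CA)
openssl x509 -req -sha512 -days 3650 \
  -extfile "$WORK_DIR/server.ext" \
  -CA "$WORK_DIR/ca.crt" -CAkey "$WORK_DIR/ca.key" -CAcreateserial \
  -in "$WORK_DIR/server.csr" \
  -out "$WORK_DIR/server.crt"


## client
# A dedicated client CA: nginx's ssl_client_certificate points at
# client-ca.crt, so only certificates issued by this CA are accepted.
openssl genrsa -out "$WORK_DIR/client-ca.key" 2048
openssl req -x509 -new -nodes -key "$WORK_DIR/client-ca.key" \
  -subj "/CN=ca.client" -days 3650 -out "$WORK_DIR/client-ca.crt"
openssl genrsa -out "$WORK_DIR/client.key" 2048
openssl req -new -key "$WORK_DIR/client.key" -subj "/CN=client" \
  -out "$WORK_DIR/client.csr"

# Mark the client cert as a non-CA leaf (same as server.ext) and restrict
# it to client authentication.
cat > "$WORK_DIR/client.ext" <<EOF
basicConstraints=CA:FALSE
extendedKeyUsage=clientAuth
EOF

openssl x509 -req -in "$WORK_DIR/client.csr" \
  -CA "$WORK_DIR/client-ca.crt" -CAkey "$WORK_DIR/client-ca.key" -CAcreateserial \
  -extfile "$WORK_DIR/client.ext" -out "$WORK_DIR/client.crt" -days 3650


## output
mkdir -p -- "./$DOMAIN"
# NOTE: this also copies ca.key and client-ca.key.  nginx only needs
# server.crt, server.key and client-ca.crt; keep the CA private keys off the
# web host and out of any directory that is deployed or checked in.
cp -- "$WORK_DIR"/*.crt "$WORK_DIR"/*.key "./$DOMAIN"

## convert to pfx
# Bundles client key + cert for import into a browser/OS store.
# -export prompts for an export password on the terminal.
openssl pkcs12 -export -inkey "./$DOMAIN/client.key" -in "./$DOMAIN/client.crt" -out "./$DOMAIN/client.pfx"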

nginx 配置

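# Plain-HTTP listener: redirect everything to HTTPS.
# ssl_verify_client only applies to TLS connections, so serving the same
# root on port 80 in the TLS server block (as the original did) would let
# anyone fetch the content without a client certificate.
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    # Server certificate/key issued by the script's CA (ca.crt).
    ssl_certificate /data/openssl-test/biglovewheat.cn/server.crt;
    ssl_certificate_key /data/openssl-test/biglovewheat.cn/server.key;

    # Mutual TLS: the client must present a certificate chaining to the
    # separate client CA; otherwise nginx answers
    # "400 No required SSL certificate was sent".
    ssl_client_certificate /data/openssl-test/biglovewheat.cn/client-ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 3;

    ssl_session_timeout 5m;
    # TLS 1.0/1.1 and the LOW/EXPORT/SSLv2 cipher groups of the original
    # list are deprecated; allow only TLS 1.2+ with strong ciphers.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        root /data/webapp/www;
        # Serve /path as /path.html when no such file exists.
        # 'last' ends rewrite processing, so the original trailing
        # 'break' was never reached and has been dropped.
        if (!-e $request_filename){
            rewrite ^(.*)$ /$1.html last;
        }
        # try_files $uri $uri/ /index.html;
        index index.html;
    }
}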

效果

不带client证书,报400-No required SSL certificate was sent

带client证书和key,正常访问

[root@hw-gz-1 biglovewheat.cn]# curl  https://www.biglovewheat.cn -k 
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.20.1</center>
</body>
</html>
[root@hw-gz-1 biglovewheat.cn]# curl --cert ./client.crt --key ./client.key https://www.biglovewheat.cn -k
www

windows浏览器访问

导出pfx格式,可加密码,双击安装后,重启浏览器即可

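## Final step of the script: convert to pfx format.
# Bundles the client key and certificate into a PKCS#12 file that Windows /
# browsers can import.  -export prompts for an export password on the
# terminal; that is the password asked for when installing the .pfx.
# $DOMAIN is the directory the script wrote the client files to.
openssl pkcs12 -export -inkey "./$DOMAIN/client.key" -in "./$DOMAIN/client.crt" -out "./$DOMAIN/client.pfx"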