目录
1. 编译安装GmSSL
系统:Centos7.9 安装依赖库
# yum list pcre 查看已安装和可升级版本
# yum install -y man-pages man-pages-overrides
# yum install -y autoconf automake gcc gcc-c++ wget zip unzip
# yum install -y pcre pcre-devel zlib zlib-devel perl perl-devel
https://github.com/guanzhi/GmSSL 下载 GmSSL-master.zip
#unzip GmSSL-master.zip
#cd GmSSL-master
#./config -d        // -v verbose级别日志, -d debug级别日志
#make
#make install
#ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
#ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
#ln -s /usr/local/include/openssl /usr/include/openssl
#gmssl version
GmSSL 2.5.4 - OpenSSL 1.1.0d 19 Jun 2019
/usr/local/ssl/openssl.cnf 存在[v3_ca] [v3_req],需要新增
[ v3enc_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = keyAgreement, keyEncipherment, dataEncipherment
2. GmSSL创建国密签名证书和加密证书
-set_serial 1000000001 证书的序列号指定为 1000000001(=0x3b9aca01)
-CAcreateserial 证书的序列号自动生成
1. 生成CA证书
#openssl ecparam -genkey -name sm2p256v1 -noout -out gm_root.key
// 不带-noout, 可以使用openssl ecparam -in gm_root.key -text查看信息
// 不带-noout, openssl ecparam -in gm_root.key -check 验证参数
#openssl req -new -key gm_root.key -out gm_root.req
-subj "/C=CN/ST=GuanDong/L=ShenZhen/O=NEW POS/OU=Sys Soft Dept/CN=Root"
#openssl x509 -req -days 3650 -sm3 -in gm_root.req -extfile /usr/local/ssl/openssl.cnf
-extensions v3_ca -signkey gm_root.key -out gm_root.crt
// 注意:下文贴出的各私钥已随文档公开,仅作示例,不得用于生产环境
[root@localhost certs]# cat gm_root.key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIPOW1kTgYxtZAVfM1wutQpFwUyGiwrmOmpE23ASNrKpboAoGCCqBHM9V
AYItoUQDQgAEe0c6WtUCk1+jAEOwMtpDhahbMZ0pTE9itTtx+wciFBtY9Py3RsfN
PlUTjWgb09RPvPN+2P16BtFkkRhw0K0dIg==
-----END EC PRIVATE KEY-----
[root@localhost certs]# cat gm_root.req
-----BEGIN CERTIFICATE REQUEST-----
MIIBDTCBtQIBADBTMQswCQYDVQQGEwJDTjERMA8GA1UECAwIR3VhbkRvbmcxETAP
BgNVBAcMCFNoZW5aaGVuMQ8wDQYDVQQKDAZORVdQT1MxDTALBgNVBAMvb3Qw
WTATBgcqhkjOPQIBBggqgRzPVQGCLQNCAAR7Rzpa1QKTX6MAQ7Ay2kOFqFsxnSlM
T2K1O3H7ByIUG1j0/LdGx80+VRONaBvT1E+8837Y/XoG0WSRGHDQrR0ioAAwCgYI
KoEcz1UBg3UDRwAwRAIgfuXn+O8JMkWSlZpItpeOPgdhKwdy8zRiK/Q+8KT/QvUC
IGaWNiYrtFdI+A+acGPQ2FdN4/i85hlDyAeXO8vHCDAq
-----END CERTIFICATE REQUEST-----
[root@localhost certs]# cat gm_root.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
转换为pkcs#8格式
#openssl pkcs8 -topk8 -inform PEM -in gm_root.key -outform pem
-out gm_root.pem -nocrypt
// 查看私钥信息 openssl ec -in gm_root.pem [-text]
[root@localhost certs]# cat gm_root.pem
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqBHM9VAYItBG0wAQQg85bWROBjG1kBV8zX
C61CkXBTIaLCuY6akTbcBI2sqluhRANCAAR7Rzpa1QKTX6MAQ7Ay2kOFqFsxnSlM
T2K1O3H7ByIUG1j0/LdGx80+VRONaBvT1E+8837Y/XoG0WSRGHDQrR0i
-----END PRIVATE KEY-----
通过私钥获取公钥
#openssl ec -pubout -in gm_root.key -out gm_root_public.pem
// 显示公钥信息 openssl ec -in gm_root_public.pem -pubin [-text]
[root@localhost certs]# cat gm_root_public.pem
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoEcz1UBgi0DQgAEe0c6WtUCk1+jAEOwMtpDhahbMZ0p
TE9itTtx+wciFBtY9Py3RsfNPlUTjWgb09RPvPN+2P16BtFkkRhw0K0dIg==
-----END PUBLIC KEY-----
生成pfx文件
#openssl pkcs12 -export -name CA-ROOT -in gm_root.crt
-inkey gm_root.key -out gm_root.pfx
2. Server签名证书
#openssl ecparam -genkey -name sm2p256v1 -noout -out gm_server_sg.key
#openssl req -new -SM3 -key gm_server_sg.key -out gm_server_sg.csr
-subj "/C=CN/ST=GD/L=ShenZhen/O=NEWPOS/OU=SysSoft Dept/CN=192.168.218.141"
*** 主机IP: 192.168.218.141 ******
#openssl x509 -req -SM3 -days 3650 -in gm_server_sg.csr -extfile /usr/local/ssl/openssl.cnf
-extensions v3_req -CA gm_root.crt -CAkey gm_root.key
-set_serial 1000000001 -out gm_server_sg.crt
[root@localhost certs]# cat gm_server_sg.key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIINiWDAR3IHndKIeWLlsoSUPmU9LE0rLttvHkwun5vFkoAoGCCqBHM9V
AYItoUQDQgAEEwW7JqADqS0rKBySAKPCvwBjNXvLMo0LPgqXoH9T5Ln6y/GBYiAh
2JFbuPfqGu20wXc/mtfs7BNzogDrHdJIeA==
-----END EC PRIVATE KEY-----
[root@localhost certs]# cat gm_server_sg.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBGTCBwAIBADBeMQswCQYDVQwJDTjERMA8GA1UECAwIR3VhbkRvbmcxETAP
BgNVBAcMCFNoZW5aaGVuMQ8wDQKDAZORVdQT1MxGDAWBgNVBAMMDzE5Mi4x
NjguMjE4LjE0MTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABBMFuyagA6ktKygc
kgCjwr8AYzV7yzKNCz4Kl6B/U+S5+svxgWIgIdiRW7j36hrttMF3P5rX7OwTc6IA
6x3SSHigADAKBggqgRzPVQGDdQNIADBFAiAgAXscStzZAfNsdIRUt89PyBr/s5dA
XO8TRqWm//XaDgIhAIXoK1rTfQ7+li99PxZMxnKmWt/unjRbE5LFxsHPiZ7S
-----END CERTIFICATE REQUEST-----
[root@localhost certs]# cat gm_server_sg.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
3. Server加密证书
#openssl ecparam -genkey -name sm2p256v1 -noout -out gm_server_en.key
#openssl req -new -SM3 -key gm_server_en.key -out gm_server_en.csr
-subj "/C=CN/ST=GuanDong/L=ShenZhen/O=NEW POS TECHNOLOGY LIMITED/OU=Sys Soft Dept/CN=192.168.218.141"
#openssl x509 -req -SM3 -days 3650 -in gm_server_en.csr
-extfile /usr/local/ssl/openssl.cnf
-extensions v3enc_req -CA gm_root.crt -CAkey gm_root.key
-set_serial 1000002001 -out gm_server_en.crt
[root@localhost certs]# cat gm_server_en.key
-----BEGIN EC PRIVATE KEY-----
MHcCAQEEIK0l3NWidqKF+ZNed5iu9kgKhEHDTb+hciRPelnBdHGvoAoGCCqBHM9V
AYItoUQDQgAElp0sj582uWI/j1sXsNSJMrCxHTzFA09c0gUa5g2ivQNJlTNGDV6p
u6pYdVK1lX9hyGEVAkDPd9ZAOFYK8k0xYQ==
-----END EC PRIVATE KEY-----
[root@localhost certs]# cat gm_server_en.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIBGDCBwAIBADBeMQswCQYDVQQGEDTjERMA8GA1UECAwIR3VhbkRvbmcxETAP
BgNVBAcMCFNoZW5aaGVuMQ8wDQYKDAZORVdQT1MxGDAWBgNVBAMMDzE5Mi4x
NjguMjE4LjE0MTBZMBMGByqGSM49AgEGCCqBHM9VAYItA0IABJadLI+fNrliP49b
F7DUiTKwsR08xQNPXNIFGuYNor0DSZUzRg1eqbuqWHVStZV/YchhFQJAz3fWQDhW
CvJNMWGgADAKBggqgRzPVQGDdQNHADBEAiAw9v38G9aZPl/OWpYOcGNKZygnO4
xfvyo11PqQ1jkwIgM1sgDG6Os0lLI7LxA0F9raWgEFCO3gIpGpHt6oz2Sgw=
-----END CERTIFICATE REQUEST-----
[root@localhost certs]# cat gm_server_en.crt
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
服务端证书链(证书排序:签名在前,加密后,CA证书最后):
# cat gm_server_sg.crt gm_server_en.crt gm_root.crt > gm_server.crt
[root@localhost certs]# cat gm_server.crt
-----BEGIN CERTIFICATE-----
MIIBvjCCAWOgAwIBAgIEO5rKATAKBggqgRzPVQGDdTBTMQswCQYDVQQGEwJDTjER
.........
DMGZtd1FQ8luz9ZdlHpexiVr
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBvTCCAWOgAwIBAgIEO5rR0TAKBggqgRzPVQGDdTBTMQswCQYDVQQGEwJDTjER
.........
pQJSMlocRBh+/DxBuj7FwC0=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB7zCCAZagAwIBAgIJAMN6EeNMRT/VMAoGCCqBHM9VAYN1MFMxCzAJBgNVBAYT
.........
LMDwqqqbFFO8U4YYB4jXA6rv9g==
-----END CERTIFICATE-----
验证:
#gmssl s_server -port 9443
-key ./gm_server_sg.key -cert ./gm_server_sg.crt
-dkey ./gm_server_en.key -dcert ./gm_server_en.crt
[-CAfile ./gm_root.crt]
#gmssl s_client -connect localhost:9443
#gmssl s_client -connect localhost:9443
-key ./gm_client_sg.key -cert ./gm_client_sg.crt [-CAfile ./gm_root.crt]
3. 编译安装Nginx
http://nginx.org/download/nginx-1.20.1.tar.gz 下载 nginx-1.20.1.tar.gz
#tar -zxvf nginx-1.20.1.tar.gz
#cd nginx-1.20.1
#./configure --help
#./configure --prefix=/usr/local/nginx1.20.1 --with-http_ssl_module --with-debug
#make && make install    // 注意是两个 &,单个 & 会把 make 放到后台,make install 随即开始
# /usr/local/nginx1.20.1/sbin/nginx -t 检查
# /usr/local/nginx1.20.1/sbin/nginx 启动nginx
#netstat -antup | grep nginx 查看监听端口
#ps aux | grep nginx 查看进程
关闭防火墙:systemctl stop firewalld.service (仅用于测试;生产环境应只放行所需端口,如 80、1443)
浏览器访问:http://192.168.218.141/
/usr/local/nginx1.20.1/conf/nginx.conf 设置日志为调试级别
error_log logs/error.log debug;
# /usr/local/nginx1.20.1/sbin/nginx -t 检查
# /usr/local/nginx1.20.1/sbin/nginx -s reload 重启
4. Nginx国密单向认证
/usr/local/nginx1.20.1/conf/nginx.conf新增
server {
listen 1443 ssl;
server_name www.xxxx.com;
# GmSSL dual-certificate setup: the signing certificate/key pair is configured
# first, the encryption certificate/key pair second (two ssl_certificate directives).
ssl_certificate /root/certs/gm_server_sg.crt; # signing certificate
ssl_certificate_key /root/certs/gm_server_sg.key;
ssl_certificate /root/certs/gm_server_en.crt; # encryption certificate
ssl_certificate_key /root/certs/gm_server_en.key;
# NOTE(review): the private key files live under /root/certs; keep them readable
# only by the user that loads them (e.g. mode 0600).
ssl_session_cache shared:SSL:1m; # enable the shared session cache, 1 MB
ssl_session_timeout 5m; # how long a client may reuse session parameters (unusable after the timeout)
#ssl_protocols TLSv1.2 TLSv1.3 GMTLS;
# NOTE(review): TLSv1 and TLSv1.1 are deprecated; confirm that GMTLS still
# negotiates with this list narrowed to TLSv1.2 before tightening it.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# list the supported ciphers with: openssl ciphers -s
ssl_ciphers ECDHE-SM2-WITH-SMS4-GCM-SM3:SM2-WITH-SMS4-SM3;
# pins the permitted cipher suites
ssl_prefer_server_ciphers on;
# prefer the server's cipher order over the client's during negotiation
location / {
root html;
index index.html index.htm;
}
}
# /usr/local/nginx1.20.1/sbin/nginx -t 检查
# /usr/local/nginx1.20.1/sbin/nginx -s reload 重启
360版浏览器:
https://browser.360.cn/se/ver/gmzb.html 需要在设置->安全设置中开启国密支持
可信浏览器:
https://dl.qianxin.com/c8a52014-99d3-57ff/国密开发者专版-20220208/qaxbrowser_1.1.40095.52.exe
浏览器验证:https://192.168.218.141:1443/
浏览器访问时使用的cipher: SM2-WITH-SMS4-SM3