1. 创建根证书密钥、服务器证书私钥、客户端证书私钥:
openssl genrsa -out root.key 2048
openssl genrsa -out server.key 2048
openssl genrsa -out client.key 2048
3. 创建证书申请请求
openssl req -new -key root.key -out root.csr
openssl req -new -key server.key -out server.csr
openssl req -new -key client.key -out client.csr
注意这三个csr文件,除了 COMMON NAME 不同,其他必填内容要相同。root.csr 的Common Name填root,server.csr和client.csr的都可以填成localhost或者本机ip:192.168.xx.yy。
4. 创建根证书,用根证书签发服务器证书和客户端证书
openssl x509 -req -in root.csr -signkey root.key -out root.crt
openssl x509 -req -days 365 -in server.csr -CA root.crt -CAkey root.key -set_serial 01 -out server.crt
openssl x509 -req -days 365 -in client.csr -CA root.crt -CAkey root.key -set_serial 01 -out client.crt
5. 配置nginx支持双向认证:
编辑nginx.conf文件:
ssl_certificate C://nginx-1.16.1//ssl//CA2//server.crt;
ssl_certificate_key C://nginx-1.16.1//ssl//CA2//server.key;
ssl_client_certificate C://nginx-1.16.1//ssl//CA2//root.crt;
ssl_verify_client on; #双向认证
6. 重启 nginx
注意在 windows 目录下一定要在 nginx.exe 所在目录下执行命令,否则会报错。
ngxin -s reload
7. 测试
这里使用 openssl 的 s_client 命令进行测试,注意命令执行后,TLS通道建立,命令行处于等待状态,需要手动输入 GET / 才会返回nginx的web页面。
C:\nginx-1.16.1\ssl\CA2>openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile root.crt
CONNECTED(000003E4)
Can't use SSL_get_servername
depth=1 C = cn, ST = sh, L = sh, O = bt, OU = test, CN = root
verify return:1
depth=0 C = cn, ST = sh, L = sh, O = bt, OU = test, CN = localhost
verify return:1
---
Certificate chain
0 s:C = cn, ST = sh, L = sh, O = bt, OU = test, CN = localhost
i:C = cn, ST = sh, L = sh, O = bt, OU = test, CN = root
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDHTCCAgUCAQEwDQYJKoZIhvcNAQELBQAwUjELMAkGA1UEBhMCY24xCzAJBgNV
BAgMAnNoMQswCQYDVQQHDAJzaDELMAkGA1UECgwCYnQxDTALBgNVBAsMBHRlc3Qx
DTALBgNVBAMMBHJvb3QwHhcNMjAwNTExMDg1MDQ1WhcNMjEwNTExMDg1MDQ1WjBX
MQswCQYDVQQGEwJjbjELMAkGA1UECAwCc2gxCzAJBgNVBAcMAnNoMQswCQYDVQQK
DAJidDENMAsGA1UECwwEdGVzdDESMBAGA1UEAwwJbG9jY