Shulou(Shulou.com)06/02 Report--

Nginx how to achieve two-way authentication, many novices are not very clear about this, in order to help you solve this problem, the following editor will explain in detail for you, people with this need can come to learn, I hope you can gain something.

Client certificate generation:

1) create the root certificate private key

Openssl genrsa-out root-key.key 2048

2) create a root certificate request file

Openssl req-new-out root-req.csr-key root-key.key

The details are as follows

[root@localhost sslKey] # openssl req-new-out root-req.csr-key root-key.keyYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name ora DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter'., the field will be left blank.-Country Name (2 letter code) [XX]: cnState or Province Name (full name) []: bjLocality Name (eg) City) [Default City]: bjOrganization Name (eg, company) [Default Company Ltd]: dcOrganizational Unit Name (eg, section) []: dcCommon Name (eg, your name or your server's hostname) []: rootEmail Address []: Please enter the following 'extra' attributesto be sent with your certificate requestA challenge password []: An optional company name []:

Among them, countries, provinces and cities, companies, etc., need to be consistent with the following certificates. Just enter the car directly at the back of challenge password.

3) self-signed root certificate

Openssl x509-req-in root-req.csr-out root-cert.cer-signkey root-key.key-CAcreateserial-days 3650

4) generate a root certificate in p12 format with a password of 123456

Openssl pkcs12-export-clcerts-in root-cert.cer-inkey root-key.key-out root.p12

At this point, the client certificate is generated.

We get root-cert.cer and root.p12, import root.p12 into the browser, and turn on client authentication in nignx

Server {listen 443; server_name abc.com; ssl on; ssl_certificate cert/server.pem; ssl_certificate_key cert/server.key; ssl_client_certificate cert/root.cer; # generate cer file ssl_verify_client on; # enable check ssl_session_timeout 5m Ssl_ciphers ECDHEmurRSAMELA128MuGCMMuSHA256 location location / {proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr Proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto https; proxy_pass http://192.168.0.138:8081;}} is it helpful for you to read the above content? If you want to know more about the relevant knowledge or read more related articles, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.