
How to use SSL to realize two-way Authentication in Nginx

2025-01-16 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

How do you use SSL to achieve two-way authentication in Nginx? This article walks through the steps in detail, in the hope of giving anyone facing this problem a simple and workable approach.

First create a directory

cd /etc/nginx
mkdir ssl
cd ssl

CA and self-signature

Make CA private key

openssl genrsa -out ca.key 2048

Make CA root certificate (public key)

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Note:

1. Common Name can be filled in at will.

2. Fill in the other requested information so as to avoid errors.

Server-side certificate

Make the server-side private key:

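# 2048-bit key, same size as the CA key (1024-bit RSA is too weak and is refused at OpenSSL security level 2)
openssl genrsa -out server.pem 2048
openssl rsa -in server.pem -out server.key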

Generate an issuance request:

openssl req -new -key server.pem -out server.csr

Note:

1. Common Name must be the domain name used to access the service. Here we use usb.dev, which the NGINX configuration below also uses.

2. Fill in the other requested information so as to avoid errors (it should match the CA root certificate).

Issue the certificate with the CA

openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt

Client certificate

Similar to server certificate

Note:

1. Common Name can be filled in at will.

2. Fill in the other requested information so as to avoid errors (it should match the CA root certificate).

Now that all the required certificates are ready, we can start to configure NGINX.

Nginx configuration

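server {
    # The ssl parameter on listen replaces the obsolete "ssl on;" directive
    listen 443 ssl;
    server_name usb.dev;
    index index.html;
    root /data/test/;

    ssl_certificate        /etc/nginx/ssl/server.crt;
    ssl_certificate_key    /etc/nginx/ssl/server.key;

    # CA certificate used to verify the certificates that clients present
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    # Require a valid client certificate on every connection
    ssl_verify_client      on;
}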
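The client-certificate step that the article leaves as "similar to server certificate", written out non-interactively together with an offline version of the chain check that ssl_verify_client performs against ssl_client_certificate. This is an added example, not part of the original article; the function names, subject names, 30-day lifetime and temporary directory are assumptions made for the demo.

```sh
#!/bin/sh
# Added example. Subject names, lifetimes and paths are constructed for the demo.

make_ca() {          # $1 = output prefix, $2 = CA common name
  openssl genrsa -out "$1.key" 2048 2>/dev/null &&
  openssl req -new -x509 -days 30 -key "$1.key" -subj "/CN=$2" -out "$1.crt"
}

issue_client() {     # $1 = CA prefix, $2 = client prefix, $3 = client common name
  openssl genrsa -out "$2.pem" 2048 2>/dev/null &&
  openssl req -new -key "$2.pem" -subj "/CN=$3" -out "$2.csr" &&
  openssl x509 -req -sha256 -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
    -CAcreateserial -days 30 -out "$2.crt" 2>/dev/null
}

# True only if the certificate chains to the given CA certificate.
chains_to() {        # $1 = CA certificate, $2 = certificate under test
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True only if the private key belongs to the certificate; worth checking
# before bundling the pair into a .p12 file for a browser.
key_matches() {      # $1 = certificate, $2 = private key
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

demo() {
  demo_dir=$(mktemp -d) || return 1
  make_ca "$demo_dir/ca" "Demo Root CA" &&
  make_ca "$demo_dir/other" "Unrelated CA" &&
  issue_client "$demo_dir/ca" "$demo_dir/client" "demo-client" &&
  issue_client "$demo_dir/other" "$demo_dir/outsider" "demo-client" || return 1
  chains_to "$demo_dir/ca.crt" "$demo_dir/client.crt" && echo "client.crt: chains to ca.crt"
  chains_to "$demo_dir/ca.crt" "$demo_dir/outsider.crt" || echo "outsider.crt: rejected, signed by another CA"
  key_matches "$demo_dir/client.crt" "$demo_dir/client.pem" && echo "client.pem matches client.crt"
  rm -rf "$demo_dir"
}

demo
```

The second certificate carries the same Common Name as the first but is signed by a different CA, which shows that acceptance depends on the issuing CA and not on the subject name.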

Request verification

Verification can be done either from another machine or locally. So that usb.dev can be resolved, you also need to add an entry to /etc/hosts:

<ip address> usb.dev

If you use a browser to verify, you need to export the client certificate to p12 format:

openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12

That covers how to use SSL in Nginx to achieve two-way authentication. I hope the above content is of some help to you.
