The method of configuring two-way Certificate Verification in nginx proxy Server 02/14 Update SLTechnology News&Howtos

The method of configuring two-way Certificate Verification in nginx proxy Server

2025-02-14 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >

Shulou(Shulou.com)06/02 Report--

Generate certificate chain

Generate a root certificate, an intermediate certificate (intermediate), and three client certificates with a script.

The script comes from (with modification)

Https://stackoverflow.com/questions/26759550/how-to-create-own-self-signed-root-certificate-and-intermediate-ca-to-be-importe

The domain name of the intermediate certificate is localhost.

#! / bin/bash-xset-efor C in `echo root-ca roomate`; do mkdir $C cd $C mkdir certs crl newcerts private cd. Echo 1000 > $C/serial touch $C/index.txt $C/index.txt.attr echo'[ca] default_ca = CA_default [CA_default] dir ='$C' # Where everything is keptcerts = $dir/certs # Where the issued certs are keptcrl_dir = $dir/crl # Where the issued crl are keptdatabase = $dir/index.txt # database index file.new_certs_dir = $dir/newcerts # default place for new certs.certificate = $dir/cacert.pem # The CA certificateserial = $dir/serial # The current serial numbercrl = $dir/crl.pem # The current CRLprivate_key = $dir/private/ca.key.pem # The private keyRANDFILE = $dir/.rnd # private random number filenameopt = default_cacertopt = default_capolicy = policy_matchdefault_days = 365default_md = sha256 [policy_match] countryName = optionalstateOrProvinceName = optionalorganizationName = optionalorganizationalUnitName = optionalcommonName = SuppliedemailAddress = optional[ req] req_extensions = v3_reqdistinguished_name = req_distinguished_ name [req _ distinguished_name] [v3_req] basicConstraints = CA:TRUE' > $C/openssl.confdoneopenssl genrsa-out root-ca/private/ca.key 2048openssl req-config root-ca/openssl.conf-new-x509-days 3650-key root-ca/private/ca.key-sha256-extensions v3_req-out root-ca/certs/ca.crt-subj'/ CN=Root-ca'openssl genrsa-out intermediate/ Private/intermediate.key 2048openssl req-config intermediate/openssl.conf-sha256-new-key intermediate/private/intermediate.key-out intermediate/certs/intermediate.csr-subj'/ CN=localhost.'openssl ca-batch-config root-ca/openssl.conf-keyfile root-ca/private/ca.key-cert root-ca/certs/ca.crt-extensions v3_req-notext-md sha256-in intermediate/certs/intermediate.csr-out intermediate/certs/intermediate.crtmkdir outfor I in `seq 1 3` Do openssl req-new-keyout out/$I.key-out out/$I.request-days 365-nodes-subj "/ CN=$I.example.com"-newkey rsa:2048 openssl ca-batch-config root-ca/openssl.conf-keyfile intermediate/private/intermediate.key-cert intermediate/certs/intermediate.crt-out out/$I.crt-infiles out/$I.requestdone

Server

Nginx configuration

Worker_processes 1 leads events {worker_connections 1024;} stream {upstream backend {server 127.0.0.1 stream 8080;} server {listen 8888 ssl; proxy_pass backend; ssl_certificate intermediate.crt; ssl_certificate_key intermediate.key; ssl_verify_depth 2; ssl_client_certificate root.crt; ssl_verify_client optional_no_ca;}}

Client

Curl\-I\-vv\-x https://localhost:8888/\-- proxy-cert client1.crt\-- proxy-key client1.key\-- proxy-cacert ca.crt\ https://www.baidu.com/

The above is the whole content of this article, I hope it will be helpful to your study, and I also hope that you will support it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.