2025-01-17 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains how to configure SSL two-way authentication in nginx, where the server also verifies the client's certificate. Many people have questions about this in day-to-day operations, so the editor consulted various materials and put together a simple, easy-to-follow procedure.
1. Install nginx
2. Use openssl to set up a certificate authority
Because openssl is used to set up a private certificate authority, make sure the following fields are identical in the certificate authority's certificate, the server certificate, and the client certificate:
Country name
State or province name
Locality name
Organization name
Organizational unit name
Edit the certificate authority configuration file
vim /etc/pki/tls/openssl.cnf
[ CA_default ]
dir = /etc/pki/ca
certs = $dir/certs # where the issued certs are kept
crl_dir = $dir/crl # where the issued crl are kept
database = $dir/index.txt # database index file.
# unique_subject = no # set to 'no' to allow creation of
# several certificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # the CA certificate
serial = $dir/serial # the current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # the current CRL
private_key = $dir/private/cakey.pem # the private key
RANDFILE = $dir/private/.rand # private random number file
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = cn
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = fj
localityName = Locality Name (eg, city)
localityName_default = fz
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zdz
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = zdz
Create the CA private key
cd /etc/pki/ca/private
(umask 077; openssl genrsa -out cakey.pem 2048)
Generate the self-signed CA certificate
cd /etc/pki/ca/
openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
3. Create a server certificate
mkdir /usr/local/nginx/ssl
cd /usr/local/nginx/ssl
# 1024-bit RSA keys are no longer considered secure; use at least 2048 bits
(umask 077; openssl genrsa -out nginx.key 2048)
openssl req -new -key nginx.key -out nginx.csr
openssl ca -in nginx.csr -out nginx.crt -days 3650
4. Create a client browser certificate
(umask 077; openssl genrsa -out client.key 2048)
openssl req -new -key client.key -out client.csr
openssl ca -in client.csr -out client.crt -days 3650
Convert the certificate from text format to a format that can be imported into a browser
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
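The CA workflow from steps 2 to 4, reproduced in a scratch directory as an added example (not from the original article). It assumes a constructed policy section, policy_demo, that requires the five subject fields listed in step 2 to match, plus made-up subjects and file names; it also creates the index.txt and serial files that openssl ca expects.

```shell
# Added example: scratch CA whose policy requires the five subject fields
# from step 2 to match the CA certificate. All names/values are constructed.
BASE="/C=CN/ST=FJ/L=FZ/O=zdz/OU=zdz"   # sample subject prefix
setup_ca() {
    d=$(mktemp -d) || return 1
    mkdir "$d/newcerts"
    : > "$d/index.txt"      # issued-certificate database; openssl ca needs it
    echo 01 > "$d/serial"   # next serial number; openssl ca needs it too
    cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ ca ]
default_ca = CA_default
[ CA_default ]
database = $d/index.txt
new_certs_dir = $d/newcerts
certificate = $d/cacert.pem
private_key = $d/cakey.pem
serial = $d/serial
default_md = sha256
default_days = 30
policy = policy_demo
[ policy_demo ]
countryName = match
stateOrProvinceName = match
localityName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/ca.cnf" \
        -addext "basicConstraints=critical,CA:TRUE" -subj "$BASE/CN=Demo CA" \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null
}

# issue NAME SUBJECT: create key and CSR, sign with the CA, verify the chain.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "$2" \
        -keyout "$d/$1.key" -out "$d/$1.csr" 2>/dev/null &&
    openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/$1.csr" \
        -out "$d/$1.crt" 2>/dev/null &&
    openssl verify -CAfile "$d/cacert.pem" "$d/$1.crt" >/dev/null 2>&1
}

setup_ca || exit 1
issue server "$BASE/CN=www.example.test" && echo "server: issued"
issue client "$BASE/CN=client01"         && echo "client: issued"
issue other "/C=CN/ST=FJ/L=FZ/O=other/OU=zdz/CN=x" || echo "other: refused by policy"
```

A request whose organization differs from the CA's is refused at the openssl ca step, which is the failure you see when the subject fields are not kept identical.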
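5. Configure nginx server verification
vim /usr/local/nginx/conf/nginx.conf
# on nginx 1.15.0 and later, use the ssl parameter of the listen directive instead of "ssl on;"
ssl on;
ssl_certificate /usr/local/nginx/ssl/nginx.crt;
ssl_certificate_key /usr/local/nginx/ssl/nginx.key;
# the CA certificate used to verify client certificates
ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
ssl_session_timeout 5m;
# ssl_verify_client on; # server verifies the client; temporarily disabled so that clients without certificates can still connect. One-way verification is completed first.
# SSLv2, SSLv3 and TLSv1 are obsolete and insecure; allow only current protocol versions
ssl_protocols TLSv1.2 TLSv1.3;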
Click "I Understand the Risks"
Click "Add Exception"
Click "Confirm Security Exception"
6. Configure two-way authentication
In the nginx configuration, enable ssl_verify_client on;
Access the site from a client browser that has no certificate installed
Import the certificate into the client browser
Download the client certificate generated on the Linux server to Windows
Open the Advanced tab in Firefox
In Certificate Manager, under "Your Certificates", click Import
Select the certificate and import it
Refresh the web page; when the "use confirmation" prompt pops up, click OK. Two-way verification is now in place.
This concludes the walkthrough of how to configure SSL two-way authentication in nginx. Combining theory with practice is the best way to learn, so go and try it.