For the underlying SSL/TLS concepts and principles, see the posts "OpenSSL 与 SSL 数字证书概念贴" and "SSL/TLS原理详解".
To keep the two roles distinct, the CA and the Nginx server are deployed on two separate machines:
CA: 192.168.1.100
Nginx: 192.168.1.101
1. Install OpenSSL on both CentOS servers
# install
[root@cd-dev01 ~]# yum install openssl openssl-devel
# or bring an existing installation up to date
[root@cd-dev01 ~]# yum update openssl openssl-devel
2. Configure the CA server (192.168.1.100)
Generate the private key for the self-signed CA certificate
# enter the CA directory (created by the openssl package)
[root@cd-dev01 ~]# cd /etc/pki/CA/
# generate the CA's RSA private key (2048 bits here)
[root@cd-dev01 CA]# openssl genrsa -out private/cakey.pem 2048
# restrict permissions: this key signs every certificate the CA will issue
[root@cd-dev01 CA]# chmod 600 private/cakey.pem
Use this key to generate the CA certificate. For convenience, first set some default values in the OpenSSL configuration file
# edit the configuration file
[root@cd-dev01 CA]# vim /etc/pki/tls/openssl.cnf
Change the following (excerpt):
# locate this section (around line 128); these values are offered as defaults and written into the certificate subject when signing
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
# default country
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
# default province
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
# default city
localityName_default = ChengDu
0.organizationName = Organization Name (eg, company)
# default organization (company) name
0.organizationName_default = SkyGuard
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
# default organizational unit name
organizationalUnitName_default = BigData
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
Generate the self-signed CA certificate (with the stock openssl.cnf, -x509 applies the [ v3_ca ] extensions, so the certificate is marked CA:TRUE):
# use the key just generated to create a certificate valid for 10 years
[root@cd-dev01 CA]# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# the following fields take the defaults configured above, so just press Enter
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
# the CA's name; a name resolvable in DNS is recommended (anything will do for a test)
Common Name (eg, your name or your server's hostname) []:ca.skyguard.com.cn
# administrator e-mail (anything will do for a test)
Email Address []:ca@skyguard.com.cn
Create the following two files, which openssl ca requires
# the database of issued certificates
[root@cd-dev01 CA]# touch index.txt
# serial number of the next certificate; openssl ca increments it after each issuance. Starting at 00 gives the first certificate serial 0, which RFC 5280 does not allow (serial numbers must be positive); start at 01 for a compliant CA
[root@cd-dev01 CA]# echo "00" > serial
3. Configure the Nginx server (192.168.1.101) for one-way (server-only) HTTPS authentication
Build and install Nginx from source
[root@cd-dev02 ~]# wget http://nginx.org/download/nginx-1.11.12.tar.gz
[root@cd-dev02 ~]# tar -zvxf nginx-1.11.12.tar.gz
[root@cd-dev02 ~]# cd nginx-1.11.12
# the ssl module must be compiled in
[root@cd-dev02 nginx-1.11.12]# ./configure --with-http_ssl_module
[root@cd-dev02 nginx-1.11.12]# make
[root@cd-dev02 nginx-1.11.12]# make install
# enter the Nginx directory
[root@cd-dev02 nginx-1.11.12]# cd /usr/local/nginx
Configure Nginx for SSL
# create a directory for the SSL files and enter it
[root@cd-dev02 nginx]# mkdir ssl
[root@cd-dev02 nginx]# cd ssl
# generate the server's private key; it never leaves this machine
[root@cd-dev02 ssl]# openssl genrsa 2048 > httpd.key
# restrict permissions
[root@cd-dev02 ssl]# chmod 600 httpd.key
# generate a certificate signing request (CSR) to send to the CA
[root@cd-dev02 ssl]# openssl req -new -key httpd.key -out httpd.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
# these fields must match the CA certificate: the default [ policy_match ] policy in openssl.cnf requires the countryName, stateOrProvinceName and organizationName of a request to be identical to the CA's, otherwise openssl ca refuses to sign
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) [Default City]:ChengDu
Organization Name (eg, company) [Default Company Ltd]:SkyGuard
Organizational Unit Name (eg, section) []:BigData
# the virtual host name in Nginx; the certificate only matches requests for this name
Common Name (eg, your name or your server's hostname) []:nginx.skyguard.com.cn
# administrator e-mail
Email Address []:nginx@skyguard.com.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
# optional challenge password; leave it empty
A challenge password []:
An optional company name []:
# copy the CSR to the CA server
[root@cd-dev02 ssl]# scp httpd.crq 192.168.1.100:/tmp/
Log in to the CA server (192.168.1.100), change to the CA directory and sign the request. Two things are worth noticing in the output: the issued subject has no localityName, because the stock [ policy_match ] policy has no entry for that field and silently drops it, and no subjectAltName extension is added, so browsers that no longer fall back to the commonName (Chrome since version 58) reject the certificate for nginx.skyguard.com.cn even once the CA is trusted
[root@cd-dev01 CA]# openssl ca -in /tmp/httpd.crq -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 25 05:25:03 2017 GMT
Not After : Mar 23 05:25:03 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = SiChuan
organizationName = SkyGuard
organizationalUnitName = BigData
commonName = nginx.skyguard.com.cn
emailAddress = nginx@skyguard.com.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F2:09:FE:0E:53:0D:00:1C:DB:FA:0D:B0:2F:76:A4:4E:5E:23:18:3C
X509v3 Authority Key Identifier:
keyid:C2:C4:46:FB:37:A8:8E:CF:38:E7:72:2F:E1:7B:35:0F:22:23:19:1D
Certificate is to be certified until Mar 23 05:25:03 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# copy the certificate back to the ssl directory on the Nginx server
[root@cd-dev01 CA]# scp /tmp/httpd.crt 192.168.1.101:/usr/local/nginx/ssl/
# remove the request and certificate from /tmp on the CA server (openssl ca keeps its own copy under newcerts/)
[root@cd-dev01 CA]# rm -rf /tmp/httpd.crq /tmp/httpd.crt
Log in to the Nginx server (192.168.1.101) and configure Nginx
[root@cd-dev02 nginx]# vim conf/nginx.conf
# add the following virtual host. Two corrections to the widely copied template: "ssl on;" is redundant once "listen 443 ssl;" is used (and deprecated since nginx 1.15.0), and the Apache-style protocol and cipher lines enabled SSLv3 (broken by POODLE) together with RC4, LOW and EXPORT suites. The values below restrict the server to TLS 1.2 with Nginx's default cipher list
server {
    listen 443 ssl;
    server_name nginx.skyguard.com.cn;
    # relative paths are resolved against conf/, i.e. /usr/local/nginx/ssl/
    ssl_certificate ../ssl/httpd.crt;
    ssl_certificate_key ../ssl/httpd.key;
    # add TLSv1.3 on nginx 1.13+ built against OpenSSL 1.1.1+
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
# start Nginx
[root@cd-dev02 nginx]# ./sbin/nginx
Then open https://nginx.skyguard.com.cn in a browser, with the name mapped to 192.168.1.101 in the hosts file as described in step 5. Opening https://192.168.1.101 by IP address produces a name-mismatch warning because the certificate is issued for nginx.skyguard.com.cn, every browser warns until cacert.pem has been imported as a trusted root, and Chrome 58 and later additionally reject the certificate because it carries no subjectAltName.
4. Configure the Nginx server (192.168.1.101) for two-way (mutual) HTTPS authentication
Generate a client certificate on the CA server (192.168.1.100). Generating the client's key on the CA keeps the test short; in production the client should generate its own key and submit only a CSR, so that the CA never holds a client private key
[root@cd-dev01 CA]# mkdir users
[root@cd-dev01 CA]# openssl genrsa 2048 > users/client.key
Generating RSA private key, 2048 bit long modulus
.............+++
......................+++
e is 65537 (0x10001)
[root@cd-dev01 CA]# openssl req -new -key ./users/client.key -out ./users/client.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
Common Name (eg, your name or your server's hostname) []:client.skyguard.com.cn
Email Address []:client@skyguard.com.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cd-dev01 CA]# openssl ca -in ./users/client.crq -out ./users/client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 25 06:17:27 2017 GMT
Not After : Mar 23 06:17:27 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = SiChuan
organizationName = SkyGuard
organizationalUnitName = BigData
commonName = client.skyguard.com.cn
emailAddress = client@skyguard.com.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C9:00:A4:37:14:80:FC:30:DC:7A:88:D4:03:09:7C:90:34:91:F5:7C
X509v3 Authority Key Identifier:
keyid:C2:C4:46:FB:37:A8:8E:CF:38:E7:72:2F:E1:7B:35:0F:22:23:19:1D
Certificate is to be certified until Mar 23 06:17:27 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# export to PKCS#12, the format browsers import; the bundle contains the private key, so protect it with a real export password while it travels to the client
[root@cd-dev01 CA]# openssl pkcs12 -export -clcerts -in ./users/client.crt -inkey ./users/client.key -out ./users/client.p12
# pressing Enter twice gives an empty password (works, but not recommended; see above)
Enter Export Password:
Verifying - Enter Export Password:
# copy the CA's self-signed certificate to the Nginx server; Nginx uses it to verify client certificates
[root@cd-dev01 CA]# scp cacert.pem 192.168.1.101:/usr/local/nginx/ssl/
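The CA-side procedure of steps 2 and 4 (CA key and self-signed certificate, index.txt and serial, CSR, signing with openssl ca, PKCS#12 export) as one non-interactive script. This is an added example, not the post's own commands. It assumes the post's DN and host names, a demo export password of changeit and an 825-day lifetime, and writes its own openssl.cnf in a scratch directory instead of editing /etc/pki/tls/openssl.cnf, so it needs no root and leaves the system CA directory alone. It goes beyond the post in two ways: the server certificate gets a subjectAltName, and each certificate gets an extendedKeyUsage, which lets openssl verify -purpose show that the client certificate cannot be used as a server certificate.

```shell
#!/bin/sh
# Added example (not the post's own commands): the private CA of steps 2 and 4,
# driven non-interactively from its own openssl.cnf. It issues a server
# certificate with a subjectAltName and a client certificate limited to
# clientAuth, exports the client identity as PKCS#12 and checks both with
# openssl verify. DN, host names, password and lifetimes are demo assumptions.
set -eu
DN_BASE="/C=CN/ST=SiChuan/L=ChengDu/O=SkyGuard/OU=BigData"
# make_ca <dir>: index.txt/serial/newcerts layout, CA config and self-signed root
make_ca() {
    dir=$1
    mkdir -p "$dir/private" "$dir/newcerts" && chmod 700 "$dir/private"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"   # start at 1: RFC 5280 serial numbers must be positive
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir            = $dir
database       = \$dir/index.txt
serial         = \$dir/serial
new_certs_dir  = \$dir/newcerts
certificate    = \$dir/cacert.pem
private_key    = \$dir/private/cakey.pem
default_md     = sha256
policy         = policy_match
unique_subject = no
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = optional   # the stock policy omits this, dropping L from the subject
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
prompt             = no
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null
    chmod 600 "$dir/private/cakey.pem"
    openssl req -new -x509 -config "$dir/openssl.cnf" -key "$dir/private/cakey.pem" \
        -subj "$DN_BASE/CN=ca.skyguard.com.cn" -days 3650 -out "$dir/cacert.pem"
}
# issue_cert <cadir> <outdir> <name> <server|client>: key and CSR are made on the
# subject's side; the CA signs with a per-request extension file (openssl ca -extfile)
issue_cert() {
    cadir=$1 out=$2 name=$3 kind=$4
    openssl genrsa -out "$out/$name.key" 2048 2>/dev/null
    chmod 600 "$out/$name.key"
    openssl req -new -config "$cadir/openssl.cnf" -key "$out/$name.key" \
        -subj "$DN_BASE/CN=$name" -out "$out/$name.csr"
    {
        echo "basicConstraints = CA:FALSE"
        echo "subjectKeyIdentifier = hash"
        echo "authorityKeyIdentifier = keyid"
        if [ "$kind" = server ]; then
            echo "keyUsage = critical, digitalSignature, keyEncipherment"
            echo "extendedKeyUsage = serverAuth"
            echo "subjectAltName = DNS:$name"   # browsers match the SAN, not the CN
        else
            echo "keyUsage = critical, digitalSignature"
            echo "extendedKeyUsage = clientAuth"
        fi
    } > "$out/$name.ext"
    openssl ca -batch -notext -days 825 -config "$cadir/openssl.cnf" \
        -extfile "$out/$name.ext" -in "$out/$name.csr" -out "$out/$name.crt"
}
# verify_cert <cadir> <crt> <sslserver|sslclient>: the relying party's chain check,
# including whether keyUsage/extendedKeyUsage allow the certificate in that role
verify_cert() {
    openssl verify -CAfile "$1/cacert.pem" -purpose "$3" "$2" >/dev/null
}
# demo <workdir>: run the whole flow; returns non-zero if any check fails
demo() {
    w=$1
    make_ca "$w/CA"
    mkdir -p "$w/ssl" "$w/users"
    issue_cert "$w/CA" "$w/ssl"   nginx.skyguard.com.cn  server
    issue_cert "$w/CA" "$w/users" client.skyguard.com.cn client
    # browser import format; use a real password, the file contains the private key
    openssl pkcs12 -export -clcerts -in "$w/users/client.skyguard.com.cn.crt" -inkey \
        "$w/users/client.skyguard.com.cn.key" -passout pass:changeit -out "$w/users/client.p12"
    verify_cert "$w/CA" "$w/ssl/nginx.skyguard.com.cn.crt"    sslserver
    verify_cert "$w/CA" "$w/users/client.skyguard.com.cn.crt" sslclient
    # the client certificate must not pass as a server certificate: the EKU pins its role
    if verify_cert "$w/CA" "$w/users/client.skyguard.com.cn.crt" sslserver 2>/dev/null; then
        echo "client certificate unexpectedly accepted for sslserver" >&2; return 1
    fi
}
demo "${1:-$(mktemp -d)}" && echo "CA, server and client certificates issued and verified"
```

Run it as sh ca_demo.sh [dir]; without an argument it works in a fresh temporary directory. The localityName = optional line is what keeps L=ChengDu in the issued subject; the stock [ policy_match ] has no entry for it, which is why the transcript above shows no localityName. -batch answers the two openssl ca prompts, and -extfile supplies the extensions for each request instead of relying on the global x509_extensions setting, so the same CA config issues both server and client certificates with different key usages.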
On the Nginx server (192.168.1.101), enable mutual authentication
[root@cd-dev02 nginx]# vim conf/nginx.conf
# modify the one-way virtual host (same protocol and cipher corrections as in step 3: no "ssl on;", no SSLv3, no RC4/LOW/EXPORT suites)
server {
    listen 443 ssl;
    server_name nginx.skyguard.com.cn;
    ssl_certificate ../ssl/httpd.crt;
    ssl_certificate_key ../ssl/httpd.key;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # require a client certificate whose chain ends at cacert.pem;
    # a client that presents none gets "400 Bad Request"
    ssl_client_certificate ../ssl/cacert.pem;
    ssl_verify_depth 1;
    ssl_verify_client on;
    # revocation is not checked unless a CRL from the CA is configured, e.g.
    # ssl_crl ../ssl/crl.pem;
    # without it every certificate this CA ever issued is accepted until it expires
    location / {
        root html;
        index index.html index.htm;
    }
}
# Nginx is already running from step 3, so reload the configuration instead of starting a second instance
[root@cd-dev02 nginx]# ./sbin/nginx -s reload
5. Access the mutually authenticated server from Chrome
Edit the Windows hosts file (C:\Windows\System32\drivers\etc\hosts) and add the following line
192.168.1.101 nginx.skyguard.com.cn
Import the certificates into the browser: Settings => Show advanced settings => Manage certificates
Click Import and choose client.p12 (the client identity); importing cacert.pem as a trusted root authority in the same dialog also removes the warning about the server certificate
Keep clicking Next until the wizard finishes, then enter in the browser: