SSL相關概念及原料請參考OpenSSL 與 SSL 數字證書概念貼、SSL/TLS原理詳解
為了便于理解,我們將CA服務器與Nginx服務器部署在兩臺不同的機器上:
CA: 192.168.1.100
Nginx: 192.168.1.101
1. 在兩臺CentOS服務器上安裝OpenSSL軟件
# 安裝命令
[root@cd-dev01 ~]# yum install openssl openssl-devel
# 更新命令
[root@cd-dev01 ~]# yum update openssl openssl-devel
2. 配置CA服務器(192.168.1.100)
生成自簽署證書的密鑰
# 進入證書目錄(安裝了OpenSSL軟件就會存在該目錄)
[root@cd-dev01 ~]# cd /etc/pki/CA/
# 使用rsa加密算法生成自簽署證書的密鑰(此處指定密鑰長度為2048)
[root@cd-dev01 CA]# openssl genrsa -out private/cakey.pem 2048
# 修改權限,增加安全性
[root@cd-dev01 CA]# chmod 600 private/cakey.pem
利用密鑰生成CA服務器的證書文件, 為了方便,首先在OpenSSL配置文件中設置一些默認值
# 編輯配置文件
[root@cd-dev01 CA]# vim /etc/pki/tls/openssl.cnf
修改內容如下(部分內容):
# 找到如下部分,在簽署證書時證書中會寫入如下內容(大概128行)
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
# 配置默認國家
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
# 默認省份名稱
stateOrProvinceName_default = SiChuan
localityName = Locality Name (eg, city)
# 默認城市名稱
localityName_default = ChengDu
0.organizationName = Organization Name (eg, company)
# 默認公司名稱
0.organizationName_default = SkyGuard
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
# 默認組織單位名稱
organizationalUnitName_default = BigData
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
生成自簽署證書:
#用剛剛生成的密鑰文件生成一個有效期為10年的證書
[root@cd-dev01 CA]# openssl req -new -x509 -key ./private/cakey.pem -out cacert.pem -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
#以下幾項使用剛剛配置的默認值,所以直接回車
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
# 此處配置CA服務器名字,建議使用DNS上能查找到的域名(測試可隨便指定)
Common Name (eg, your name or your server's hostname) []:ca.skyguard.com.cn
# 此處設置管理員郵箱(測試可隨便指定)
Email Address []:ca@skyguard.com.cn
創建如下兩個文件
# 創建存放頒發證書的數據庫文件
[root@cd-dev01 CA]# touch index.txt
# 當前頒發證書的序列號文件,頒發下一個證書時會自動加1
[root@cd-dev01 CA]# echo "00" > serial
3. 配置Nginx服務器(192.168.1.101)Https單向認證
編譯安裝Nginx服務器
[root@cd-dev02 ~]# wget http://nginx.org/download/nginx-1.11.12.tar.gz
[root@cd-dev02 ~]# tar -zvxf nginx-1.11.12.tar.gz
[root@cd-dev02 ~]# cd nginx-1.11.12
#一定要將ssl模塊編譯進去
[root@cd-dev02 nginx-1.11.12]# ./configure --with-http_ssl_module
[root@cd-dev02 nginx-1.11.12]# make
[root@cd-dev02 nginx-1.11.12]# make install
# 進入到Nginx目錄
[root@cd-dev02 nginx-1.11.12]# cd /usr/local/nginx
配置Nginx服務器支持ssl
# 創建存放ssl相關文件的目錄,并進入目錄
[root@cd-dev02 nginx]# mkdir ssl
[root@cd-dev02 nginx]# cd ssl
# 生成本地密鑰(注意: 用 > 重定向生成的文件會先以默認umask的權限存在,下一步才chmod;可先執行 umask 077 或改用 -out 參數輸出)
[root@cd-dev02 ssl]# openssl genrsa 2048 > httpd.key
# 修改權限,增加安全性
[root@cd-dev02 ssl]# chmod 600 httpd.key
# 生成證書申請文件,以便傳入CA服務器申請證書
[root@cd-dev02 ssl]# openssl req -new -key httpd.key -out httpd.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
#以下幾項與CA服務器信息保持一致
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) [Default City]:ChengDu
Organization Name (eg, company) [Default Company Ltd]:SkyGuard
Organizational Unit Name (eg, section) []:BigData
# Nginx中虛擬主機名,只對該虛擬主機的請求加密
Common Name (eg, your name or your server's hostname) []:nginx.skyguard.com.cn
# 管理員郵箱
Email Address []:nginx@skyguard.com.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
# 設置單獨密碼,忽略即可
A challenge password []:
An optional company name []
# 將證書申請文件傳輸到CA服務器,
[root@cd-dev02 ssl]# scp httpd.crq 192.168.1.100:/tmp/
登錄到CA服務器(192.168.1.100)對證書進行簽署,切換到CA目錄
[root@cd-dev01 CA]# openssl ca -in /tmp/httpd.crq -out /tmp/httpd.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 0 (0x0)
Validity
Not Before: Mar 25 05:25:03 2017 GMT
Not After : Mar 23 05:25:03 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = SiChuan
organizationName = SkyGuard
organizationalUnitName = BigData
commonName = nginx.skyguard.com.cn
emailAddress = nginx@skyguard.com.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
F2:09:FE:0E:53:0D:00:1C:DB:FA:0D:B0:2F:76:A4:4E:5E:23:18:3C
X509v3 Authority Key Identifier:
keyid:C2:C4:46:FB:37:A8:8E:CF:38:E7:72:2F:E1:7B:35:0F:22:23:19:1D
Certificate is to be certified until Mar 23 05:25:03 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
# 將證書傳回Nginx服務器的ssl目錄中
[root@cd-dev01 CA]# scp /tmp/httpd.crt 192.168.1.101:/usr/local/nginx/ssl/
# 刪除CA服務器上的crq與crt文件
[root@cd-dev01 CA]# rm -rf /tmp/httpd.crq /tmp/httpd.crt
登錄到Nginx服務器(192.168.1.101)配置Nginx
[root@cd-dev02 nginx]# vim conf/nginx.conf
# 增加如下虛擬主機
server {
listen 443 ssl;
server_name nginx.skyguard.com.cn;
ssl on;
ssl_certificate ../ssl/httpd.crt;
ssl_certificate_key ../ssl/httpd.key;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
# 啟動Nginx服務器
[root@cd-dev02 nginx]# ./sbin/nginx
然后用瀏覽器打開https://192.168.1.101(由于證書的Common Name為nginx.skyguard.com.cn,且瀏覽器尚未信任此自簽署CA,直接以IP訪問會出現證書警告,屬預期現象)
4. 配置Nginx服務器(192.168.1.101)Https雙向認證
在CA服務器(192.168.1.100)上生成客戶端證書
[root@cd-dev01 CA]# mkdir users
[root@cd-dev01 CA]# openssl genrsa 2048 > users/client.key
Generating RSA private key, 2048 bit long modulus
.............+++
......................+++
e is 65537 (0x10001)
[root@cd-dev01 CA]# openssl req -new -key ./users/client.key -out ./users/client.crq
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [SiChuan]:
Locality Name (eg, city) [ChengDu]:
Organization Name (eg, company) [SkyGuard]:
Organizational Unit Name (eg, section) [BigData]:
Common Name (eg, your name or your server's hostname) []:client.skyguard.com.cn
Email Address []:client@skyguard.com.cn
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@cd-dev01 CA]# openssl ca -in ./users/client.crq -out ./users/client.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 25 06:17:27 2017 GMT
Not After : Mar 23 06:17:27 2027 GMT
Subject:
countryName = CN
stateOrProvinceName = SiChuan
organizationName = SkyGuard
organizationalUnitName = BigData
commonName = client.skyguard.com.cn
emailAddress = client@skyguard.com.cn
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
C9:00:A4:37:14:80:FC:30:DC:7A:88:D4:03:09:7C:90:34:91:F5:7C
X509v3 Authority Key Identifier:
keyid:C2:C4:46:FB:37:A8:8E:CF:38:E7:72:2F:E1:7B:35:0F:22:23:19:1D
Certificate is to be certified until Mar 23 06:17:27 2027 GMT (3650 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Update
# 導出瀏覽器識別的證書格式
[root@cd-dev01 CA]# openssl pkcs12 -export -clcerts -in ./users/client.crt -inkey ./users/client.key -out ./users/client.p12
# 無密碼直接回車(client.p12內含客戶端私鑰,僅測試環境可留空,正式環境應設置導出密碼)
Enter Export Password:
Verifying - Enter Export Password:
# 將CA自簽署證書複製到Nginx服務器
[root@cd-dev01 CA]# scp cacert.pem 192.168.1.101:/usr/local/nginx/ssl/
在Nginx服務器(192.168.1.101)配置開啟雙向認證
[root@cd-dev02 nginx]# vim conf/nginx.conf
#修改單項認證虛擬主機
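# Virtual host for mutual (two-way) TLS: the server presents httpd.crt and
# every client must present a certificate issued by the CA in cacert.pem.
# Relative paths resolve against the nginx prefix directory (/usr/local/nginx).
server {
    listen 443 ssl;
    server_name nginx.skyguard.com.cn;

    # "ssl on;" is redundant once "listen ... ssl" is used and is deprecated
    # in later nginx releases, so it is omitted here.
    ssl_certificate ../ssl/httpd.crt;
    ssl_certificate_key ../ssl/httpd.key;

    # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated; offer TLS 1.2
    # only. TLSv1.3 can be appended on nginx 1.13+ built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2;
    # The original list enabled RC4, LOW, EXP and SSLv2-era suites, all broken.
    # Keep only HIGH-strength suites, drop anonymous/MD5/RC4/3DES, and exclude
    # static-RSA key exchange (kRSA) so every suite provides forward secrecy.
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES:!kRSA;
    ssl_prefer_server_ciphers on;

    # Client authentication: the trust anchor is the self-signed CA certificate
    # copied over from the CA host. "on" rejects any connection that presents
    # no certificate or one not issued by that CA.
    ssl_client_certificate ../ssl/cacert.pem;
    ssl_verify_client on;

    location / {
        root html;
        index index.html index.htm;
    }
}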
# 啟動Nginx服務器
[root@cd-dev02 nginx]# ./sbin/nginx
5. Chrome瀏覽器中訪問雙向認證服務器
修改Windows的hosts文件(C:\Windows\System32\drivers\etc\hosts),加入如下一行數據
192.168.1.101 nginx.skyguard.com.cn
向瀏覽器導入證書,進入:設置=>顯示高級設置=>管理證書
Paste_Image.png
點擊導入證書
Paste_Image.png
Paste_Image.png
然后一直下一步完成即可,然后在瀏覽器中輸入:
Paste_Image.png