生成Nginx服务器SSL证书和客户端证书

297次阅读

共计 5406 个字符，预计需要花费 14 分钟才能阅读完成。

Nginx 服务器 SSL 证书
生成 pass key

下面的命令用于生成一个 2048bit 的 pass key, -passout pass:111111 用于避免交互式输入密码

[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:111111 -out server.pass.key 2048
Generating RSA private key, 2048 bit long modulus
………..+++
…………………+++
e is 65537 (0x10001)

生成 key

下面的命令用于生成私钥, -passin pass:111111 是和 pass key 的密码对应的, 用于避免交互式输入密码

[tomcat@a02 tmp]$ openssl rsa -passin pass:111111 -in server.pass.key -out server.key
writing RSA key

生成证书签发请求文件(CSR)

下面的命令用于生成 csr 文件, 这里需要填写机构相关信息. 其中 CN 务必填写为对应的服务器域名. 最后那个 challenge password, 是这个 csr 的 password

[tomcat@a02 tmp]$ openssl req -new -sha256 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:iSomeone
Common Name (eg, your name or your server’s hostname) []:internal.someone.com
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:222222
An optional company name []:

发送 CSR 文件给 CA 服务商签发证书

如果是购买的 CA 服务商的 SSL 证书服务, 这一步把 CSR 发给服务商就可以了. 收到证书后将内容写入到 server.pem 文件

在 Nginx 上这样配置

server {
listen 443;
server_name www.example.com;

ssl on;
ssl_certificate /path/to/ssl/server.pem;
ssl_certificate_key /path/to/ssl/server.key;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:ssl_www_example_com:5m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA;
#…
location / {
#…
}
#…
}

制作自签名证书

如果是打算制作自签名证书, 则进行如下的操作生成 pem 证书

[tomcat@a02 tmp]$ openssl x509 -req -sha256 -days 3655 -in server.csr -signkey server.key -out server.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=iSomeone/CN=internal.someone.com
Getting Private key

Nginx 客户端验证证书
Nginx 客户端验证证书和服务端 SSL 证书其实是没关系的, 你可以一边使用 CA 签发的证书, 一边使用自己制作的客户端验证证书.

生成服务器端私钥

[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out ca.pass.key 2048
Generating RSA private key, 2048 bit long modulus
…………………………………………………………………………………………………+++
……………………………..+++
e is 65537 (0x10001)

[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in ca.pass.key -out ca.key
writing RSA key

生成服务器端证书

下面的命令会生成服务器证书 ca.pem, 用于配制到 nginx.

[tomcat@a02 tmp]$ openssl req -new -x509 -days 3655 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:iSomeone
Common Name (eg, your name or your server’s hostname) []:internal.someone.com
Email Address []:

生成客户端私钥

[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out client_01.pass.key 2048
Generating RSA private key, 2048 bit long modulus
……………………..+++
…..+++
e is 65537 (0x10001)

[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in client_01.pass.key -out client_01.key
writing RSA key

生成客户端证书签发请求 CSR

[tomcat@a02 tmp]$ openssl req -new -key client_01.key -out client_01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.’, the field will be left blank.
—–
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:Staff
Common Name (eg, your name or your server’s hostname) []:Staff
Email Address []:

Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []:201907
An optional company name []:

签发客户端证书

下面的命令, 用服务端的私钥和服务端的证书, 对客户端的 CSR 进行签发, 生成服务端证书. 这里有一个 -set_serial 01 的参数, 如果签发多个客户端证书, 这个数字不能重复

[tomcat@a02 tmp]$ openssl x509 -req -days 3655 -in client_01.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client_01.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=Staff/CN=Staff
Getting CA Private Key

客户端证书格式转换

前面生成的证书, 不能直接用于常见的应用, 需要转换成应用需要的格式

Full PEM:

[tomcat@a02 tmp]$ cat client_01.key client_01.pem ca.pem > client_01.full.pem

PFX – 这里输入的 export password, 就是应用导入 PFX 证书时需要输入的密码.

[tomcat@a02 tmp]$ openssl pkcs12 -export -out client_01.full.pfx -inkey client_01.key -in client_01.pem -certfile ca.pem
Enter Export Password:
Verifying – Enter Export Password:

配置 Nginx 的客户端验证证书

ssl_client_certificate /path/to/ca.pem;
ssl_verify_client optional; # or `on` if you require client key

：

正文完

星哥说事-微信公众号