This article was contributed by Deng Yayun.

Nginx + HTTPS two-way (mutual) verification
Explanation:
To serve HTTPS with nginx, nginx must be built with the http_ssl module: add the --with-http_ssl_module parameter at compile time and you are set. In addition, the system must have openssl installed. OpenSSL is open-source software; on Linux (or UNIX/Cygwin) it lets us set up a simple CA, and with that CA we can run PKI and digital-certificate tests. For example, to test two-way HTTPS authentication on Tomcat or Apache, our own test CA can issue the server's digital certificate and generate file-based digital certificates for the clients (browsers), creating the client private keys with openssl at the same time.
1. Check whether openssl is installed on the system:
rpm -qa | grep openssl

If it is not, on CentOS install it with yum install openssl -y.
2. Check whether nginx was built with the http_ssl module: look for --with-http_ssl_module in the configure arguments that nginx prints with its -V option. (The original shows this as a screenshot.)

If it is listed there, the module is compiled in.
3. Server and client two-way authentication. Create the directories that will hold the certificates and keys. I put them under /data/ca; the path can be anything you like, as long as nginx can find it:
mkdir -p /data/ca/{newcerts,private,conf,server}

The newcerts subdirectory holds a copy of every certificate the CA signs (its certificate backup directory); private holds the CA's private key; conf holds the simplified configuration file used below; server holds the server certificate files.
(1) In the conf directory, create the configuration file openssl.conf with the following content:
# cat conf/openssl.conf
[ ca ]
default_ca      = foo
[ foo ]
dir            = /data/ca
database       = /data/ca/index.txt
new_certs_dir  = /data/ca/newcerts
certificate    = /data/ca/private/ca.crt
serial         = /data/ca/serial
private_key    = /data/ca/private/ca.key
RANDFILE       = /data/ca/private/.rand
default_days   = 365
default_crl_days= 30
default_md     = sha256   # signature digest. Many tutorials use md5 (or sha1, as the first version of this article did); both are broken, and current browsers and OpenSSL 3 at its default security level reject certificates signed with them, so use sha256
unique_subject = no
policy         = policy_any
[ policy_any ]
countryName = match  # country code, e.g. cn for China; must equal the CA's value
stateOrProvinceName = match # state or province, e.g. guangdong; must match the CA
organizationName = match  # organization, i.e. the company, e.g. mbook; must match the CA
organizationalUnitName = match  # organizational unit, here also mbook; must match the CA
localityName            = optional # city, e.g. guangzhou
commonName              = supplied  # must be present; for the server this is the site's host name, the client certificates in this article use *
emailAddress            = optional  # e-mail address, e.g. [email protected]
Note: you can also edit OpenSSL's own configuration file directly instead; then the certificate-making commands below do not need the -config option.
(2) Create the certificates with the following commands; all of them are run from the /data/ca/ directory. First create the CA root certificate:
openssl genrsa -out private/ca.key 2048
openssl req -new -key private/ca.key -out private/ca.csr
openssl x509 -req -sha256 -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
echo FACE > serial
touch index.txt
openssl ca -gencrl -out /data/ca/private/ca.crl -crldays 7 -config "/data/ca/conf/openssl.conf"
Running this generates the new CA certificate. openssl req prompts interactively for the DN fields (country, province, city, organization, unit, common name), and the values entered here become the ones every later certificate must match under policy_any. Note that ca.key is written unencrypted: anyone who can read it can issue client certificates that nginx will accept, so keep the private directory readable by root only. (The original shows the prompts as a screenshot.)

(3) The commands to generate the server certificate:
openssl genrsa -out server/server.key 2048
openssl req -new -key server/server.key -out server/server.csr
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/data/ca/conf/openssl.conf"
Running this issues the new server certificate. The interaction is the same as above, but be careful: the country, province, organization and organizational unit you enter must be identical to what you entered for the CA, because policy_any declares them "match"; otherwise openssl ca refuses to sign and the whole process fails. The Common Name should be the host name users type into the browser: browsers check the URL against the server certificate's name (Chrome has ignored the CN since version 58 and requires a subjectAltName), so "*" is not a usable value here. (The original shows the prompts as a screenshot.)

(4) Configure SSL support in nginx (inside the server block of the HTTPS virtual host):
listen       443 ssl;
index index.html index.htm index.php;
root  /data/www/wwwroot/blog;
ssl_certificate      /data/ca/server/server.crt;
ssl_certificate_key  /data/ca/server/server.key;
ssl_client_certificate /data/ca/private/ca.crt;   # CA that client certificates must chain to
ssl_session_timeout  5m;
ssl_verify_client on;  # enable client certificate verification
ssl_protocols  TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers   on;
The ssl parameter on listen replaces the old "ssl on;" directive, which is deprecated. Do not list SSLv2, SSLv3 or TLSv1 in ssl_protocols as older tutorials do: SSLv2 and SSLv3 are broken (SSLv3 is vulnerable to POODLE and is no longer even compiled into current OpenSSL builds) and TLS 1.0/1.1 are deprecated by RFC 8996. TLSv1.3 requires nginx 1.13 or later built against OpenSSL 1.1.1 or later; drop it if your build is older.
To redirect plain HTTP to HTTPS automatically, add a second server block to the virtual host:
server {
    listen 80;
    return 301 https://$host$request_uri;
}
This sends every HTTP request to the same path over HTTPS.
Start nginx and wait for a client to connect. If you connect to the server at this point, nginx answers "400 Bad Request - No required SSL certificate was sent", because with ssl_verify_client on every connection without a client certificate is rejected; so you also need to generate client certificates. (The original shows the error page as a screenshot.)
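The two server blocks from step (4) assembled into one complete configuration, as an added example that is not from the original article. It keeps the article's certificate paths and adds the pieces a production deployment needs: the CRL generated in step (2) wired in, and the verified client identity handed to the backend. The host name blog.example.test and the backend on 127.0.0.1:9000 are assumptions.

```nginx
# Added example (not the article's config): mutual-TLS virtual host.
# Paths are the article's; blog.example.test and 127.0.0.1:9000 are assumed.

server {
    listen 80;
    server_name blog.example.test;
    return 301 https://$host$request_uri;    # everything goes to HTTPS
}

server {
    listen 443 ssl;                           # replaces the deprecated "ssl on;"
    server_name blog.example.test;
    root  /data/www/wwwroot/blog;
    index index.html index.htm index.php;

    ssl_certificate        /data/ca/server/server.crt;
    ssl_certificate_key    /data/ca/server/server.key;

    # Client-certificate verification: the client's chain must end at our CA.
    ssl_client_certificate /data/ca/private/ca.crt;
    ssl_verify_client      on;                # "optional" lets the app decide instead of a 400
    ssl_verify_depth       1;                 # clients are signed directly by ca.crt
    ssl_crl                /data/ca/private/ca.crl;  # from "openssl ca -gencrl"

    # Only current protocol versions; SSLv2/SSLv3 and TLS 1.0/1.1 are deprecated.
    ssl_protocols              TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers  on;
    ssl_session_timeout        5m;

    location / {
        # Pass the identity nginx verified to the application. The app must
        # accept these headers only from nginx, never from the network.
        proxy_set_header X-Client-DN     $ssl_client_s_dn;
        proxy_set_header X-Client-Verify $ssl_client_verify;
        proxy_pass http://127.0.0.1:9000;
    }
}
```

Two things to keep in mind with this configuration. First, a CRL carries an expiry date: the article generates it with -crldays 7, and once that week is over OpenSSL treats the CRL as invalid and nginx rejects every client, so regenerate the CRL on a schedule (and after each openssl ca -revoke). Second, the setup can be tested without a browser: curl --cert /data/ca/yayun/yayun.p12:PASSWORD --cert-type P12 --cacert /data/ca/private/ca.crt https://blog.example.test/ should return the page, while the same request without --cert gets the 400 described above.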

base=/data/ca
mkdir -p $base/yayun/
openssl genrsa -des3 -out $base/yayun/yayun.key 2048
openssl req -new -key $base/yayun/yayun.key -out $base/yayun/yayun.csr
openssl ca -in $base/yayun/yayun.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/yayun/yayun.crt -config $base/conf/openssl.conf
openssl pkcs12 -export -clcerts -in $base/yayun/yayun.crt -inkey $base/yayun/yayun.key -out $base/yayun/yayun.p12
(5) Run the script to generate a client certificate.
Follow the prompts step by step; note that the matched fields of the client certificate (country, province, organization, organizational unit) must agree with the root certificate.
# sh
Generating RSA private key, 2048 bit long modulus
e is 65537 (0x10001)
Enter pass phrase for /data/ca/yayun/yayun.key:             <- choose a passphrase for the key
Verifying - Enter pass phrase for /data/ca/yayun/yayun.key: <- repeat it
Enter pass phrase for /data/ca/yayun/yayun.key:             <- openssl req needs it again; all three entries must be identical
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:guangdong
Locality Name (eg, city) [Newbury]:guangzhou
Organization Name (eg, company) [My Company Ltd]:mbook
Organizational Unit Name (eg, section) []:mbook
Common Name (eg, your name or your server's hostname) []:*
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /data/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :PRINTABLE:'guangdong'
localityName          :PRINTABLE:'guangzhou'
organizationName      :PRINTABLE:'mbook'
commonName            :ASN.1 12:'*'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Dec  8 16:19:58 2013 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Enter pass phrase for /data/ca/yayun/yayun.key:  <- the key passphrase once more, for the PKCS#12 export
Enter Export Password:                           <- this is the password you will need when importing the certificate
Verifying - Enter Export Password:               <- repeat it
In the end the user's certificate is generated under /data/ca/yayun; yayun.p12 is the file to import into the browser.
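The whole procedure from step (2) to step (5) collapsed into one non-interactive script, as an added example that is not the article's own code. It keeps the article's directory layout and DN values but makes the changes a practitioner would want today: SHA-256 throughout, proper X.509v3 extensions (CA:TRUE on the root, clientAuth on client certificates, a subjectAltName on the server certificate) and a CRL. The host name blog.example.test, the user name yayun and the export password are assumptions passed in as arguments; the is_valid_client_cert function performs the same check nginx makes when ssl_verify_client is on.

```shell
#!/usr/bin/env bash
# Added example (not the article's script): rebuild the test CA, server and
# client certificates non-interactively. Host, user and password are
# illustrative assumptions supplied as arguments.
set -eu

# Write the CA config into "$1/conf/openssl.conf"; "$2" is the server host
# name for subjectAltName (browsers match the URL against the SAN, not the CN).
write_ca_conf() {
  local dir=$1 host=$2
  cat >"$dir/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir              = $dir
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
certificate      = $dir/private/ca.crt
serial           = $dir/serial
private_key      = $dir/private/ca.key
default_days     = 365
default_crl_days = 30
default_md       = sha256
unique_subject   = no
policy           = policy_any
[ policy_any ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = match
localityName           = optional
commonName             = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
CN = set-with-the-subj-option
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_server ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Build the PKI under "$1": root CA, server cert for host "$2", client cert
# for user "$3" exported to PKCS#12 with password "$4", plus an empty CRL.
build_test_pki() {
  local dir=$1 host=$2 user=$3 p12pw=$4 cfg=$1/conf/openssl.conf
  local dn="/C=cn/ST=guangdong/L=guangzhou/O=mbook/OU=mbook"
  mkdir -p "$dir/private" "$dir/newcerts" "$dir/server" "$dir/conf" "$dir/$user"
  chmod 700 "$dir/private"            # ca.key is unencrypted: lock the directory down
  touch "$dir/index.txt"; echo 1000 >"$dir/serial"
  write_ca_conf "$dir" "$host"
  # Root CA, self-signed with CA:TRUE (the article's x509 -req route yields a
  # root without basicConstraints at all).
  openssl genrsa -out "$dir/private/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key "$dir/private/ca.key" -config "$cfg" \
    -subj "$dn/CN=mbook test CA" -extensions v3_ca -out "$dir/private/ca.crt"
  # Server certificate: CN and SAN both carry the real host name.
  openssl genrsa -out "$dir/server/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server/server.key" -config "$cfg" \
    -subj "$dn/CN=$host" -out "$dir/server/server.csr"
  openssl ca -batch -notext -config "$cfg" -extensions v3_server \
    -in "$dir/server/server.csr" -out "$dir/server/server.crt" 2>/dev/null
  # Client certificate with the clientAuth purpose that nginx checks for.
  openssl genrsa -out "$dir/$user/$user.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$user/$user.key" -config "$cfg" \
    -subj "$dn/CN=$user" -out "$dir/$user/$user.csr"
  openssl ca -batch -notext -config "$cfg" -extensions v3_client \
    -in "$dir/$user/$user.csr" -out "$dir/$user/$user.crt" 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$dir/$user/$user.crt" \
    -inkey "$dir/$user/$user.key" -passout "pass:$p12pw" -out "$dir/$user/$user.p12"
  # CRL for nginx's ssl_crl; after "openssl ca -revoke <crt>" run this again.
  openssl ca -gencrl -config "$cfg" -out "$dir/private/ca.crl" 2>/dev/null
}

# The check nginx makes with ssl_verify_client on: does "$2" chain to the CA
# in "$1" and is it usable as a TLS *client* certificate? Exit 0 means yes.
is_valid_client_cert() {
  openssl verify -CAfile "$1/private/ca.crt" -purpose sslclient "$2" >/dev/null 2>&1
}

# Stand-alone demo:  bash thisfile.sh run
demo() {
  local dir; dir=$(mktemp -d)
  build_test_pki "$dir" blog.example.test yayun import-password
  is_valid_client_cert "$dir" "$dir/yayun/yayun.crt" && echo "yayun.crt: accepted as client cert"
  is_valid_client_cert "$dir" "$dir/server/server.crt" || echo "server.crt: rejected as client cert"
  echo "import $dir/yayun/yayun.p12 into the browser (password: import-password)"
}
case "${1:-}" in run) demo ;; esac
```

The second verify call in the demo is the interesting one: the server certificate chains to the same CA, yet it fails the sslclient purpose check because its extendedKeyUsage is serverAuth only, which is exactly why a server certificate copied onto a laptop cannot be used to log in to this nginx.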

Download yayun.p12 from the server and import it into the browser. In Chrome the certificate is imported as follows (screenshot in the original):

Now visit the website again to test.
The above is the import in Chrome. With IE, double-click the certificate file, enter the certificate password and follow the prompts to import it.

Finally, the page shows up!
Note:
Folks, keep your own certificate safe. On the company website you need to import the certificate, and to reach one of the company's internal sites from home you also need to import the certificate!


Finally, here is a script that adds client certificates automatically, with the interactive part removed: if you have to generate certificates for 100 people, hundreds of prompts would wear anyone down, so expect is used to feed in the answers. The script is as follows:
#write by yayun 2013-05-29
#batch add client certificate for nginx https
# Requires the expect package. name.txt holds one e-mail address per line;
# the part before "@" is used as the user name and directory. The DN values
# below must match the CA's, because policy_any declares them "match".
base=/data/ca
Country=cn
State=guangdong
Locality=guangzhou
Organization=mbook
Passwd=${Passwd:?set the PKCS#12 export password in the environment first}
while IFS= read -r Email; do
  i=${Email%%@*}
  Common=$i               # one CN per user, so certificates can be told apart and revoked
  mkdir -p $base/$i/
  openssl genrsa -out $base/$i/$i.key 2048
  expect -c "
  spawn openssl req -new -key $base/$i/$i.key -out $base/$i/$i.csr
  expect {
                \"*XX*\" {send \"$Country\r\"; exp_continue}
                \"*full name*\" {send \"$State\r\"; exp_continue}
                \"*Default City*\" {send \"$Locality\r\"; exp_continue}
                \"Organization*\" {send \"$Organization\r\"; exp_continue}
                \"Organizational*\" {send \"$Organization\r\"; exp_continue}
                \"*hostname*\" {send \"$Common\r\"; exp_continue}
                \"Email*\" {send \"$Email\r\"; exp_continue}
                \"*password*\" {send \"\r\"; exp_continue}
                \"*company name*\" {send \"\r\"; exp_continue}
  }
  "
  expect -c "
  spawn openssl ca -in $base/$i/$i.csr -cert $base/private/ca.crt -keyfile $base/private/ca.key -out $base/$i/$i.crt -config $base/conf/openssl.conf
  expect {
                \"*certificate?*\" {send \"y\r\"; exp_continue}
                \"*commit?*\" {send \"y\r\"; exp_continue}
  }
  "
  expect -c "
  spawn openssl pkcs12 -export -clcerts -in $base/$i/$i.crt -inkey $base/$i/$i.key -out $base/$i/$i.p12
  expect {
                \"Enter*Password:\" {send \"$Passwd\r\"; exp_continue}
                \"Verifying*Password:\" {send \"$Passwd\r\"; exp_continue}
  }
  "
done < name.txt
name.txt holds the user names and mailboxes, and the script loops over them automatically. That's the whole process!

When reprinting, please credit the source: Linux System Operations.
