1.安装nginx
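# Install nginx from the official nginx.org repository.
# The release RPM is fetched over https so the bootstrap download is not made
# over an unauthenticated channel: rpm -i installs a package even when its
# signing key is not yet imported (it only warns), so for this first package the
# transport is the only integrity protection. Abort before yum if rpm fails.
rpm -ivh https://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm || exit 1
yum install nginx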
2.配置openssl
# Edit /etc/pki/tls/openssl.cnf (e.g. vim /etc/pki/tls/openssl.cnf) and set
# these defaults in the [ req_distinguished_name ] section, so every CSR
# generated below is offered the same C/ST/L/O/OU values at the prompt.
[ req_distinguished_name ]
countryName                     = Country Name(2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = ZJ
localityName                    = Locality Name (eg, city)
localityName_default            = HZ
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = Tech
organizationalUnitName          = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Org
确保以上字段在 CA 证书、服务端证书、客户端证书中一致(openssl ca 默认的 policy_match 策略要求 C/ST/O 与 CA 证书匹配,否则签发会失败)。
创建证书的私钥
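# Create the CA private key.
# Abort if the CA directory is missing so the key is never written to whatever
# the current directory happens to be; umask 077 makes the key owner-readable only.
cd /etc/pki/CA/private || exit 1
umask 077
openssl genrsa -out cakey.pem 2048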
生成自签证书
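# Self-sign the CA certificate with the key created above.
# -sha256 pins the signature digest explicitly instead of relying on the
# default_md setting of the installed openssl.cnf.
cd /etc/pki/CA/ || exit 1
openssl req -new -x509 -sha256 -key private/cakey.pem -out cacert.pem -days 3655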
PS:填坑
openssl ca -in nginx.csr -out nginx.crt -days 3650
Using configuration from /etc/pki/tls/openssl.cnf
unable to load number from /etc/pki/CA/serial
error while loading serial number
140311870949192:error:0D066096:asn1 encoding routines:a2i_ASN1_INTEGER:short line:f_int.c:215:
生成过程中遇到了该错误,用以下命令解决:
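# Initialise the CA serial file, but only when it is missing or empty:
# overwriting it on a CA that has already issued certificates would restart the
# counter and reuse serial numbers under the same issuer.
# Start at 01 rather than 00 — RFC 5280 requires the serial to be a positive integer.
cd /etc/pki/CA || exit 1
[ -s serial ] || printf '%s\n' 01 > serial
cat serial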
创建服务器证书
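# Server key, CSR and CA-signed certificate.
# umask 077 keeps the private key owner-readable only. 2048-bit RSA: 1024-bit
# keys are below current minimums and are rejected by modern clients.
# Each step aborts on failure so a missing or bad key is never handed to the CA.
umask 077
openssl genrsa -out nginx.key 2048 || exit 1
openssl req -new -sha256 -key nginx.key -out nginx.csr || exit 1
openssl ca -in nginx.csr -out nginx.crt -days 3650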
创建客户端证书
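# Client key, CSR and CA-signed certificate (same shape as the server steps).
# umask 077 keeps the private key owner-readable only; 2048-bit RSA replaces the
# 1024-bit size, which modern clients reject. Each step aborts on failure.
umask 077
openssl genrsa -out client.key 2048 || exit 1
openssl req -new -sha256 -key client.key -out client.csr || exit 1
openssl ca -in client.csr -out client.crt -days 3650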
PS:填坑
failed to update database TXT_DB error number 2
该错误是因为多次生成证书,造成 /etc/pki/CA/index.txt 中已存在记录。
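# "TXT_DB error number 2" typically means the CA database already holds a
# certificate with the same subject DN (the server and client CSRs above share
# the same C/ST/L/O/OU defaults). Deleting index.txt would throw away the record
# of every certificate issued so far, after which the CA can no longer revoke
# them or build a CRL. Keep the history and instead allow duplicate subjects via
# the database attribute file that openssl ca reads next to index.txt.
cd /etc/pki/CA || exit 1
[ -e index.txt ] || touch index.txt
printf '%s\n' 'unique_subject = no' > index.txt.attr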
生成完成后进行证书类型转换
# Bundle the client certificate with its private key as PKCS#12 for import into
# a browser or OS keystore. -clcerts keeps CA certificates out of the bundle;
# openssl prompts for an export password that protects the bundled key.
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12
配置nginx服务器验证
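# Server-side TLS with mutual (client-certificate) authentication.
ssl on;                                          # legacy form; newer nginx prefers "listen 443 ssl;"
ssl_protocols TLSv1.2;                           # TLS 1.0/1.1 are deprecated (RFC 8996); 1.2 is the floor
ssl_verify_client on;                            # mutual auth: every client must present a cert chained to the CA below
ssl_verify_depth 1;                              # client certs are issued directly by that CA; reject longer chains
ssl_prefer_server_ciphers on;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;                # the builtin cache fragments memory; the shared cache alone suffices
ssl_certificate nginx.crt;                       # server certificate signed by the local CA
ssl_certificate_key nginx.key;
ssl_client_certificate /etc/pki/CA/cacert.pem;   # CA certificate used to verify client certificates
# Forward-secret AEAD suites first, then the TLS 1.2 CBC-SHA2 suites for older
# clients. 3DES (DES-CBC3-SHA), CAMELLIA and the catch-all "AES" alias are
# dropped so no non-forward-secret or legacy fallback remains.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK:!aECDH;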
配置本地证书
将 client.p12 下载到本地并导入即可。