Nginx上配置证书链
生成证书的genkeys.sh
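#!/usr/bin/env bash
# genkeys.sh — build a two-level server PKI (root CA -> intermediate CA ->
# server certificate) and a two-level client PKI (root CA -> intermediate
# CA -> client certificate), then bundle the chain files nginx needs.
#
# Outputs (written to the current directory):
#   serverRootCA.{key,crt}  serverCA.{key,csr,crt}  server.{key,csr,crt}
#   clientRootCA.{key,crt}  clientCA.{key,csr,crt}  client.{key,csr,crt,pfx}
#   server.chain = server.crt + serverCA.crt + serverRootCA.crt
#   client.chain = clientCA.crt + clientRootCA.crt
#
# Every `openssl req` step prompts interactively for the subject fields and
# `openssl pkcs12 -export` prompts for an export password, as before.
set -euo pipefail

# Private keys and the PKCS#12 bundle are created here; make them owner-only
# regardless of the caller's umask.
umask 077

# Validity of every certificate, in days (unchanged from the original: 10 years).
readonly DAYS=3650

# X.509v3 extensions for the intermediate CAs. `openssl x509 -req` attaches no
# extensions unless given -extfile, and RFC 5280 §4.2.1.9 requires
# basicConstraints cA=TRUE on any certificate that signs other certificates;
# strict verifiers (browsers in particular) reject a chain whose intermediate
# lacks it.
readonly CA_EXT='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

# Leaf (end-entity) certificates must not be usable to sign further certificates.
readonly LEAF_EXT='basicConstraints=CA:FALSE'

#######################################
# Print a step banner in red, then reset the terminal colour.
# Arguments: $1 - banner text, e.g. "1.serverRootCA:"
#######################################
banner() {
  printf '\033[31m%s\033[0m\n' "$1"
}

#######################################
# Generate an RSA private key.
# Arguments: $1 - output path, $2 - key size in bits
#######################################
gen_key() {
  openssl genrsa -out "$1" "$2"
}

#######################################
# Sign a CSR with a CA certificate/key, attaching the given extensions.
# Arguments: $1 - digest name (sha256 or sha384)
#            $2 - CSR path
#            $3 - CA certificate path
#            $4 - CA private key path
#            $5 - output certificate path
#            $6 - extension text in openssl.cnf syntax (one per line)
# Outputs:   the signed certificate at $5; creates <CA>.srl on first use
#######################################
sign_csr() {
  local digest=$1 csr=$2 ca_crt=$3 ca_key=$4 out=$5 ext=$6
  # -CAcreateserial creates the serial file the first time a CA signs; later
  # signings by the same CA reuse and increment it.
  openssl x509 "-${digest}" -req -in "$csr" -CA "$ca_crt" -CAkey "$ca_key" \
    -CAcreateserial -out "$out" -days "$DAYS" \
    -extfile <(printf '%s\n' "$ext")
}

main() {
  # ---- server side: root CA -> intermediate CA -> server certificate ----
  # Self-signed roots created with `req -x509` take their CA extensions from
  # the default openssl.cnf (v3_ca section) — verify with `openssl x509 -text`.
  banner "1.serverRootCA:"
  gen_key serverRootCA.key 4096
  openssl req -new -x509 -sha384 -days "$DAYS" -key serverRootCA.key -out serverRootCA.crt
  printf '\n'

  banner "2.serverCA.key:"
  gen_key serverCA.key 2048
  printf '\n'

  banner "3.serverCA.csr:"
  openssl req -new -key serverCA.key -out serverCA.csr
  printf '\n'

  banner "4.serverCA.crt:"
  sign_csr sha384 serverCA.csr serverRootCA.crt serverRootCA.key serverCA.crt "$CA_EXT"
  printf '\n'

  banner "5.server.key:"
  gen_key server.key 2048
  printf '\n'

  banner "6.server.csr:"
  openssl req -new -key server.key -out server.csr
  printf '\n'

  banner "7.server.crt:"
  sign_csr sha256 server.csr serverCA.crt serverCA.key server.crt "$LEAF_EXT"
  printf '\n'

  # ---- client side: root CA -> intermediate CA -> client certificate ----
  banner "8.clientRootCA:"
  gen_key clientRootCA.key 4096
  openssl req -new -x509 -sha256 -days "$DAYS" -key clientRootCA.key -out clientRootCA.crt
  printf '\n'

  banner "9.clientCA.key:"
  gen_key clientCA.key 4096
  printf '\n'

  banner "10.clientCA.csr:"
  openssl req -new -key clientCA.key -out clientCA.csr
  printf '\n'

  banner "11.clientCA.crt:"
  sign_csr sha256 clientCA.csr clientRootCA.crt clientRootCA.key clientCA.crt "$CA_EXT"
  printf '\n'

  banner "12.client.key:"
  gen_key client.key 2048
  printf '\n'

  banner "13.client.csr:"
  openssl req -new -key client.key -out client.csr
  printf '\n'

  banner "14.client.crt:"
  sign_csr sha256 client.csr clientCA.crt clientCA.key client.crt "$LEAF_EXT"
  printf '\n'

  # PKCS#12 bundle (key + certificate) for importing into a browser.
  banner "15.client.pfx:"
  openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx

  # Chain bundles in the order nginx expects: leaf first, then each issuer
  # up to the root. client.chain holds only the issuers used to verify
  # client certificates (the client presents its own leaf).
  cat clientCA.crt clientRootCA.crt > client.chain
  cat server.crt serverCA.crt serverRootCA.crt > server.chain
}

main "$@"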
nginx配置 https.conf
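# Initial configuration. It points nginx at the bare leaf and intermediate
# certificates instead of the chain bundles; it works when the test client
# already has serverCA.crt / clientCA.crt installed (see the Windows steps
# below), but see the corrected version that follows.
server {
    # `ssl on;` is deprecated since nginx 1.15.0 and removed in 1.25.1;
    # the ssl parameter on listen is the supported form.
    listen 443 ssl;
    server_name localhost;

    # Leaf certificate only — clients that do not already hold serverCA.crt
    # cannot build a path to serverRootCA.crt.
    ssl_certificate /etc/nginx/keys/server.crt;
    ssl_certificate_key /etc/nginx/keys/server.key;

    # Mutual TLS: every client must present a certificate issued under clientCA.crt.
    ssl_client_certificate /etc/nginx/keys/clientCA.crt;
    ssl_trusted_certificate /etc/nginx/keys/clientRootCA.crt;
    ssl_verify_client on;
    # Chain depth: client leaf = 0, clientCA = 1, clientRootCA = 2.
    ssl_verify_depth 2;
    ssl_session_timeout 5m;

    # SSLv2/SSLv3 are broken (DROWN, POODLE) and TLS 1.0/1.1 are deprecated
    # (RFC 8996); current OpenSSL builds refuse SSLv2/SSLv3 anyway. Append
    # TLSv1.3 on nginx >= 1.13.0 built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    root html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}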
一开始使用上面的配置也能用，但正确的配置应该如下（ssl_certificate 指向包含中间 CA 的 server.chain，ssl_client_certificate 指向 client.chain）：
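# Corrected configuration: nginx serves the full server chain and verifies
# client certificates against the whole client issuer chain.
server {
    # `ssl on;` is deprecated since nginx 1.15.0 and removed in 1.25.1;
    # the ssl parameter on listen is the supported form.
    listen 443 ssl;
    server_name localhost;

    # server.chain = server.crt + serverCA.crt + serverRootCA.crt, so a client
    # that only trusts serverRootCA.crt can still build the path.
    ssl_certificate /etc/nginx/keys/server.chain;
    ssl_certificate_key /etc/nginx/keys/server.key;

    # client.chain = clientCA.crt + clientRootCA.crt: the issuers a presented
    # client certificate must chain to. With the root included here,
    # ssl_trusted_certificate is no longer needed for verification.
    ssl_client_certificate /etc/nginx/keys/client.chain;
    #ssl_trusted_certificate /etc/nginx/keys/clientRootCA.crt;
    ssl_verify_client on;
    # Chain depth: client leaf = 0, clientCA = 1, clientRootCA = 2.
    ssl_verify_depth 2;
    ssl_session_timeout 5m;

    # SSLv2/SSLv3 are broken (DROWN, POODLE) and TLS 1.0/1.1 are deprecated
    # (RFC 8996); current OpenSSL builds refuse SSLv2/SSLv3 anyway. Append
    # TLSv1.3 on nginx >= 1.13.0 built against OpenSSL 1.1.1 or later.
    ssl_protocols TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;

    root html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}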
Windows 测试：
将 serverRootCA.crt 和 clientRootCA.crt 安装到「受信任的根证书颁发机构」
将 serverCA.crt 和 clientCA.crt 安装到「中间证书颁发机构」
在浏览器中导入 client.pfx（导入时需要输入生成 pfx 时设置的导出密码）