Configuring HTTPS client certificate authentication in Nginx



I have recently been tinkering with my personal website. It has a private section that only I should be able to reach. Login-based authorization would also get the job done, but I would have to log in every time, and a password is not necessarily secure. I remembered from studying HTTPS that there is such a thing as a client certificate, which should satisfy the stronger security requirement, so this post records the process.

How it works

In the TLS handshake, the second step, Server Hello, can require the client to present a certificate; the client then sends the certificate issued by the server to the server. The server validates the client certificate; if it is valid, it encrypts information with the certificate's public key and sends it to the client, the client decrypts what it needs with its private key, computes the pre-master secret, encrypts it with the server certificate's public key and sends it to the server.

If the client certificate is invalid, expired, and so on, the server closes the connection after receiving it.

Preparing the certificates

Three certificates are involved: a CA certificate, a server certificate and a client certificate. If only a single user needs access, the CA certificate can be dispensed with; how to do that is left as an exercise for the reader.

Create a temporary working directory

    cd /root
    mkdir -p tmp/ca/conf
    cd tmp

CA certificate

The CA certificate acts as the root certificate: it can sign many client certificates, and during the TLS handshake it is used to check whether a client certificate is valid.

pwd: /root/tmp/ca

Step 1: generate the CA key

    openssl genrsa 2048 > ca.key

Step 2: generate the CA certificate

    openssl req -new -x509 -key ca.key -out ca.crt -days 3650
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:XX
    State or Province Name (full name) []:XX
    Locality Name (eg, city) [Default City]:XX
    Organization Name (eg, company) [Default Company Ltd]:XX
    Organizational Unit Name (eg, section) []:XX
    Common Name (eg, your name or your server's hostname) []:XX
    Email Address []:XX

Step 3: the signing configuration file

Initialize the files

    > conf/openssl.conf
    > conf/index.txt
    echo 00 > conf/serial

Contents of conf/openssl.conf:

    [ ca ]
    default_ca = XX                             # The default ca section

    [ XX ]
    dir = /root/tmp/
    new_certs_dir = /root/tmp/ca/

    certificate = /root/tmp/ca/ca.crt           # The CA cert
    private_key = /root/tmp/ca/ca.key           # CA private key

    database = /root/tmp/ca/conf/index.txt      # index file.
    serial = /root/tmp/ca/conf/serial           # serial no file

    default_days = 365                          # how long to certify for
    default_crl_days = 30                       # how long before next CRL
    default_md = sha1                           # message digest method to use

    policy = policy_any                         # default policy

    [ policy_any ]
    countryName = optional
    stateOrProvinceName = optional
    organizationName = optional
    organizationalUnitName = optional
    localityName = optional
    commonName = supplied
    emailAddress = optional

Configure Nginx

    ssl_client_certificate /root/tmp/ca/ca.crt; # move to nginx etc dir.
    ssl_verify_client on;
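The two directives above make every request to the server block require a valid client certificate. The following is an added example, not the post's own configuration, of how the same mechanism can protect only the private section while public pages stay reachable: the certificate is requested with `optional` and the per-request decision is taken on the `$ssl_client_verify` variable. The hostname, file paths and the `/private/` location are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;                        # placeholder

    ssl_certificate     /etc/nginx/ssl/server.crt;  # the site's existing server certificate
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # CA that signed the client certificates (a copy of /root/tmp/ca/ca.crt from the post)
    ssl_client_certificate /etc/nginx/ssl/client-ca.crt;
    ssl_verify_depth 1;                             # only certificates signed directly by that CA

    # "optional" asks for a certificate but lets the handshake complete without one;
    # "on" (as in the post) would reject every request to this server block without a valid one.
    ssl_verify_client optional;

    location / {
        root /var/www/public;                       # public content, no certificate needed
    }

    location /private/ {
        # $ssl_client_verify is "SUCCESS", "NONE" (no certificate sent) or "FAILED:<reason>"
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        # pass the verified subject DN to the application so it can log who accessed what
        proxy_set_header X-Client-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;           # placeholder backend
    }
}
```

Because the check is done by Nginx after chain validation against `ssl_client_certificate`, a certificate from any other CA, an expired one, or no certificate at all ends in `403` for `/private/` while `/` is unaffected.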

Reload Nginx

    systemctl reload nginx

Server certificate

My server already serves HTTPS, so no further certificate needs to be prepared. If you need to sign your own, that is simple too: follow the client certificate procedure.

Client certificate

pwd: /root/tmp

Step 1: generate the client key

    openssl genrsa 2048 > client.key

Step 2: generate the certificate signing request

    openssl req -new -key client.key -out client.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:GD
    Locality Name (eg, city) [Default City]:SZ
    Organization Name (eg, company) [Default Company Ltd]:XX 
    Organizational Unit Name (eg, section) []:amsimple
    Common Name (eg, your name or your server's hostname) []:amsimple
    Email Address []:shasharoman@gmail.com

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:
    An optional company name []:

Step 3: sign the certificate

    openssl ca -in client.csr -cert ca/ca.crt -keyfile ca/ca.key -out client.crt -config ca/conf/openssl.conf
    Using configuration from ca/conf/openssl.conf
    Check that the request matches the signature
    Signature ok
    The Subject's Distinguished Name is as follows
    countryName           :PRINTABLE:'CN'
    stateOrProvinceName   :ASN.1 12:'GD'
    localityName          :ASN.1 12:'SZ'
    organizationName      :ASN.1 12:'XX'
    organizationalUnitName:ASN.1 12:'amsimple'
    commonName            :ASN.1 12:'amsimple'
    emailAddress          :IA5STRING:'shasharoman@gmail.com'
    Certificate is to be certified until Mar  2 07:39:43 2019 GMT (365 days)
    Sign the certificate? [y/n]:y


    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated

Step 4: convert to PKCS12

    openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Once step 4 is done, import the P12 certificate on your machine; when you open the page you are prompted to choose a client certificate, and selecting the imported one is all it takes.

Tips:

On a Mac the PKCS12 import refuses an empty password, so remember to set a password when converting to PKCS12.
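The whole procedure from the CA section through step 4 above, as an added example that is not code from the original post: a non-interactive POSIX sh script that builds the CA, signs a client certificate and exports the PKCS#12 bundle, plus the chain check that Nginx performs against `ssl_client_certificate`. It assumes the `openssl` CLI is installed. It departs from the post's files in three deliberate ways: `sha256` replaces `sha1` as the signing digest, the client certificate is given an `extendedKeyUsage` of `clientAuth`, and the CA certificate gets explicit CA extensions. The names "Example Private CA", `amsimple` as the client CN and the password `changeit` are constructed values.

```shell
#!/bin/sh
# Added example (not the post's code): CA -> client certificate -> PKCS#12,
# non-interactively, plus the verification Nginx does against the CA.
# Assumes POSIX sh and the openssl CLI. Constructed names throughout.
set -eu

# Signing configuration. Unlike the post's file: paths derive from the work dir,
# sha256 replaces sha1, and client certs carry extendedKeyUsage = clientAuth.
write_ca_config() {
    cat > "$1/ca/conf/openssl.conf" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ ca ]
default_ca = private_ca

[ private_ca ]
dir              = $1/ca
new_certs_dir    = \$dir/newcerts
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
database         = \$dir/conf/index.txt
serial           = \$dir/conf/serial
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_any
x509_extensions  = client_ext

[ policy_any ]
commonName             = supplied
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
emailAddress           = optional

[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

# make_client_cert WORKDIR CLIENT_CN P12_PASSWORD
# Produces WORKDIR/ca/ca.crt and WORKDIR/client.{key,csr,crt,p12}.
make_client_cert() {
    w=$1; cn=$2; pass=$3
    mkdir -p "$w/ca/conf" "$w/ca/newcerts"
    write_ca_config "$w"
    cfg="$w/ca/conf/openssl.conf"

    # CA steps 1-2: key and self-signed root certificate (-subj skips the DN prompts)
    openssl genrsa -out "$w/ca/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -config "$cfg" -key "$w/ca/ca.key" \
        -out "$w/ca/ca.crt" -days 3650 -subj "/CN=Example Private CA"

    # CA step 3: the database files that 'openssl ca' maintains
    : > "$w/ca/conf/index.txt"
    echo 01 > "$w/ca/conf/serial"

    # Client steps 1-3: key, CSR, CA-signed certificate (-batch answers the y/n prompts)
    openssl genrsa -out "$w/client.key" 2048 2>/dev/null
    openssl req -new -config "$cfg" -key "$w/client.key" -out "$w/client.csr" -subj "/CN=$cn"
    openssl ca -batch -notext -config "$cfg" -in "$w/client.csr" -out "$w/client.crt" >/dev/null 2>&1

    # Client step 4: PKCS#12 bundle; a non-empty password is needed for the macOS import
    openssl pkcs12 -export -clcerts -in "$w/client.crt" -inkey "$w/client.key" \
        -out "$w/client.p12" -passout "pass:$pass"
}

# verify_client_cert CA_CRT CLIENT_CRT
# Exit status 0 only if CLIENT_CRT chains to CA_CRT and is usable as a TLS client
# certificate; this is the decision behind $ssl_client_verify in Nginx.
verify_client_cert() {
    openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1
}

# Usage: sh make-client-cert.sh /root/tmp amsimple changeit
if [ -n "${1:-}" ]; then
    make_client_cert "$1" "${2:-amsimple}" "${3:-changeit}"
    verify_client_cert "$1/ca/ca.crt" "$1/client.crt" && echo "client.crt verifies against ca.crt"
fi
```

The `-purpose sslclient` check fails for a certificate from any other CA, which is exactly why a self-built CA is enough to gate the private section: only certificates you signed pass. If the resulting `.p12` is rejected by an older keychain or browser, OpenSSL 3's `pkcs12 -export -legacy` option produces a bundle with the older encryption those importers expect.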

Original blog post

Note: articles reposted on this site are for personal study and reference; the site accepts no legal liability for copyright. If your rights have been infringed, please contact us and we will remove the article.

粤ICP备14056181号  © 2014-2020 ITdaan.com