生成Nginx服务器SSL证书和客户端证书(2)

[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out client_01.pass.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
.....+++
e is 65537 (0x10001)
 
[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in client_01.pass.key -out client_01.key
writing RSA key

生成客户端证书签发请求CSR

[tomcat@a02 tmp]$ openssl req -new -key client_01.key -out client_01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:Staff
Common Name (eg, your name or your server's hostname) []:Staff
Email Address []:
 
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:201907
An optional company name []:

签发客户端证书

下面的命令, 用服务端的私钥和服务端的证书, 对客户端的CSR进行签发, 生成服务端证书. 这里有一个 -set_serial 01 的参数, 如果签发多个客户端证书, 这个数字不能重复

[tomcat@a02 tmp]$ openssl x509 -req -days 3655 -in client_01.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client_01.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=Staff/CN=Staff
Getting CA Private Key

客户端证书格式转换

前面生成的证书, 不能直接用于常见的应用, 需要转换成应用需要的格式

Full PEM:

[tomcat@a02 tmp]$ cat client_01.key client_01.pem ca.pem > client_01.full.pem

PFX - 这里输入的export password, 就是应用导入PFX证书时需要输入的密码.

[tomcat@a02 tmp]$ openssl pkcs12 -export -out client_01.full.pfx -inkey client_01.key -in client_01.pem -certfile ca.pem
Enter Export Password:
Verifying - Enter Export Password:

配置Nginx的客户端验证证书

ssl_client_certificate /path/to/ca.pem;
ssl_verify_client optional; # or `on` if you require client key

Linux公社的RSS地址https://www.linuxidc.com/rssFeed.aspx

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/7c7f91b562d69429736ad530a31f5cbd.html