[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out client_01.pass.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
.....+++
e is 65537 (0x10001)
[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in client_01.pass.key -out client_01.key
writing RSA key
生成客户端证书签发请求CSR
[tomcat@a02 tmp]$ openssl req -new -key client_01.key -out client_01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:Staff
Common Name (eg, your name or your server's hostname) []:Staff
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:201907
An optional company name []:
签发客户端证书
下面的命令, 用服务端的私钥和服务端的证书, 对客户端的CSR进行签发, 生成服务端证书. 这里有一个 -set_serial 01 的参数, 如果签发多个客户端证书, 这个数字不能重复
[tomcat@a02 tmp]$ openssl x509 -req -days 3655 -in client_01.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client_01.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=Staff/CN=Staff
Getting CA Private Key
客户端证书格式转换
前面生成的证书, 不能直接用于常见的应用, 需要转换成应用需要的格式
Full PEM:
[tomcat@a02 tmp]$ cat client_01.key client_01.pem ca.pem > client_01.full.pem
PFX - 这里输入的export password, 就是应用导入PFX证书时需要输入的密码.
[tomcat@a02 tmp]$ openssl pkcs12 -export -out client_01.full.pfx -inkey client_01.key -in client_01.pem -certfile ca.pem
Enter Export Password:
Verifying - Enter Export Password:
配置Nginx的客户端验证证书
ssl_client_certificate /path/to/ca.pem;
ssl_verify_client optional; # or `on` if you require client key
Linux公社的RSS地址:https://www.linuxidc.com/rssFeed.aspx