nginx ssl 双向认证

来源:互联网

Nginx的浏览器/服务器双向SSL证书认证配置

文章分类:操作系统 最近的项目中需要安全性控制,而我又懒得改动后台的程序代码,故而想在反向代理层加入SSL证书验证。 
一直在用Nginx做反向代理,但是其SSL的配置只用过普通的服务端单向证书。在Google,百度狂搜一通之后,一无所获,依旧是那老三样,只有单向认证的示例。浏览器端双向认证的配置好像从没人写过。 
无奈之下,只好从OpenSSL的客户端证书开始学起,一点一点啃,大段大段的E文让我这半瓶子醋看的头晕眼晕。最后在 
http://it.toolbox.com/blogs/securitymonkey/howto-securing-a-website-with-client-ssl-certificates-11500 
的提示下终于把这个证书搞定,来秀一个。 
这需要一下几个步骤: 
1) 安装openssl用来做证书认证 
2) 创建一个CA根证书 
3) 创建一个自签名的服务器证书 
4) 设置Nginx 
5) 创建客户端证书 
6) 安装客户端证书到浏览器 
7) Profit. 
1) 
这一步我是在ubuntu下直接apt-get装的openssl, 配置文件安装在/etc/ssl/openssl.cnf 
修改openssl.cnf的以下几段 
[ ca ] 
default_ca = foo 
Openssl将会寻找名称为foo的配置段 

1. [ foo ] 

2. dir = /etc/ssl/private

3. database = $dir/index.txt 

4. serial = $dir/serial 

5. private_key = $dir/ca.key 

6. certificate = $dir/ca.crt 

7. default_days = 3650

8. default_md = md5 

9. new_certs_dir = $dir 

10. policy = policy_match 

[ foo ]

dir = /etc/ssl/private

database = $dir/index.txt

serial = $dir/serial

private_key = $dir/ca.key

certificate = $dir/ca.crt

default_days = 3650

default_md = md5

new_certs_dir = $dir

policy = policy_match

policy_match 我保持默认值没有改

1. [ policy_match ] 

2. countryName = match 

3. stateOrProvinceName = match 

4. organizationName = match 

5. organizationalUnitName = match 

6. commonName = supplied 

7. emailAddress = optional 

[ policy_match ]

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = match

commonName = supplied

emailAddress = optional

默认签发有效期为10年,你可以自己设置一个合适的值 
2) 
创建一个新的CA根证书 
下面的几个脚本我都放在/etc/ssl目录下 
new_ca.sh:

1. #!/bin/sh 

2. # Generate the key. 

3. openssl genrsa -out private/ca.key 

4. # Generate a certificate request. 

5. openssl req -new -key private/ca.key -out private/ca.csr 

6. # Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark. 

7. # I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this

8. # service will never see the light of an unencrypted Internet see the cheap and lazy remark. 

9. # So self sign our root key. 

10. openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt 

11. # Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits. 

12. echo FACE > private/serial 

13. # Create the CA's key database. 

14. touch private/index.txt 

15. # Create a Certificate Revocation list for removing 'user certificates.'

16. openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7

#!/bin/sh

# Generate the key.

openssl genrsa -out private/ca.key

# Generate a certificate request.

openssl req -new -key private/ca.key -out private/ca.csr

# Self signing key is bad... this could work with a third party signed key... registeryfly has them on for $16 but I'm too cheap lazy to get one on a lark.

# I'm also not 100% sure if any old certificate will work or if you have to buy a special one that you can sign with. I could investigate further but since this

# service will never see the light of an unencrypted Internet see the cheap and lazy remark.

# So self sign our root key.

openssl x509 -req -days 3650 -in private/ca.csr -signkey private/ca.key -out private/ca.crt

# Setup the first serial number for our keys... can be any 4 digit hex string... not sure if there are broader bounds but everything I've seen uses 4 digits.

echo FACE > private/serial

# Create the CA's key database.

touch private/index.txt

# Create a Certificate Revocation list for removing 'user certificates.'

openssl ca -gencrl -out /etc/ssl/private/ca.crl -crldays 7

执行 sh new_ca.sh 生成新的CA证书 
3) 
生成服务器证书的脚本 
new_server.sh:

1. # Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it. 

2. openssl genrsa -out private/server.key 

3. # Take our key and create a Certificate Signing Request for it. 

4. openssl req -new -key private/server.key -out private/server.csr 

5. # Sign this bastard key with our bastard CA key. 

6. openssl ca -in private/server.csr -cert private/ca.crt -keyfile private/ca.key -out private/server.crt 

# Create us a key. Don't bother putting a password on it since you will need it to start apache. If you have a better work around I'd love to hear it.

openssl genrsa -out private/server.key

# Take our key and create a Certificate Signing Request for it.

openssl req -new -key private/server.key -out private/server.csr

# Sign this bastard key with our bastard CA key.

openssl ca -in private/server.csr -cert private/ca.crt -keyfile private/ca.key -out private/server.crt

执行 sh new_server.sh 生成新服务器的证书 
4) 
最要命的一步,尝试多次后终于搞明白。 
配置 nginx 的ssl支持 
我的配置如下:

1. # HTTPS server 

2. # 

3. server { 

4. listen   443; 

5. server_name  localhost; 

# HTTPS server

#

server {

listen   443;

server_name  localhost;

1. # 打开ssl 

2. ssl  on; 

3. # 上一步生成的服务器证书 

4. ssl_certificate  /etc/ssl/private/server.crt; 

5. # 服务器证书公钥 

6. ssl_certificate_key  /etc/ssl/private/server.key; 

7. # 客户端证书签名 也就是第二步生成的CA签名证书 

8. ssl_client_certificate   /etc/ssl/private/ca.crt; 

9. # ssl session 超时 

10. ssl_session_timeout  5m; 

11. # 打开SSL客户端校验 (双向证书检测) 

12. ssl_verify_client on; 

13.

14. #ssl_protocols  SSLv2 SSLv3 TLSv1; 

15. #ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; 

16. ssl_prefer_server_ciphers   on; 

17.

18. location / { 

19. root   /var/www/nginx-default; 

20. index  index.html index.htm; 

21. } 

# 打开ssl

ssl  on;

# 上一步生成的服务器证书

ssl_certificate  /etc/ssl/private/server.crt;

# 服务器证书公钥

ssl_certificate_key  /etc/ssl/private/server.key;

# 客户端证书签名 也就是第二步生成的CA签名证书

ssl_client_certificate   /etc/ssl/private/ca.crt;

# ssl session 超时

ssl_session_timeout  5m;

# 打开SSL客户端校验 (双向证书检测)

ssl_verify_client on;

#ssl_protocols  SSLv2 SSLv3 TLSv1;

#ssl_ciphers  ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;

ssl_prefer_server_ciphers   on;

location / {

root   /var/www/nginx-default;

index  index.html index.htm;

}

启动你的nginx ,等待客户连接 
5) 
现在来生成客户端证书 
new_user.sh:

1. #!/bin/sh 

2. # The base of where our SSL stuff lives. 

3. base="/etc/ssl/private"

4. # Were we would like to store keys... in this case we take the username given to us and store everything there. 

5. mkdir -p $base/users/$1/ 

6.

7. # Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key. 

8. openssl genrsa -des3 -out $base/users/$1/$1.key 1024

9. # Create a Certificate Signing Request for said key. 

10. openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr 

11. # Sign the key with our CA's key and cert and create the user's certificate out of it. 

12. openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt 

13.

14. # This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific. 

15. # The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain. 

16. # Take the same precaution with the export password that would take with any other password based authentication scheme. 

17. openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12 

#!/bin/sh

# The base of where our SSL stuff lives.

base="/etc/ssl/private"

# Were we would like to store keys... in this case we take the username given to us and store everything there.

mkdir -p $base/users/$1/

# Let's create us a key for this user... yeah not sure why people want to use DES3 but at least let's make us a nice big key.

openssl genrsa -des3 -out $base/users/$1/$1.key 1024

# Create a Certificate Signing Request for said key.

openssl req -new -key $base/users/$1/$1.key -out $base/users/$1/$1.csr

# Sign the key with our CA's key and cert and create the user's certificate out of it.

openssl ca -in $base/users/$1/$1.csr -cert $base/ca.crt -keyfile $base/ca.key -out $base/users/$1/$1.crt

# This is the tricky bit... convert the certificate into a form that most browsers will understand PKCS12 to be specific.

# The export password is the password used for the browser to extract the bits it needs and insert the key into the user's keychain.

# Take the same precaution with the export password that would take with any other password based authentication scheme.

openssl pkcs12 -export -clcerts -in $base/users/$1/$1.crt -inkey $base/users/$1/$1.key -out $base/users/$1/$1.p12

执行 sh new_user.sh yourname 来生成一个 yourname 的client证书 
按照提示一步一步来,这里要注意的是客户证书的几个项目要和根证书匹配 
也就是第一步时配置的:

1. countryName = match 

2. stateOrProvinceName = match 

3. organizationName = match 

4. organizationalUnitName = match 

countryName = match

stateOrProvinceName = match

organizationName = match

organizationalUnitName = match

不一致的话无法生成最后的客户证书 
6) 
发送上一步生成的 yourname.p12 到客户端。 
IE下双击安装就可以导入。 
FireFox安装 : 
Go into preferences. 
Advanced. 
View Certificates. 
Import. 
Enter master password for FireFox (if you don't have one set one here otherwise stolen laptop = easy access). 
Enter in the export password given to you by the dude who created your cert. 
Hit OK like a mad man. 
打开网站会弹出对话框来要求你选择使用哪个证书,选择刚才安装的证书。选择接受服务器证书。现在你可以正常访问服务器拉。如果没弄对的话就会出现400 Bad request certification的错误

发表评论