ssl双向认证 -- openssl生成证书

生成证书

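# --- CA private key and self-signed CA certificate ---

# Generate the CA private key, encrypted at rest with a passphrase.
# -aes256 replaces the original -des3: 3DES is deprecated (112-bit, sweet32).
# This key is the trust root for every certificate below, so keep it
# encrypted and never copy it to the hosts that only use the certificates.
openssl genrsa -aes256 -out ca.key 2048

# Self-signed CA certificate.
# -days: validity in days (5000 is ~13.7 years; fine for a lab CA, far too
#        long for anything production-facing).
# The original passed -nodes here, but -nodes only suppresses key encryption
# when `req` itself generates a key; with -key it is a no-op, so it is dropped.
# -sha256 is the default digest in current OpenSSL and is spelled out so an
# older build never falls back to SHA-1.
openssl req -x509 -new -sha256 -key ca.key -subj "/CN=test" -days 5000 -out ca.crt
# or, to be prompted for the subject fields interactively:
openssl req -x509 -new -sha256 -key ca.key -days 5000 -out ca.crt

# Inspect the certificate. With the stock openssl.cnf the v3_ca section is
# applied, so "X509v3 Basic Constraints: CA:TRUE" should appear -- if it
# does not, clients will refuse to build a chain through this certificate.
openssl x509 -in ca.crt -text -noout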



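# --- Server private key and CA-signed server certificate ---

# Server private key. Left unencrypted so nginx can load it without a
# passphrase prompt; protect it with file permissions instead (chmod 600).
openssl genrsa -out server.key 2048

# Certificate signing request.
# The CN alone is no longer enough for hostname verification: browsers,
# Go, curl and most other TLS clients match the subjectAltName (SAN)
# extension and ignore the CN when a SAN is present (Chrome ignores CN
# entirely). The name the client connects with -- a FQDN, or an alias from
# /etc/hosts -- therefore has to be listed in the SAN added at signing time.
openssl req -new -key server.key -subj "/CN=server" -out server.csr
# or, to enter the subject fields interactively:
openssl req -new -key server.key -out server.csr

# Inspect the CSR and verify its self-signature
openssl req -text -noout -verify -in server.csr

# Extensions for the server leaf certificate:
#  - basicConstraints CA:FALSE   the leaf must not be able to sign other certs
#  - extendedKeyUsage serverAuth pins the cert to the server role, so a client
#                                cert from the same CA cannot be swapped in
#  - subjectAltName              names the client may connect with; use
#                                DNS:name for host names and IP:addr for
#                                addresses (adjust to your own host name)
cat > server-ext.cnf <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:server
EOF

# Sign the CSR with the CA (prompts for the CA key passphrase).
# -CAcreateserial writes ca.srl on first use; keep that file, it is what
# guarantees unique serial numbers for later certificates from this CA.
# `x509 -req` does not copy extensions from the CSR, hence -extfile.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -extfile server-ext.cnf -out server.crt -days 5000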


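# --- Client private key and CA-signed client certificate ---
openssl genrsa -out client.key 2048
openssl req -new -key client.key -subj "/CN=client" -out client.csr

# Extensions for the client leaf certificate.
# extendedKeyUsage=clientAuth is the purpose OpenSSL checks when a server
# verifies a client certificate; basicConstraints=CA:FALSE makes explicit
# that this leaf cannot issue further certificates under the CA (the
# original extfile omitted it and relied on verifier defaults).
printf '%s\n' \
    'basicConstraints=CA:FALSE' \
    'keyUsage=digitalSignature' \
    'extendedKeyUsage=clientAuth' > extfile.cnf

# Sign with the CA (prompts for the CA key passphrase)
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -sha256 -extfile extfile.cnf -out client.crt -days 5000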



生成SAN格式证书

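# --- Certificates carrying a subjectAltName (SAN) ---

# CA key (AES-256 encrypted, passphrase prompted) and self-signed CA cert
openssl genrsa -aes256 -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -sha256 -subj "/CN=CN" -out ca.crt

openssl genrsa -out server.key 2048

# SAN entries: DNS: for host names (wildcards allowed), IP: for addresses.
# The original wrote the address as DNS:192.168.1.2, which a client that
# connects by IP never matches -- IP addresses must use the IP: form.
SERVER_SAN="DNS:localhost,DNS:*.test.com,DNS:test,IP:192.168.1.2"

# CSR carrying the SAN as a request extension (-reqexts). The [SAN] section
# is appended to the system openssl.cnf via process substitution (bash/zsh).
openssl req -new -sha256 \
    -key server.key \
    -subj "/C=CN/OU=zz/O=aa/CN=localhost" \
    -reqexts SAN \
    -config <(cat /etc/ssl/openssl.cnf \
        <(printf "\n[SAN]\nsubjectAltName=%s\n" "$SERVER_SAN")) \
    -out server.csr

# Sign with the CA. `x509 -req` does not copy extensions out of the CSR, so
# the SAN is restated through -extfile/-extensions. CA:FALSE and serverAuth
# pin this certificate to the server role; the client certificate below gets
# clientAuth, so neither can stand in for the other under the same CA.
openssl x509 -req -days 365 -sha256 \
    -in server.csr -out server.crt \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extensions SAN \
    -extfile <(printf "[SAN]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=%s\n" "$SERVER_SAN")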



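# --- Client key and CA-signed client certificate ---
openssl genrsa -out client.key 2048

# A client certificate identifies the client, not the server, so it gets
# its own CN and no server host names in a SAN. The original reused the
# server's subject and SAN list (CN=localhost, DNS:*.test.com, ...) and set
# no extendedKeyUsage, which yields a certificate that is equally valid as
# a server certificate for those names -- client and server identities
# issued by one CA should never be interchangeable.
openssl req -new -sha256 \
    -key client.key \
    -subj "/C=CN/OU=zz/O=aa/CN=client" \
    -out client.csr

# Sign with the CA. CA:FALSE plus extendedKeyUsage=clientAuth restrict the
# certificate to the client role, which is the purpose OpenSSL checks when
# the server verifies the peer certificate (ssl_verify_client in nginx).
openssl x509 -req -days 365 -sha256 \
    -in client.csr -out client.pem \
    -CA ca.crt -CAkey ca.key -CAcreateserial \
    -extensions CLIENT \
    -extfile <(printf "[CLIENT]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n")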

证书格式转换

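# .crt + .key -> PKCS#12 bundle (prompts for an export password; that
# password is the only thing protecting the private key inside the .p12,
# so choose a real one).
# The PBE algorithms are spelled out because OpenSSL 1.x defaults to
# RC2-40-CBC for the certificates, 3DES for the key and a SHA-1 MAC;
# OpenSSL 3.x already defaults to AES-256/PBKDF2/SHA-256, where these
# options change nothing.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key \
    -keypbe AES-256-CBC -certpbe AES-256-CBC -macalg sha256 \
    -out client.p12

# .p12 -> .pem
# -nodes writes the private key UNENCRYPTED into client.pem. Drop -nodes
# (you are then prompted for a new passphrase) if the file will be stored
# anywhere other than the machine that needs it.
openssl pkcs12 -in client.p12 -out client.pem -nodes

# Re-encode an RSA private key as PEM. The output is unencrypted; if the
# input key is passphrase-protected you are prompted for the passphrase.
openssl rsa -in client.key -out client.key.pem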

nginx双向认证

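server {
	listen 8008 ssl; # TLS listener
	server_name 10.10.8.208;

	# Keys and certificates live in /tmp here, which is world-writable and
	# wiped on reboot; for anything beyond a one-off test move them to
	# e.g. /etc/nginx/ssl with the private key mode 0600, owned by root.
	ssl_certificate /tmp/ssl_crt/server/server.crt; # server certificate
	ssl_certificate_key /tmp/ssl_crt/server/server.key; # server private key
	# CA used to verify client certificates; its subject is also advertised
	# to clients in the CertificateRequest so they can pick a matching cert.
	ssl_client_certificate /tmp/ssl_crt/ca/ca.crt;
	# Same purpose but NOT advertised to clients (also used for OCSP
	# stapling). With a single CA this duplicates the line above and may
	# be removed; it is kept for parity with the original configuration.
	ssl_trusted_certificate /tmp/ssl_crt/ca/ca.crt;
	# Revocation: without a CRL a leaked client key stays valid until the
	# certificate's -days expire. Uncomment once the CA publishes one:
	# ssl_crl /tmp/ssl_crt/ca/ca.crl;

	ssl_verify_client on; # require and verify a client certificate
	# Depth of the client chain: leaf signed directly by the CA is depth 1.
	# Raise this only if you introduce intermediate CAs.
	ssl_verify_depth 1;

	ssl_session_cache shared:SSL:1m; # shared session cache size
	ssl_session_timeout 5m; # session lifetime

	# The original enabled SSLv2/SSLv3/TLSv1/TLSv1.1. SSLv2 (DROWN) and
	# SSLv3 (POODLE) are broken, TLS 1.0/1.1 are deprecated (RFC 8996),
	# and nothing that can do client-certificate auth today needs them.
	ssl_protocols TLSv1.2 TLSv1.3;
	# Forward-secret AEAD suites only. The original string admitted
	# +MEDIUM (3DES, 128-bit CBC) and disabled DHE with !DH; TLS 1.3
	# suites are not configured through ssl_ciphers.
	ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
	ssl_prefer_server_ciphers on; # server picks from the list above

	location /ssh_test {
		proxy_redirect off;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
		# If the upstream needs to know who authenticated, forward the
		# verified client identity rather than re-parsing anything:
		# proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
		# proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
		# NOTE: mutual TLS only protects this path if the upstream on
		# port 80 is not reachable directly (bind it to 127.0.0.1 or
		# firewall it); otherwise the client-cert check is bypassable.
		proxy_pass http://localhost:80;
	}
}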
