First, a look at how HTTPS verification works.
1. The client sends the server an SSL request asking for a secure session: "prove your identity, and let us negotiate the symmetric cipher, digital signature algorithm and so on that we will use in a moment..."
----------------->
2. The HTTPS server receives the request and responds to the client by sending it the server certificate (the S certificate).
<----------------
3. The client must verify the S certificate. The client holds the CA's certificate, with which it can check the S certificate (first whether the signature can be decrypted with it, then whether the identifier [the server's domain name/hostname] matches).
The client then generates a symmetric encryption KEY, encrypts the KEY with the S certificate's public key, and sends it to the server.
------------------->
4. The HTTPS server decrypts with its own private key to obtain the KEY. It generates some random data, encrypts it with the KEY, and sends it to the client.
<--------------------
From then on, both sides encrypt the page data with the KEY and transmit it securely.
<--------------------->
We now follow the process above step by step. First, the HTTPS server needs its own S certificate:
openssl genrsa -des3 -out server.key 2048   # generate the server's private key
openssl req -new -key server.key -out server.csr -days 3650   # from that key, generate a certificate signing request (CSR); this is only a request file, not yet a certificate (-days has no effect here, it only matters together with -x509)
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:gd
Locality Name (eg, city) [Newbury]:gz
Organization Name (eg, company) [My Company Ltd]:me
Organizational Unit Name (eg, section) []:me
Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
Second: to be able to issue the HTTPS server's certificate, a CA must be set up.
openssl req -new -x509 -keyout ca.key -out ca.crt -days 3650   # generate the CA (a self-signed certificate plus its private key)
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'sfnca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:gd
Locality Name (eg, city) [Newbury]:gz
Organization Name (eg, company) [My Company Ltd]:ca
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:mail.ca.cn
Email Address []:[email protected]
Third, before issuing the certificate for the HTTPS server, some preparation is needed (the openssl ca command keeps its database under the directory named by dir in openssl.cnf):
[root@mail ssl]# vim /etc/pki/tls/openssl.cnf
#dir = ../../CA        # change this line as follows
dir = /etc/pki/CA
[root@mail ssl]# touch /etc/pki/CA/{index.txt,serial}   # create the database files openssl.cnf refers to
[root@mail ssl]# echo 01 > /etc/pki/CA/serial
[root@mail ssl]# mkdir /etc/pki/CA/newcerts
With the preparation done, the third step proper is to issue the HTTPS server's certificate, signing the CSR with the CA's certificate and key:
openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
With that, clients can reach the HTTPS server over HTTPS.
The HTTPS server can also accept certificates from clients, which gives two-way (mutual) verification.
Fourth step: generate the client certificate, following the same key / CSR / CA-signing sequence as for the server.
openssl genrsa -des3 -out client.key 2048
openssl req -new -key client.key -out client.csr -days 3650
openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Also, this certificate is in Base64 (PEM) form; it has to be converted to PKCS12 before it can be installed in IE or Netscape. The conversion bundles the client certificate and its private key:
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Finally, configure nginx on the HTTPS server so that it supports two-way SSL verification:
ssl on;                                 # deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;" instead
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
ssl_client_certificate ssl/ca.crt;      # CA certificate used to verify client certificates
ssl_verify_client on;                   # enable client-certificate (mutual) authentication
So, if we only require one-way verification, there is no need to install client.p12 in the browser. If we have enabled two-way verification, we need to load our client.p12 into the browser, so that the HTTPS server can verify the client's requests.
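The checks described in step 3 of the handshake (chain validation against the CA certificate and hostname matching) and the one nginx performs with ssl_verify_client on can be reproduced with openssl alone. The script below is an added example, not code from the original post: it assumes openssl 1.1.1 or later on PATH, uses openssl x509 -req in place of the post's openssl ca so that no openssl.cnf or index.txt/serial setup is needed, reuses the post's Common Name lvs.xxx.com, and adds a made-up second CA ("rogue-ca") to show what gets rejected.

```shell
# Added example (not from the original post): build the CA, server and client
# certificates described above in a scratch directory, then run the checks from
# step 3 (chain validation against the CA certificate, hostname match) and the
# one nginx performs with ssl_verify_client on. Assumes openssl 1.1.1+ on PATH;
# lvs.xxx.com is the post's Common Name, rogue-ca is an unrelated CA added here.
set -e
PKI="${PKI:-$(mktemp -d)}"
# new_key_and_csr NAME CN: private key + CSR, as the post's genrsa / req -new
new_key_and_csr() {
  openssl genrsa -out "$PKI/$1.key" 2048 2>/dev/null
  openssl req -new -key "$PKI/$1.key" -subj "/CN=$2" -out "$PKI/$1.csr"
}
# make_ca NAME: self-signed CA (the post's req -x509); basicConstraints is set
# explicitly so the result does not depend on the v3_ca section of openssl.cnf
make_ca() {
  new_key_and_csr "$1" "$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign\n' >"$PKI/$1.ext"
  openssl x509 -req -in "$PKI/$1.csr" -signkey "$PKI/$1.key" -days 365 \
    -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}
# issue_cert NAME CN CA [DNSNAME]: sign NAME's CSR with CA. openssl x509 -req
# stands in for the post's openssl ca (no index.txt/serial/openssl.cnf needed).
# Browsers match the hostname against subjectAltName, not CN, so one is added.
issue_cert() {
  new_key_and_csr "$1" "$2"
  printf 'basicConstraints=CA:FALSE\n%s\n' "${4:+subjectAltName=DNS:$4}" >"$PKI/$1.ext"
  openssl x509 -req -in "$PKI/$1.csr" -CA "$PKI/$3.crt" -CAkey "$PKI/$3.key" \
    -CAcreateserial -days 365 -extfile "$PKI/$1.ext" -out "$PKI/$1.crt" 2>/dev/null
}
build_pki() {
  make_ca ca                                    # the post's ca.key / ca.crt
  make_ca rogue-ca                              # unrelated CA, for contrast
  issue_cert server lvs.xxx.com ca lvs.xxx.com  # the post's server.crt
  issue_cert client alice ca                    # the post's client.crt
  issue_cert intruder mallory rogue-ca          # client cert from the wrong CA
}
# verify_chain CERT CA [HOSTNAME]: the client's check of the server certificate
# (with HOSTNAME) or nginx's check of a client certificate. 0 = accepted.
verify_chain() {
  openssl verify -CAfile "$PKI/$2.crt" ${3:+-verify_hostname $3} "$PKI/$1.crt" \
    >/dev/null 2>&1 && echo "ok: $1 via $2${3:+ for $3}" && return 0
  echo "REJECT: $1 via $2${3:+ for $3}"; return 1
}
build_pki
verify_chain server ca lvs.xxx.com       # ok
verify_chain server ca other.host || :   # REJECT: hostname mismatch
verify_chain client ca                   # ok, nginx admits this client
verify_chain intruder ca || :            # REJECT: wrong CA, ssl_verify_client refuses it
```

The last two calls are the server side of mutual TLS: a client certificate chains to the CA in ssl_client_certificate or the connection is refused, regardless of how valid the certificate is under some other CA.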