1.openssl自制证书
备注: O=公司/组织名称, OU=部门/组织单元（不必与 O 相同; 下面示例两者都填 gongsi 只是占位）
①生成根证书
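# 1) Root CA: private key + self-signed certificate.
# 1024-bit RSA has been disallowed by NIST since 2013 and is rejected by strict TLS
# stacks; use >= 2048 bits. Consider encrypting the CA key (`genrsa -aes256 ...`):
# whoever holds it can mint client certificates that nginx will accept.
openssl genrsa -out ca-key.pem 2048
openssl req -new -key ca-key.pem -out ca-req.csr -subj "/C=CN/ST=SZ/L=SZ/O=gongsi/OU=gongsi/CN=CA"
# Mark the certificate as a CA (basicConstraints/keyUsage) so strict verifiers
# accept it as a trust anchor; a bare `x509 -req` emits a v1 cert with no extensions.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca-ext.cnf
openssl x509 -req -in ca-req.csr -signkey ca-key.pem -extfile ca-ext.cnf -days 3650 -out ca-cert.pem
# Do NOT run the signing step a second time to obtain a .cer: that issues a second
# CA certificate (new serial) for the same key. ".cer" is only a file extension;
# copy the PEM, or use `-outform DER` if a binary .cer is required by the importer.
cp ca-cert.pem ca-cert.cer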
②生成服务器证书
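# 2) Server certificate issued by the CA above.
# Note: CN must be the site's host name, but modern browsers ignore CN and require
# the name in subjectAltName — so it is added as an extension at signing time.
openssl genrsa -out server-key.pem 2048
openssl req -new -key server-key.pem -out server-req.csr -subj "/C=CN/ST=SZ/L=SZ/O=gongsi/OU=gongsi/CN=xx.com"
printf 'subjectAltName=DNS:xx.com\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' > server-ext.cnf
# Sign with the CA key only. The original passed -signkey (self-sign) together with
# -CA/-CAkey: OpenSSL 3.x refuses that combination, and on 1.x it is at best redundant.
# A 365-day lifetime is more sensible for a leaf than 10 years; re-issue as needed.
openssl x509 -req -in server-req.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -extfile server-ext.cnf -days 365 -out server-cert.pem
# Confirm the chain actually validates against the CA before deploying.
openssl verify -CAfile ca-cert.pem server-cert.pem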
③生成客户端证书
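# 3) Client certificate (imported into the user's browser for mTLS).
# Note: CN here is the *client's* identity (user, device, service) — not the
# web site's domain. nginx exposes it to the backend as $ssl_client_s_dn, so give
# each client a distinguishable subject; `client01` below is a placeholder.
openssl genrsa -out client-key.pem 2048
openssl req -new -key client-key.pem -out client-req.csr -subj "/C=CN/ST=SZ/L=SZ/O=gongsi/OU=gongsi/CN=client01"
printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > client-ext.cnf
# Sign with the CA key only (no -signkey: OpenSSL 3.x rejects -signkey together with -CA).
openssl x509 -req -in client-req.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -extfile client-ext.cnf -days 365 -out client-cert.pem
# A .cer copy is the same PEM data; re-signing would issue a second certificate
# with a new serial, which makes later revocation/auditing confusing.
cp client-cert.pem client-cert.cer
openssl verify -CAfile ca-cert.pem client-cert.pem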
④导出客户端证书(用户浏览器导入)
# 4) Bundle the client certificate and its private key as PKCS#12 for browser import.
# `-export` prompts for an export password; the .p12 contains the private key, so
# hand it to the user out of band and delete local copies after import.
# NOTE(review): OpenSSL 3.x defaults to PBES2/AES for the bundle; some older
# importers only understand the legacy encoding (`-legacy`) — confirm on the target.
openssl pkcs12 -export -clcerts -out client.p12 -inkey client-key.pem -in client-cert.cer
2.nginx配置
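# HTTPS server with mandatory client-certificate (mTLS) authentication.
# The server certificate is issued by a public CA; client certificates are
# validated against the self-made root CA generated in section 1.
server {
    listen 443 ssl;
    server_name xx.com;

    ssl_certificate     /home/opt/ssl/3150613_xx.pem;   # issued by a public CA
    ssl_certificate_key /home/opt/ssl/3150613_xx.key;   # issued by a public CA

    # Trust anchor for client certificates: the self-made root CA certificate (public part).
    ssl_client_certificate /home/opt/ht/ca-cert.pem;
    ssl_verify_client on;    # handshake fails unless a valid client certificate is presented
    ssl_verify_depth 1;      # clients are signed directly by the root; no intermediates
    # Without a CRL there is no revocation: a leaked client certificate stays valid
    # until it expires. Publish a CRL from the CA and point ssl_crl at it.
    # ssl_crl /home/opt/ht/ca-crl.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 needs nginx >= 1.13.0 built
    # against OpenSSL >= 1.1.1; drop it from the list if the build is older.
    ssl_protocols TLSv1.2 TLSv1.3;
    # Forward-secret AEAD suites only. The previous list (ECDH:AES:HIGH) also admitted
    # static-key and CBC/SHA-1 suites.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        # X-Forwarded-For appends to a client-supplied header; the backend must only
        # trust the last hop (this proxy), not the whole list.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Tell the backend *who* authenticated, not just that some valid cert was shown.
        # proxy_set_header overwrites any client-supplied header of the same name, so the
        # backend can rely on these as long as webUpstream is reachable only through nginx.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-S-DN $ssl_client_s_dn;
        proxy_pass http://webUpstream;
    }
}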