生成证书链

用脚本生成一个根证书, 一个中间证书(intermediate), 三个客户端证书.

脚本来源于(有修改)
https://stackoverflow.com/que...

中间证书的域名为 localhost.



#!/bin/bash -x

set -e

for C in `echo root-ca intermediate`; do

  mkdir $C

  cd $C

  mkdir certs crl newcerts private

  cd ..

  echo 1000 > $C/serial

  touch $C/index.txt $C/index.txt.attr

  echo '

[ ca ]

default_ca = CA_default

[ CA_default ]

dir            = '$C'    # Where everything is kept

certs          = $dir/certs                # Where the issued certs are kept

crl_dir        = $dir/crl                # Where the issued crl are kept

database       = $dir/index.txt            # database index file.

new_certs_dir  = $dir/newcerts            # default place for new certs.

certificate    = $dir/cacert.pem                # The CA certificate

serial         = $dir/serial                # The current serial number

crl            = $dir/crl.pem                # The current CRL

private_key    = $dir/private/ca.key.pem       # The private key

RANDFILE       = $dir/.rnd     # private random number file

nameopt        = default_ca

certopt        = default_ca

policy         = policy_match

default_days   = 365

default_md     = sha256

[ policy_match ]

countryName            = optional

stateOrProvinceName    = optional

organizationName       = optional

organizationalUnitName = optional

commonName             = supplied

emailAddress           = optional

[req]

req_extensions = v3_req

distinguished_name = req_distinguished_name

[req_distinguished_name]

[v3_req]

basicConstraints = CA:TRUE

' > $C/openssl.conf

done

openssl genrsa -out root-ca/private/ca.key 2048

openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca'

openssl genrsa -out intermediate/private/intermediate.key 2048

openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key -out intermediate/certs/intermediate.csr -subj '/CN=localhost.'

openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crt

mkdir out

for I in `seq 1 3` ; do

  openssl req -new -keyout out/$I.key -out out/$I.request -days 365 -nodes -subj "/CN=$I.example.com" -newkey rsa:2048

  openssl ca -batch -config root-ca/openssl.conf -keyfile intermediate/private/intermediate.key -cert intermediate/certs/intermediate.crt -out out/$I.crt -infiles out/$I.request

done

服务器

nginx 配置



worker_processes  1;

events {

    worker_connections  1024;

}

stream{

    upstream backend{

        server 127.0.0.1:8080;

    }

    server {

        listen 8888 ssl;

        proxy_pass backend;

        ssl_certificate      intermediate.crt;

        ssl_certificate_key  intermediate.key;

        ssl_verify_depth 2;

        ssl_client_certificate root.crt;

        ssl_verify_client optional_no_ca;

    }

}

客户端



curl \

  -I \

  -vv \

  -x https://localhost:8888/ \

  --proxy-cert client1.crt \

  --proxy-key client1.key \

  --proxy-cacert ca.crt \

  https://www.baidu.com/

来源:https://segmentfault.com/a/1190000018078828

nginx 代理服务器配置双向证书验证的更多相关文章

  1. nginx配置ssl双向证书

    CA根证书制作 # 创建CA私钥 openssl genrsa -out ca.key 2048 #制作CA根证书(公钥) openssl req -new -x509 -days 3650 -key ...

  2. nginx 配置 ssl 双向证书

    CA 根证书制作 # 创建 CA 私钥 openssl genrsa -out ca.key 2048 #制作 CA 根证书(公钥) openssl req -new -x509 -days 3650 ...

  3. nginx配置https双向验证(ca机构证书+自签证书)

    nginx配置https双向验证 服务端验证(ca机构证书) 客户端验证(服务器自签证书) 本文用的阿里云签发的免费证书实验,下载nginx安装ssl,文件夹有两个文件 这两个文件用于做服务器http ...

  4. CAS (5) —— Nginx代理模式下浏览器访问CAS服务器配置详解

    CAS (5) -- Nginx代理模式下浏览器访问CAS服务器配置详解 tomcat版本: tomcat-8.0.29 jdk版本: jdk1.8.0_65 nginx版本: nginx-1.9.8 ...

  5. 使用nginx代理kibana并配置登录验证

    由于kibana不支持登录验证,谁都可以访问,放到公网就不合适了,这里配置用nginx进行代理: 生成密码文件 如果安装了httpd可以用htpasswd,比较方便: htpasswd -c /roo ...

  6. haproxy代理kibana、nginx代理kibana并实现登录验证

    在使用ELK进行日志统计的时候,由于Kibana自身并没有身份验证的功能,任何人只要知道链接地址就可以正常登录到Kibana控制界面,由于日常的查询,添加和删除日志都是在同一个web中进行,这样就有极 ...

  7. nginx 反向代理及 https 证书配置

    nginx 反向代理及 https 证书配置 author: yunqimg(ccxtcxx0) 1. 编译安装nginx 从官网下载 nginx源码, 并编译安装. ./configure --pr ...

  8. 使用nginx代理kibana并设置身份验证

    1.在es-sever上安装nginx #wget http://nginx.org/download/nginx-1.8.1.tar.gz #tar xvf nginx-1.8.1.tar.gz # ...

  9. Nginx、SSL双向认证、PHP、SOAP、Webservice、https

    本文是1:1模式,N:1模式请参见新的一篇博客<SSL双向认证(高清版)> ----------------------------------------------------- 我是 ...

随机推荐

  1. 【SharePoint 2010】SharePoint 2010开发方面的课堂中整理有关问题

    SharePoint 2010开发方面的课堂中整理有关问题陈希章 ares@xizhang.com1. 对于SharePoint的体系结构不甚清楚,觉得有点乱了解了就不会觉得乱了,请理解1) 场服务 ...

  2. 给vmware虚拟机设置Ip,使用xshell远程连接Centos

    参考下面两位的分享才弄好,发表之前先对原作者表示感谢! 给Centos配置网络以及使用xshell远程连接Centos http://www.cnblogs.com/fuly550871915/p/4 ...

  3. util 常用方法

    C:\Program Files\Java\jdk1.8.0_171\src.zip!\java\lang\System.java /** * Returns the current time in ...

  4. mysql - json - look up subobjects or nested values directly by key or array index without reading all values

    w https://dev.mysql.com/doc/refman/5.7/en/json.html

  5. rabbitmq延迟队列相关

    https://blog.csdn.net/qq_26656329/article/details/77891793        --------------rabbitmq queue_decla ...

  6. flask中的blueprint

    https://blog.csdn.net/sunhuaqiang1/article/details/72803336

  7. Win查询注册表获取CPU与内存参数

    #include "stdafx.h" void dump_machine_info( HANDLE fh ) { CHAR Str[MAX_PATH*3]; CHAR MHzSt ...

  8. sdut3138: N!(计算n!中结尾零的个数)

    题目:http://acm.sdut.edu.cn/sdutoj/problem.php?action=showproblem&problemid=3138 算法思想:在1-10两个数相乘要产 ...

  9. Mozilla Network Security Services拒绝服务漏洞

    解决办法: 运行 yum update nss yum update nss

  10. 使用cygwin移植Linux的项目到Windows下之总结(转)

    使用cygwin移植Linux的项目到Windows下之总结(转) 原文 http://my.oschina.net/michaelyuanyuan/blog/68615?p=1   一.why   ...