生成证书链
用脚本生成一个根证书, 一个中间证书(intermediate), 三个客户端证书.
中间证书的域名为 localhost.
- #!/bin/bash -x
- set -e
- for C in `echo root-ca intermediate`; do
- mkdir $C
- cd $C
- mkdir certs crl newcerts private
- cd ..
- echo 1000 > $C/serial
- touch $C/index.txt $C/index.txt.attr
- echo '
- [ ca ]
- default_ca = CA_default
- [ CA_default ]
- dir = '$C' # Where everything is kept
- certs = $dir/certs # Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt # database index file.
- new_certs_dir = $dir/newcerts # default place for new certs.
- certificate = $dir/cacert.pem # The CA certificate
- serial = $dir/serial # The current serial number
- crl = $dir/crl.pem # The current CRL
- private_key = $dir/private/ca.key.pem # The private key
- RANDFILE = $dir/.rnd # private random number file
- nameopt = default_ca
- certopt = default_ca
- policy = policy_match
- default_days = 365
- default_md = sha256
- [ policy_match ]
- countryName = optional
- stateOrProvinceName = optional
- organizationName = optional
- organizationalUnitName = optional
- commonName = supplied
- emailAddress = optional
- [req]
- req_extensions = v3_req
- distinguished_name = req_distinguished_name
- [req_distinguished_name]
- [v3_req]
- basicConstraints = CA:TRUE
- ' > $C/openssl.conf
- done
- openssl genrsa -out root-ca/private/ca.key 2048
- openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca'
- openssl genrsa -out intermediate/private/intermediate.key 2048
- openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key -out intermediate/certs/intermediate.csr -subj '/CN=localhost.'
- openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crt
- mkdir out
- for I in `seq 1 3` ; do
- openssl req -new -keyout out/$I.key -out out/$I.request -days 365 -nodes -subj "/CN=$I.example.com" -newkey rsa:2048
- openssl ca -batch -config root-ca/openssl.conf -keyfile intermediate/private/intermediate.key -cert intermediate/certs/intermediate.crt -out out/$I.crt -infiles out/$I.request
- done
服务器
nginx 配置
- worker_processes 1;
- events {
- worker_connections 1024;
- }
- stream{
- upstream backend{
- server 127.0.0.1:8080;
- }
- server {
- listen 8888 ssl;
- proxy_pass backend;
- ssl_certificate intermediate.crt;
- ssl_certificate_key intermediate.key;
- ssl_verify_depth 2;
- ssl_client_certificate root.crt;
- ssl_verify_client optional_no_ca;
- }
- }
客户端
- curl -I -vv -x https://localhost:8888/ --proxy-cert client1.crt --proxy-key client1.key --proxy-cacert ca.crt https://www.baidu.com/
总结
以上就是这篇文章的全部内容了,希望本文的内容对大家的学习或者工作具有一定的参考学习价值,谢谢大家对w3xue的支持。如果你想了解更多相关内容请查看下面相关链接
经验首页