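How SSL Works
The four-step SSL handshake
We take HTTP + SSL as the example.
A user on a personal PC wants to use China Merchants Bank's online banking and will enter sensitive information such as the card number and password. The data must therefore be transmitted encrypted (symmetric encryption is used for the bulk of the data), and the user must be sure that the other end really is the China Merchants Bank site.
Client                HTTPS Server
1. The client first sends an SSL request to the server asking for a secure session: "prove your identity, and let us negotiate which symmetric encryption algorithm, digital signature algorithm, and so on we are going to use."
----------------->
2. The HTTPS server receives the request and responds by sending its certificate (the S certificate) to the client.
<----------------
3. The client has to verify the S certificate. It holds the CA's certificate, so it can check the S certificate with it (first whether it can be decrypted with the CA's public key, that is, whether the CA's signature verifies, then whether the identity [server domain name / host name] matches).
The client then generates a symmetric encryption key (KEY), encrypts KEY with the S public key, and sends it to the server.
------------------->
4. The HTTPS server decrypts with its own private key to obtain KEY. It generates some random data, encrypts it with KEY, and sends it to the client.
<--------------------
From then on, both sides encrypt the page data with KEY and transfer it securely.
<--------------------->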
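Steps 3 and 4 above, carried out by hand with the openssl command line so that both sides' operations are visible. This is an added example, not part of the original tutorial; the file names and the test message are made up.

```sh
#!/bin/sh
# Added example (not from the original page): handshake steps 3 and 4 by hand.
# File names under the temporary directory are made up for this demo.
set -e

key_transport_demo() {
    work=$(mktemp -d)
    # Server: RSA key pair; the public half is what the S certificate carries.
    openssl genrsa -out "$work/server.key" 2048 2>/dev/null
    openssl rsa -in "$work/server.key" -pubout -out "$work/server.pub" 2>/dev/null

    # Step 3, client: random 256-bit KEY, encrypted with S's public key.
    openssl rand -hex 32 > "$work/client.KEY"
    openssl pkeyutl -encrypt -pubin -inkey "$work/server.pub" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/client.KEY" -out "$work/KEY.enc"

    # Step 4, server: recover KEY with the private key ...
    openssl pkeyutl -decrypt -inkey "$work/server.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$work/KEY.enc" -out "$work/server.KEY"
    # ... then send data encrypted under KEY, with a fresh IV sent alongside
    # (a fixed test string stands in for the random data here).
    iv=$(openssl rand -hex 16)
    printf 'hello from server' |
        openssl enc -aes-256-cbc -K "$(cat "$work/server.KEY")" -iv "$iv" \
            -out "$work/msg.enc"

    # Client: decrypt with its own copy of KEY. Readable output means both
    # sides hold the same KEY, and only the private-key holder could get it.
    openssl enc -d -aes-256-cbc -K "$(cat "$work/client.KEY")" -iv "$iv" \
        -in "$work/msg.enc"
    rm -rf "$work"
}

key_transport_demo; echo
```

RSA key transport of this kind gives no forward secrecy, and TLS 1.3 removed it in favour of (EC)DHE key exchange; the certificate check in step 3 is unchanged.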
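Issuing self-signed certificates, step by step:
1. First generate the server's private key (key file):
# cd /usr/local/nginx/conf/ssl
# openssl genrsa -des3 -out server.key 2048
When run, it prompts for a passphrase, which is used to encrypt the key file (the des3 parameter names the encryption algorithm; you can of course choose another algorithm that you consider secure). From then on, whenever this file is read (through the openssl commands or the API) the passphrase must be entered. If that is inconvenient you can remove the passphrase, but you must then protect the file by other means!
Command to remove the passphrase from the key file:
# openssl rsa -in server.key -out server.key
Note: after running this command, starting NGINX no longer requires entering the passphrase.
2. Use server.key to generate a certificate request: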
[root@mail ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:uplooking
Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
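This generates the Certificate Signing Request (CSR); once the generated csr file has been signed by a CA, it becomes the server's own certificate. Follow the prompts to supply the basic information for the server certificate.
3. Run the same commands for the client to generate its key and csr files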
[root@mail ssl]# openssl genrsa -des3 -out client.key 2048
[root@mail ssl]# openssl req -new -key client.key -out client.csr
Enter pass phrase for client.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:uplooking
Organizational Unit Name (eg, section) []:uplooking
Common Name (eg, your name or your server's hostname) []:lvs.xxx.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
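4. The generated CSR file must be signed by a CA before it becomes a certificate. Here we build our own CA; this step generates a key file ca.key and a root certificate ca.crt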
[root@mail ssl]# openssl req -new -x509 -keyout ca.key -out ca.crt
Generating a 1024 bit RSA private key
.............++++++
...........++++++
writing new private key to 'sfnca.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:cn
State or Province Name (full name) [Berkshire]:cn
Locality Name (eg, city) [Newbury]:bj
Organization Name (eg, company) [My Company Ltd]:ca
Organizational Unit Name (eg, section) []:ca
Common Name (eg, your name or your server's hostname) []:mail.ca.cn
Email Address []:[email protected]
Preparation for signing:
[root@mail ssl]# vim /etc/pki/tls/openssl.cnf
#dir = ../../CA    # change to the following
dir = /etc/pki/CA
[root@mail ssl]# touch /etc/pki/CA/{index.txt,serial}    # create the files required by openssl.cnf
[root@mail ssl]# echo 01 > /etc/pki/CA/serial
[root@mail ssl]# mkdir /etc/pki/CA/newcerts
5. Use the generated CA certificate (ca.crt) to sign the server.csr and client.csr files created earlier
[root@mail ssl]# openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 3 (0x3)
Validity
Not Before: Nov 29 03:48:44 2010 GMT
Not After : Nov 29 03:48:44 2011 GMT
Subject:
countryName = cn
stateOrProvinceName = cn
organizationName = uplooking
organizationalUnitName = uplooking
commonName = lvs.xxx.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
02:B3:76:13:64:EB:04:D2:6C:9E:72:86:F5:A3:CE:84:19:EA:C6:DB
X509v3 Authority Key Identifier:
keyid:25:F6:E6:C4:5D:AD:02:DA:76:9F:74:FF:E4:0F:CC:45:55:CC:06:A7
Certificate is to be certified until Nov 29 03:48:44 2011 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
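[root@mail ssl]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key    # signing steps are the same as above
In addition, this certificate is in BASE64 form; it has to be converted to PKCS12 before it can be installed in IE or Netscape. Convert it as follows:
Double-click the result to install it.
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
This is the certificate format that iOS requires.
openssl x509 -in client.crt -out client.cer
This is the certificate format that Android requires.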
[root@mail ssl]# openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
Enter pass phrase for client.key: // passphrase of the client private key
Enter Export Password: // password that will be required when importing the pfx file
Verifying - Enter Export Password:
Files used by the client: ca.crt, client.crt, client.key, client.pfx
Files used by the server: ca.crt, server.crt, server.key
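The five steps above run without prompts, followed by the checks that a client and nginx rely on (chain, host name, key/certificate pairing). This is an added example, not part of the original tutorial: it signs with openssl x509 -req instead of openssl ca so that no /etc/pki/CA setup is needed, uses 2048-bit keys and SHA-256 throughout (the transcript above shows a 1024-bit CA key), and the names client1 and Demo Root CA are made up.

```sh
#!/bin/sh
# Added example (not from the original page). "client1" and "Demo Root CA"
# are made-up names; lvs.xxx.com is the page's own host name.
set -e

build_pki() (                      # $1 = existing output directory, $2 = server host name
    umask 077                      # keys are written unencrypted: keep them private
    d=$1; host=$2
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/req.cnf"
    # Step 4: CA key plus self-signed root certificate.
    openssl req -config "$d/req.cnf" -new -x509 -newkey rsa:2048 -nodes -sha256 \
        -days 365 -subj "/C=cn/O=ca/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    # Steps 1-3: key and CSR for the server and for the client.
    for who in server client; do
        if [ "$who" = server ]; then cn=$host; else cn=client1; fi
        openssl req -config "$d/req.cnf" -new -newkey rsa:2048 -nodes -sha256 \
            -subj "/C=cn/O=uplooking/CN=$cn" \
            -keyout "$d/$who.key" -out "$d/$who.csr" 2>/dev/null
    done
    # Step 5: sign both CSRs; the server certificate also gets a subjectAltName.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$d/server.ext"
    openssl x509 -req -sha256 -days 365 -in "$d/server.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -extfile "$d/server.ext" \
        -out "$d/server.crt" 2>/dev/null
    openssl x509 -req -sha256 -days 365 -in "$d/client.csr" -CA "$d/ca.crt" \
        -CAkey "$d/ca.key" -CAcreateserial -out "$d/client.crt" 2>/dev/null
)

check_pki() {                      # returns non-zero on the first failed check
    d=$1; host=$2
    # Chain: both certificates must verify against ca.crt.
    openssl verify -CAfile "$d/ca.crt" "$d/server.crt" "$d/client.crt" \
        >/dev/null 2>&1 || return 1
    # Identity (handshake step 3): the server certificate must cover the host.
    openssl x509 -in "$d/server.crt" -noout -checkhost "$host" |
        grep -q 'does match' || return 1
    # Pairing: server.key must be the private half of server.crt.
    [ "$(openssl x509 -in "$d/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$d/server.key" -pubout)" ]
}

out=$(mktemp -d)
build_pki "$out" lvs.xxx.com
check_pki "$out" lvs.xxx.com && echo "certificates in $out verified"
```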
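Configure nginx as follows:
ssl on;    # obsolete since nginx 1.15.0; newer versions use "listen 443 ssl;" instead
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
#ssl_client_certificate ssl/client/client.crt;
ssl_client_certificate ssl/ca.crt;    # CA certificate
ssl_verify_client on;    # enable client-certificate (two-way) authentication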
#ssl_protocols SSLv2 SSLv3 TLSv1;
#ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
#ssl_prefer_server_ciphers on;
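Installing and using the certificates
Install the certificates generated above, the root certificate ca.crt and the client certificate client.crt (client.pfx), on the client:
ca.crt goes into the trusted authorities store, and client.crt is installed directly in Windows or into the personal certificate store.
Then access the HTTP and HTTPS servers by IP. In IE we normally import the client.pfx certificate;
the import prompts for the password set above: 123456
Test: https://lvs.xxx.com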