https(双向认证)流程 ssl协议理解, nginx https双向认证配置


首先学习https认证流程(单向认证或者双向认证)以及ssl基本知识:

https基础知识

理论知识转化为实际使用过程:

nginx双向认证

按照上文配置nginx后,为server.csr签名的时候没问题,但是为client.csr签名的时候报错了:

[root@hdytest03 vhost]#  openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key  
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 2 (0x2)
        Validity
            Not Before: Oct 28 06:25:11 2014 GMT
            Not After : Oct 28 06:25:11 2015 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = sh
            organizationName          = yz
            organizationalUnitName    = pd
            commonName                = cas.sse.com
            emailAddress              = 747985086@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4D:81:D7:94:63:DD:1D:21:5A:D9:E8:94:B3:55:98:5E:9F:D1:26:F7
            X509v3 Authority Key Identifier: 
                keyid:38:3C:4E:71:13:94:D4:6F:AB:A1:B7:29:8D:44:43:8C:0F:AF:05:79


Certificate is to be certified until Oct 28 06:25:11 2015 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2



百度后解决如下:

  • openssl无法同时建两个crt文件——建完server.crt 后,建立client.crt时报错。原因:`openssl ca` 在把新证书写入 CA 数据库(index.txt)时发现库里已有同一 Subject 的有效证书(index.txt.attr 中 unique_subject 默认为 yes),于是报 "failed to update database / TXT_DB error number 2";从上面的输出看,client.csr 的 Subject(commonName = cas.sse.com)很可能与 server.csr 完全相同。
解决:删掉上次server.crt时生成的demoCA/index.txt,再touch一个新的,即可。(参考这里解决)如果不想清空 CA 数据库,也可以把 index.txt.attr 里的 unique_subject 改为 no,或者给客户端证书使用不同的 Subject(例如不同的 commonName)。

[root@hdytest03 CA]# cd /etc/pki/CA
[root@hdytest03 CA]# ll
total 36
drwxr-xr-x. 2 root root 4096 Oct 31  2011 certs
drwxr-xr-x. 2 root root 4096 Oct 31  2011 crl
-rw-r--r--  1 root root   96 Oct 28 14:37 index.txt
-rw-r--r--  1 root root   21 Oct 28 14:37 index.txt.attr
-rw-r--r--  1 root root   21 Oct 28 14:18 index.txt.attr.old
-rw-r--r--  1 root root    0 Oct 28 14:33 index.txt.old
drwxr-xr-x. 2 root root 4096 Oct 28 14:18 newcerts
drwx------. 2 root root 4096 Oct 31  2011 private
-rw-r--r--  1 root root    3 Oct 28 14:37 serial
-rw-r--r--  1 root root    3 Oct 28 14:36 serial.old
[root@hdytest03 CA]# rm -f index.txt


重新生成一下:

# touch /etc/pki/CA/{index.txt,serial}

#echo 01 > /etc/pki/CA/serial


[root@hdytest03 vhost]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key  
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Oct 28 06:37:33 2014 GMT
            Not After : Oct 28 06:37:33 2015 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = sh
            organizationName          = yz
            organizationalUnitName    = pd
            commonName                = cas.sse.com
            emailAddress              = 747985086@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                4D:81:D7:94:63:DD:1D:21:5A:D9:E8:94:B3:55:98:5E:9F:D1:26:F7
            X509v3 Authority Key Identifier: 
                keyid:38:3C:4E:71:13:94:D4:6F:AB:A1:B7:29:8D:44:43:8C:0F:AF:05:79


Certificate is to be certified until Oct 28 06:37:33 2015 GMT (365 days)
Sign the certificate? [y/n]:y




1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated




这样就ok了。。。注意:删掉 index.txt 并把 serial 重置为 01 之后,CA 不再保留 server.crt 的签发记录,而 client.crt 拿到的序列号是 1(见上面的 Serial Number: 1);第一次尝试时分配的是 2,说明 server.crt 很可能也是序列号 1。同一个 CA 签发两张序列号相同的证书,之后就无法用 CRL 正确吊销其中一张,部分客户端也会按"签发者 + 序列号"识别证书而出错。生产环境应保留 CA 数据库,改为在 index.txt.attr 中设置 unique_subject = no,或给客户端证书使用不同的 Subject。


附上openssl配置文件(下面贴出的是 /etc/pki/tls/openssl.cnf 末尾的 [ tsa ] 部分,与本次签名相关的 [ CA_default ] 段不在其中):

[root@hdytest03 CA]# vim /etc/pki/tls/openssl.cnf




#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName


# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo


####################################################################
[ tsa ]


default_tsa = tsa_config1       # the default TSA section


[ tsa_config1 ]


# These are used by the TSA reply generation only.
dir             = ./demoCA              # TSA root directory
serial          = $dir/tsaserial        # The current serial number (mandatory)
crypto_device   = builtin               # OpenSSL engine to use for signing
signer_cert     = $dir/tsacert.pem      # The TSA signing certificate
                                        # (optional)
certs           = $dir/cacert.pem       # Certificate chain to include in reply
                                        # (optional)
signer_key      = $dir/private/tsakey.pem # The TSA private key (optional)


default_policy  = tsa_policy1           # Policy if request did not specify it
                                        # (optional)
other_policies  = tsa_policy2, tsa_policy3      # acceptable policies (optional)
digests         = md5, sha1             # Acceptable message digests (mandatory)
accuracy        = secs:1, millisecs:500, microsecs:100  # (optional)
clock_precision_digits  = 0     # number of digits after dot. (optional)
ordering                = yes   # Is ordering defined for timestamps?
                                # (optional, default: no)
tsa_name                = yes   # Must the TSA name be included in the reply?
                                # (optional, default: no)
ess_cert_id_chain       = no    # Must the ESS cert id chain be included?
                                # (optional, default: no)
"/etc/pki/tls/openssl.cnf" 352L, 10906C                                                                                                               352,5-33      Bot
                                # (optional, default: no)




