HTTPS (mutual authentication) flow, understanding the SSL protocol, and nginx HTTPS mutual-authentication configuration
Source: Internet  Published: 深入浅出sql 中文版  Editor: 程序博客网  Time: 2024/05/17 23:03
First, study the HTTPS authentication flow (one-way or mutual authentication) and the basics of SSL:
HTTPS basics
Then turn the theory into practice:
nginx mutual authentication
After configuring nginx as described above, signing server.csr worked fine, but signing client.csr failed:
[root@hdytest03 vhost]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Oct 28 06:25:11 2014 GMT
Not After : Oct 28 06:25:11 2015 GMT
Subject:
countryName = cn
stateOrProvinceName = sh
organizationName = yz
organizationalUnitName = pd
commonName = cas.sse.com
emailAddress = 747985086@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4D:81:D7:94:63:DD:1D:21:5A:D9:E8:94:B3:55:98:5E:9F:D1:26:F7
X509v3 Authority Key Identifier:
keyid:38:3C:4E:71:13:94:D4:6F:AB:A1:B7:29:8D:44:43:8C:0F:AF:05:79
Certificate is to be certified until Oct 28 06:25:11 2015 GMT (365 days)
Sign the certificate? [y/n]:y
failed to update database
TXT_DB error number 2
After searching on Baidu, the fix was as follows:
- openssl cannot create two crt files in a row: after server.crt has been created, creating client.crt fails
[root@hdytest03 CA]# cd /etc/pki/CA
[root@hdytest03 CA]# ll
total 36
drwxr-xr-x. 2 root root 4096 Oct 31 2011 certs
drwxr-xr-x. 2 root root 4096 Oct 31 2011 crl
-rw-r--r-- 1 root root 96 Oct 28 14:37 index.txt
-rw-r--r-- 1 root root 21 Oct 28 14:37 index.txt.attr
-rw-r--r-- 1 root root 21 Oct 28 14:18 index.txt.attr.old
-rw-r--r-- 1 root root 0 Oct 28 14:33 index.txt.old
drwxr-xr-x. 2 root root 4096 Oct 28 14:18 newcerts
drwx------. 2 root root 4096 Oct 31 2011 private
-rw-r--r-- 1 root root 3 Oct 28 14:37 serial
-rw-r--r-- 1 root root 3 Oct 28 14:36 serial.old
[root@hdytest03 CA]# rm -f index.txt
Then recreate the database files:
# touch /etc/pki/CA/{index.txt,serial}
# echo 01 > /etc/pki/CA/serial
[root@hdytest03 vhost]# openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for ca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Oct 28 06:37:33 2014 GMT
Not After : Oct 28 06:37:33 2015 GMT
Subject:
countryName = cn
stateOrProvinceName = sh
organizationName = yz
organizationalUnitName = pd
commonName = cas.sse.com
emailAddress = 747985086@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
4D:81:D7:94:63:DD:1D:21:5A:D9:E8:94:B3:55:98:5E:9F:D1:26:F7
X509v3 Authority Key Identifier:
keyid:38:3C:4E:71:13:94:D4:6F:AB:A1:B7:29:8D:44:43:8C:0F:AF:05:79
Certificate is to be certified until Oct 28 06:37:33 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
That fixed it.
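An added example, not from the original post, that reproduces the check behind this error against a constructed copy of the CA database: openssl ca refuses to sign a CSR whose subject DN already has a valid entry in index.txt while unique_subject is yes (the default), and reports it as TXT_DB error number 2. The subject DN and the index.txt layout are taken from the page; the helper names and the sample entry are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the check behind
# "TXT_DB error number 2" against a constructed copy of the CA database.
# `openssl ca` records each issued certificate in index.txt as one tab-separated
# line: status (V/R/E), expiry, revocation date, serial, filename, subject DN.
# With unique_subject = yes (the default), a CSR whose subject already has a
# valid (V) entry is rejected with TXT_DB error number 2.

# Constructed sample: one valid entry with the subject DN shown in the runs
# above (the failing run proves such an entry existed when client.csr was signed).
SUBJECT='/C=cn/ST=sh/O=yz/OU=pd/CN=cas.sse.com/emailAddress=747985086@qq.com'
SAMPLE_DB="$(printf 'V\t151028062511Z\t\t01\tunknown\t%s' "$SUBJECT")"

# ca_db_has_valid_subject DBFILE SUBJECT
# exit 0 if DBFILE holds a valid (status V) entry whose subject equals SUBJECT
ca_db_has_valid_subject() {
    awk -F '\t' -v s="$2" '$1 == "V" && $6 == s { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# unique_subject_enabled ATTRFILE
# exit 0 unless index.txt.attr explicitly sets "unique_subject = no"
unique_subject_enabled() {
    if [ -f "$1" ] && grep -Eq '^[[:space:]]*unique_subject[[:space:]]*=[[:space:]]*no' "$1"; then
        return 1
    fi
    return 0
}

# will_sign_fail DBFILE ATTRFILE SUBJECT
# exit 0 when `openssl ca` would reject SUBJECT with TXT_DB error number 2
will_sign_fail() {
    unique_subject_enabled "$2" && ca_db_has_valid_subject "$1" "$3"
}

# Demonstration on the constructed sample, written only to a temporary directory.
demo() {
    d=$(mktemp -d)
    printf '%s\n' "$SAMPLE_DB" > "$d/index.txt"
    printf 'unique_subject = yes\n' > "$d/index.txt.attr"
    if will_sign_fail "$d/index.txt" "$d/index.txt.attr" "$SUBJECT"; then
        echo "subject already has a valid entry: openssl ca would fail with TXT_DB error number 2"
    fi
    rm -rf "$d"
}
demo
```

Deleting index.txt, as done above, also discards the CA's record of server.crt, and resetting serial to 01 issues client.crt with the serial number the server certificate already carries (the failed attempt shows it would have received 2). Giving the client CSR a distinct subject, or setting unique_subject = no in index.txt.attr, avoids the error without wiping the database.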
Attached is the OpenSSL configuration file (the tail of it as shown in vim):
[root@hdytest03 CA]# vim /etc/pki/tls/openssl.cnf
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = md5, sha1 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)