自定义SSL证书:
1.ca证书
#openssl genrsa -out ca.key 2048
#openssl req -new -key ca.key -out ca.csr
#openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
2.服务端证书
#openssl genrsa -des3 -out server.key 1024
#openssl req -new -key server.key -out server.csr
#mkdir -p ./demoCA/newcerts
#touch demoCA/index.txt
#touch demoCA/serial
#echo 01 > demoCA/serial
#openssl ca -in server.csr -out server.crt -cert ca.crt -keyfile ca.key
3.客户端证书
#openssl genrsa -des3 -out client.key 1024
#openssl req -new -key client.key -out client.csr
#rm -f demoCA/index.txt
#touch demoCA/index.txt
#openssl ca -in client.csr -out client.crt -cert ca.crt -keyfile ca.key
有时需要用到pem格式的证书,可以用以下方式合并证书文件(crt)和私钥文件(key)来生成:
#cat client.crt client.key > client.pem
#cat server.crt server.key > server.pem
浏览器导入证书需要p12格式:
#openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
4.配置nginx服务器验证
#cat /usr/local/nginx/conf/nginx.conf
listen 443 ssl spdy;
server_name www.testssl.com;
root /usr/share/nginx/html;
index index.html index.htm;
ssl on;
ssl_certificate /data/ssl/server.crt;
ssl_certificate_key /data/ssl/server.key;
#ssl_client_certificate /usr/local/nginx/ssl/ca.crt;
#ssl_verify_client on; 服务器验证客户端,暂时不开启,让没有证书的客户端可以访问,先完成单向验证,然后再验证双向认证。
#以下是开启一些优化ssl的参数
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";
ssl_stapling on;
ssl_stapling_verify on;
resolver 223.5.5.5 223.6.6.6 valid=300s;
resolver_timeout 10s;
5.配置客户端浏览器导入p12证书,验证双向认证。