Step 1: Nginx virtual host configuration:

server {
    server_name test.local;
    access_log /var/log/nginx/test.access.log;
    listen 443 default ssl;
    keepalive_timeout 70;
    ssl_protocols SSLv3 TLSv1;
    ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_client_certificate /etc/nginx/ssl/client.pem;
    ssl_verify_client on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 5m;
    location / {
        proxy_pass http://testsite.local/;
    }
}
Step 2: PKI directory layout for the root and subordinate CA (based on this article):

# mkdir ~/pki && cd ~/pki
# mkdir rootCA subCA
# cp -v /etc/ssl/openssl.cnf rootCA/
# cd rootCA/
# mkdir certs private crl newcerts; touch serial; echo 01 > serial; touch index.txt; touch crlnumber; echo 01 > crlnumber
# cp -Rvp * ../subCA/
rootCA/openssl.cnf is almost unchanged:

[ CA_default ]
dir = .                                 # Where everything is kept
...
certificate = $dir/certs/rootca.crt     # The CA certificate
...
private_key = $dir/private/rootca.key   # The private key
and subCA/openssl.cnf:

[ CA_default ]
dir = .                                 # Where everything is kept
...
certificate = $dir/certs/subca.crt      # The CA certificate
...
private_key = $dir/private/subca.key    # The private key
Step 3: self-signed root CA certificate generation:

# openssl genrsa -out ./private/rootca.key -des3 2048
# openssl req -x509 -new -key ./private/rootca.key -out certs/rootca.crt -config openssl.cnf
Enter pass phrase for ./private/rootca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:rootca
Email Address []:
Step 4: subordinate CA certificate generation:

# cd ../subCA
# openssl genrsa -out ./private/subca.key -des3 2048
# openssl req -new -key ./private/subca.key -out subca.csr -config openssl.cnf
Enter pass phrase for ./private/subca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
YOUR name) []:subca
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Step 5: signing the subordinate CA certificate with the root CA certificate:

# cd ../rootCA/
# openssl ca -in ../subCA/subca.csr -extensions v3_ca -config openssl.cnf
Using configuration from openssl.cnf
Enter pass phrase for ./private/rootca.key:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb  4 10:49:43 2013 GMT
            Not After : Feb  4 10:49:43 2014 GMT
        Subject:
            countryName               = AU
            stateOrProvinceName       = Some-State
            organizationName          = Internet Widgits Pty Ltd
            commonName                = subca
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                C9:E2:AC:31:53:81:86:3F:CD:F8:3D:47:10:FC:E5:8E:C2:DA:A9:20
            X509v3 Authority Key Identifier:
                keyid:E9:50:E6:BF:57:03:EA:6E:8F:21:23:86:BB:44:3D:9F:8F:4A:8B:F2
                DirName:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
                serial:9F:FB:56:66:8D:D3:8F:11
            X509v3 Basic Constraints:
                CA:TRUE
Certificate is to be certified until Feb  4 10:49:43 2014 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
...
# cd ../subCA/
# cp -v ../rootCA/newcerts/01.pem certs/subca.crt
Step 6: generating the server certificate (for the Nginx virtual host) and signing it with the root CA:

# cd ../rootCA
# openssl genrsa -out ./private/server.key -des3 2048
# openssl req -new -key ./private/server.key -out server.csr -config openssl.cnf
Enter pass phrase for ./private/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
YOUR name) []:test.local
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in server.csr -out certs/server.crt -config openssl.cnf
Step 7: client #1 certificate generation and signing by the root CA:

# openssl genrsa -out ./private/client1.key -des3 2048
# openssl req -new -key ./private/client1.key -out client1.csr -config openssl.cnf
Enter pass phrase for ./private/client1.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
YOUR name) []:Client #1
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in client1.csr -out certs/client1.crt -config openssl.cnf
Step 8: converting the client #1 certificate to PKCS12 format:

# openssl pkcs12 -export -out certs/client1.p12 -inkey private/client1.key -in certs/client1.crt -certfile certs/rootca.crt
Step 9: generating the client #2 certificate and signing it with the subordinate CA:

# cd ../subCA/
# openssl genrsa -out ./private/client2.key -des3 2048
# openssl req -new -key ./private/client2.key -out client2.csr -config openssl.cnf
Enter pass phrase for ./private/client2.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
YOUR name) []:Client #2
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
# openssl ca -in client2.csr -out certs/client2.crt -config openssl.cnf
Step 10: converting the client #2 certificate to PKCS12 format:

# openssl pkcs12 -export -out certs/client2.p12 -inkey private/client2.key -in certs/client2.crt -certfile certs/subca.crt
Step 11: handing the server certificate and private key to Nginx (run with OS superuser privileges):

# cd ../rootCA/
# cp -v certs/server.crt /etc/nginx/ssl/
# cp -v private/server.key /etc/nginx/ssl/
Step 12: handing the root CA and subordinate CA certificates to Nginx (run with OS superuser privileges):

# cat certs/rootca.crt > /etc/nginx/ssl/client.pem
# cat ../subCA/certs/subca.crt >> /etc/nginx/ssl/client.pem
The client.pem file looks like this:

# cat /etc/nginx/ssl/client.pem
-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIJAJ/7VmaN048RMA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMTBnJvb3RjYTAeFw0xMzAyMDQxMDM1NTda
...
-----END CERTIFICATE-----
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 1 (0x1)
...
-----BEGIN CERTIFICATE-----
MIID4DCCAsigAwIBAgIBatanBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ8wDQYDVQQDEwZyb290Y2EwHhcNMTMwMjA0MTA0OTQzWhcNMTQwMjA0
...
-----END CERTIFICATE-----
Everything seems to be fine:

# service nginx reload
Reloading nginx configuration: Enter PEM pass phrase:
nginx.
#
Step 13: installing the *.p12 certificates in the browser (Firefox in my case) gives the problem I mentioned above. Client #1 = 200 OK, client #2 = 400 Bad Request / The SSL certificate error. Any ideas what I should do?
Update 1: results of the SSL connection test attempts:

# openssl s_client -connect test.local:443 -CAfile ~/pki/rootCA/certs/rootca.crt -cert ~/pki/rootCA/certs/client1.crt -key ~/pki/rootCA/private/client1.key -showcerts
Enter pass phrase for tmp/testcert/client1.key:
CONNECTED(00000003)
depth=1 C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = rootca
verify return:1
depth=0 C = AU, CN = test.local
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.local
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
-----BEGIN CERTIFICATE-----
MIIDpjCCAo6gAwIBAgIBAjANBgkqhkiG9w0BAQUFADBWMQswCQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQ8wDQYDVQQDEwZyb290Y2EwHhcNMTMwMjA0MTEwNjAzWhcNMTQwMjA0
...
-----END CERTIFICATE-----
 1 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
-----BEGIN CERTIFICATE-----
MIID6TCCAtGgAwIBAgIJAJ/7VmaN048RMA0GCSqGSIb3DQEBBQUAMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMTBnJvb3RjYTAeFw0xMzAyMDQxMDM1NTda
...
-----END CERTIFICATE-----
---
Server certificate
subject=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=test.local
issuer=/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
---
Acceptable client certificate CA names
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca
/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subca
---
SSL handshake has read 3395 bytes and written 2779 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 15BFC2029691262542FAE95A48078305E76EEE7D586400F8C4F7C516B0F9D967
    Session-ID-ctx:
    Master-Key: 23246CF166E8F3900793F0A2561879E5DB07291F32E99591BA1CF53E6229491FEAE6858BFC9AACAF271D9C3706F139C7
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket:
    0000 - c2 5e 1d d2 b5 6d 40 23-b2 40 89 e4 35 75 70 07   .^...m@#.@..5up.
    0010 - 1b bb 2b e6 e0 b5 ab 10-10 bf 46 6e aa 67 7f 58   ..+.......Fn.g.X
    0020 - cf 0e 65 a4 67 5a 15 ba-aa 93 4e dd 3d 6e 73 4c   ..e.gZ....N.=nsL
    0030 - c5 56 f6 06 24 0f 48 e6-38 36 de f1 b5 31 c5 86   .V..$.H.86...1..
    ...
    0440 - 4c 53 39 e3 92 84 d2 d0-e5 e2 f5 8a 6a a8 86 b1   LS9.........j...

    Compression: 1 (zlib compression)
    Start Time: 1359989684
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
With client #2 and the root CA certificate everything also seems fine, but the request returns a 400 Bad Request error:

# openssl s_client -connect test.local:443 -CAfile ~/pki/rootCA/certs/rootca.crt -cert ~/pki/subCA/certs/client2.crt -key ~/pki/subCA/private/client2.key -showcerts
Enter pass phrase for tmp/testcert/client2.key:
CONNECTED(00000003)
depth=1 C = AU, CN = test.local
verify return:1
...
    Compression: 1 (zlib compression)
    Start Time: 1359989989
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
Server: nginx/0.7.67
Date: Mon, 04 Feb 2013 15:00:43 GMT
Content-Type: text/html
Content-Length: 231
Connection: close

<html>
<head><title>400 The SSL certificate error</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The SSL certificate error</center>
<hr><center>nginx/0.7.67</center>
</body>
</html>
closed
Verification of the client #2 certificate against the subordinate CA certificate fails:

# openssl s_client -connect test.local:443 -CAfile ~/pki/subCA/certs/subca.crt -cert ~/pki/subCA/certs/client2.crt -key ~/pki/subCA/private/client2.key -showcerts
Enter pass phrase for tmp/testcert/client2.key:
CONNECTED(00000003)
depth=1 C = AU, CN = rootca
verify error:num=19:self signed certificate in certificate chain
verify return:0
...
    Compression: 1 (zlib compression)
    Start Time: 1359990354
    Timeout   : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
...
With the concatenated CA certificates and client #2 the 400 Bad Request error still occurs (while client #1 keeps working fine):

# cat certs/rootca.crt ../subCA/certs/subca.crt > certs/concatenatedca.crt
# openssl s_client -connect test.local:443 -CAfile ~/pki/rootCA/certs/concatenatedca.crt -cert ~/pki/subCA/certs/client2.crt -key ~/pki/subCA/private/client2.key -showcerts
Enter pass phrase for tmp/testcert/client2.key:
CONNECTED(00000003)
depth=1 C = AU, CN = test.local
verify return:1
---
...
    Compression: 1 (zlib compression)
    Start Time: 1359990772
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
...
Update 2: I managed to recompile Nginx with debugging enabled. Here is the part of the trace for the successful client #1 connection:

2013/02/05 14:08:23 [debug] 38701#0: *119 accept: <MY IP ADDRESS> fd:3
2013/02/05 14:08:23 [debug] 38701#0: *119 event timer add: 3: 60000:2856497512
2013/02/05 14:08:23 [debug] 38701#0: *119 kevent set event: 3: ft:-1 fl:0025
2013/02/05 14:08:23 [debug] 38701#0: *119 malloc: 28805200:660
2013/02/05 14:08:23 [debug] 38701#0: *119 malloc: 28834400:1024
2013/02/05 14:08:23 [debug] 38701#0: *119 posix_memalign: 28860000:4096 @16
2013/02/05 14:08:23 [debug] 38701#0: *119 http check ssl handshake
2013/02/05 14:08:23 [debug] 38701#0: *119 https ssl handshake: 0x16
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL server name: "test.local"
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_do_handshake: -1
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_get_error: 2
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL handshake handler: 0
2013/02/05 14:08:23 [debug] 38701#0: *119 verify:1, error:0, depth:1, subject:"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca", issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca"
2013/02/05 14:08:23 [debug] 38701#0: *119 verify:1, depth:0, subject:"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Client #1", issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca"
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_do_handshake: 1
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL: TLSv1, cipher: "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"
2013/02/05 14:08:23 [debug] 38701#0: *119 http process request line
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_read: -1
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_get_error: 2
2013/02/05 14:08:23 [debug] 38701#0: *119 http process request line
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_read: 1
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_read: 524
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_read: -1
2013/02/05 14:08:23 [debug] 38701#0: *119 SSL_get_error: 2
2013/02/05 14:08:23 [debug] 38701#0: *119 http request line: "GET / HTTP/1.1"
Here is the part of the trace for the unsuccessful client #2 connection:

2013/02/05 13:51:34 [debug] 38701#0: *112 accept: <MY_IP_ADDRESS> fd:3
2013/02/05 13:51:34 [debug] 38701#0: *112 event timer add: 3: 60000:2855488975
2013/02/05 13:51:34 [debug] 38701#0: *112 kevent set event: 3: ft:-1 fl:0025
2013/02/05 13:51:34 [debug] 38701#0: *112 malloc: 28805200:660
2013/02/05 13:51:34 [debug] 38701#0: *112 malloc: 28834400:1024
2013/02/05 13:51:34 [debug] 38701#0: *112 posix_memalign: 28860000:4096 @16
2013/02/05 13:51:34 [debug] 38701#0: *112 http check ssl handshake
2013/02/05 13:51:34 [debug] 38701#0: *112 https ssl handshake: 0x16
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL server name: "test.local"
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_do_handshake: -1
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_get_error: 2
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL handshake handler: 0
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_do_handshake: -1
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_get_error: 2
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL handshake handler: 0
2013/02/05 13:51:34 [debug] 38701#0: *112 verify:0, error:20, subject:"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subca", issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca"
2013/02/05 13:51:34 [debug] 38701#0: *112 verify:0, error:27, issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootca"
2013/02/05 13:51:34 [debug] 38701#0: *112 verify:1, subject:"/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=Client #2", issuer: "/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=subca"
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_do_handshake: 1
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL: TLSv1, cipher: "AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1"
2013/02/05 13:51:34 [debug] 38701#0: *112 http process request line
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_read: 1
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_read: 524
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_read: -1
2013/02/05 13:51:34 [debug] 38701#0: *112 SSL_get_error: 2
2013/02/05 13:51:34 [debug] 38701#0: *112 http request line: "GET / HTTP/1.1"
So I get OpenSSL error #20 and then #27. According to the verify documentation:

20 X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: unable to get local issuer certificate
   the issuer certificate could not be found: this occurs if the issuer certificate of an untrusted certificate cannot be found.
27 X509_V_ERR_CERT_UNTRUSTED: certificate not trusted
   the root CA is not marked as trusted for the specified purpose.

Solution:

As far as I understand,

ssl_verify_depth 2;

should do the trick. For details see http://nginx.org/r/ssl_verify_depth.
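The depth limit the answer points at can be reproduced without nginx, using openssl alone. The script below is an added example, not code from the question or the answer: it builds a throwaway rootca -> subca -> "Client #2" chain (CN names mirror the post, keys are unencrypted throwaways in a constructed temp directory) and verifies the client certificate against the concatenated client.pem bundle at several depth limits. It assumes openssl is on PATH and that a default openssl.cnf is installed.

```shell
#!/bin/sh
# Added example (not from the question or answer above): build a throwaway
# rootca -> subca -> "Client #2" chain, mirroring the post's CN names, and check
# how the chain depth limit decides whether the client certificate verifies
# against the concatenated CA bundle that nginx loads via ssl_client_certificate.
set -e
WORK=$(mktemp -d)   # constructed scratch directory; all keys are unencrypted throwaways

build_chain() {
  cd "$WORK"
  # Extensions for the subordinate CA (the post uses -extensions v3_ca for this)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -subj '/CN=rootca' -days 1 \
    -keyout rootca.key -out rootca.crt 2>/dev/null
  # Subordinate CA, signed by the root
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=subca' \
    -keyout subca.key -out subca.csr 2>/dev/null
  openssl x509 -req -in subca.csr -CA rootca.crt -CAkey rootca.key -CAcreateserial \
    -days 1 -extfile ca.ext -out subca.crt 2>/dev/null
  # Client #2, signed by the subordinate CA (a leaf, no CA extensions)
  openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Client #2' \
    -keyout client2.key -out client2.csr 2>/dev/null
  openssl x509 -req -in client2.csr -CA subca.crt -CAkey subca.key -CAcreateserial \
    -days 1 -out client2.crt 2>/dev/null
  # Same bundle the post builds for nginx: root first, then the subordinate CA
  cat rootca.crt subca.crt > client.pem
}

# Verify client2.crt against the bundle with the given depth limit.
# Prints "depth N: ok" or "depth N: fail" and returns openssl's verdict.
verify_at_depth() {
  if openssl verify -CAfile "$WORK/client.pem" -verify_depth "$1" \
       "$WORK/client2.crt" >/dev/null 2>&1; then
    echo "depth $1: ok"
  else
    echo "depth $1: fail"; return 1
  fi
}

build_chain
verify_at_depth 0 || true  # no room for subca between leaf and root: rejected
verify_at_depth 1 || true  # rejected by the OpenSSL of the post's era, accepted by 1.1.0+
verify_at_depth 2 || true  # the answer's ssl_verify_depth 2: accepted everywhere
```

OpenSSL 1.1.0 and later count only intermediate CAs toward the limit, so depth 1 already accepts this chain there; the OpenSSL release behind the post's nginx counted every certificate above the leaf, which is why the default ssl_verify_depth of 1 stopped at subca with error 20.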