1. Create the root CA key, the server private key and the client private key:

openssl genrsa -out root.key 2048
openssl genrsa -out server.key 2048
openssl genrsa -out client.key 2048

3. Create the certificate signing requests

openssl req -new -key root.key -out root.csr
openssl req -new -key server.key -out server.csr
openssl req -new -key client.key -out client.csr

Note that in these three CSR files the required fields must be identical except for the Common Name. Use root as the Common Name for root.csr; for server.csr and client.csr use localhost or the machine's IP address, e.g. 192.168.xx.yy.

4. Create the root certificate, then use it to sign the server and client certificates

openssl x509 -req -in root.csr -signkey root.key -out root.crt
openssl x509 -req -days 365 -in server.csr -CA root.crt -CAkey root.key -set_serial 01 -out server.crt
openssl x509 -req -days 365 -in client.csr -CA root.crt -CAkey root.key -set_serial 02 -out client.crt

Every certificate issued by the same CA needs a distinct serial number, so the client certificate is given 02. Without -days, openssl x509 issues the root certificate with a validity of only 30 days.
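The same three-certificate setup as steps 1 to 4, as an added example that is not part of the original post, written for a POSIX shell (the openssl invocations are identical on Windows): it gives the two leaf certificates distinct serials and adds the X.509 extensions a bare openssl x509 -req omits (CA flag on the root, SAN and serverAuth on the server, clientAuth on the client), then checks each leaf against root.crt with openssl verify, the same chain check the s_client test in step 7 reports as "Verification: OK". The DN fields mirror the page; CN=client for the client certificate and the 127.0.0.1 SAN are assumptions.

```shell
# Added example (not the original post's commands): root CA, server and client
# certificates with unique serials and role-specific extensions, plus the
# openssl verify checks a defender would run before wiring them into nginx.
set -eu

SUBJ="/C=cn/ST=sh/L=sh/O=bt/OU=test"   # same DN fields as the page's CSRs

# Build root/server/client .key and .crt files inside directory $1.
make_mtls_certs() {
    ( cd "$1"
      # Root must be a CA; leaves must not be, and are limited to one purpose.
      printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
      printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > server.ext
      printf 'extendedKeyUsage=serverAuth\nsubjectAltName=DNS:localhost,IP:127.0.0.1\n' >> server.ext
      printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > client.ext

      for n in root server client; do openssl genrsa -out "$n.key" 2048 2>/dev/null; done
      openssl req -new -key root.key   -subj "$SUBJ/CN=root"      -out root.csr
      openssl req -new -key server.key -subj "$SUBJ/CN=localhost" -out server.csr
      openssl req -new -key client.key -subj "$SUBJ/CN=client"    -out client.csr   # CN=client assumed

      # Self-signed root, then two leaves signed by it with distinct serials.
      openssl x509 -req -days 365 -in root.csr -signkey root.key -extfile ca.ext -out root.crt 2>/dev/null
      openssl x509 -req -days 365 -in server.csr -CA root.crt -CAkey root.key \
          -set_serial 01 -extfile server.ext -out server.crt 2>/dev/null
      openssl x509 -req -days 365 -in client.csr -CA root.crt -CAkey root.key \
          -set_serial 02 -extfile client.ext -out client.crt 2>/dev/null
    )
}

# Returns 0 when leaf $2 (server|client) in $1 chains to root.crt and is valid
# for purpose $3 (sslserver|sslclient); nonzero otherwise, e.g. a client
# certificate presented as a server certificate.
verify_leaf() {
    openssl verify -CAfile "$1/root.crt" -purpose "$3" "$1/$2.crt" >/dev/null 2>&1
}

# Prints a certificate's serial number as openssl reports it (hex).
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Stand-alone run: sh this_file.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    make_mtls_certs "$d"
    verify_leaf "$d" server sslserver && echo "server.crt: OK for sslserver"
    verify_leaf "$d" client sslclient && echo "client.crt: OK for sslclient"
    verify_leaf "$d" client sslserver || echo "client.crt rejected as a server cert (expected)"
    echo "serials: server=$(cert_serial "$d/server.crt") client=$(cert_serial "$d/client.crt")"
fi
```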

5. Configure nginx for mutual authentication:

Edit nginx.conf and add the following to the server block that listens on port 443 with ssl:

ssl_certificate      C://nginx-1.16.1//ssl//CA2//server.crt;
ssl_certificate_key  C://nginx-1.16.1//ssl//CA2//server.key;
ssl_client_certificate C://nginx-1.16.1//ssl//CA2//root.crt;
ssl_verify_client on; # mutual authentication: nginx requires and verifies a client certificate

6. Restart nginx

On Windows the command must be run from the directory that contains nginx.exe, otherwise it fails with an error.

nginx -s reload

7. Test

Test with openssl's s_client command. Once the command has run and the TLS channel is established, the command line waits for input; you have to type GET / by hand before nginx's web page is returned.

C:\nginx-1.16.1\ssl\CA2>openssl s_client -connect localhost:443 -cert client.crt -key client.key -CAfile root.crt
CONNECTED(000003E4)
Can't use SSL_get_servername
depth=1 C = cn, ST = sh, L = sh, O = bt, OU = test, CN = root
verify return:1
depth=0 C = cn, ST = sh, L = sh, O = bt, OU = test, CN = localhost
verify return:1
---
Certificate chain
 0 s:C = cn, ST = sh, L = sh, O = bt, OU = test, CN = localhost
   i:C = cn, ST = sh, L = sh, O = bt, OU = test, CN = root
---
Server certificate
-----BEGIN CERTIFICATE-----
[server certificate PEM omitted]
-----END CERTIFICATE-----
subject=C = cn, ST = sh, L = sh, O = bt, OU = test, CN = localhost
issuer=C = cn, ST = sh, L = sh, O = bt, OU = test, CN = root
---
Acceptable client certificate CA names
C = cn, ST = sh, L = sh, O = bt, OU = test, CN = root
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2407 bytes and written 2289 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: 6BE6AB220D6C28BA7CDC37CB97C050169F7A80D7CE525FBE204FFBF695795846
    Session-ID-ctx:
    Master-Key: ACD8704793E4E6C1AAD4863F298E8074AE190395FBC6E352C91243C588A9F59D6DCE8D4EEFA8FB1217B0BAE6FCC585AC
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    [session ticket hex dump omitted]
    Start Time: 1589187204
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: yes
---
GET /
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
    width: 35em;
    margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
closed

C:\nginx-1.16.1\ssl\CA2>

8. Problems

After I had created the certificates and configured nginx, testing with the curl command kept failing with "400, no certificate available". This is because our client certificate is also self-signed; curl considers it invalid when it is used and ignores it, so no client certificate can be offered during the TLS negotiation.

C:\nginx-1.16.1\ssl\CA2>curl  -k --cert client.crt --key client.key --cacert root.crt  https://localhost
<html>
<head><title>400 No required SSL certificate was sent</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>No required SSL certificate was sent</center>
<hr><center>nginx/1.16.1</center>
</body>
</html>

Using the openssl s_client command directly does not have this problem.
