SSL communication in HTTPS

6 July 2018

The HTTPS communication process

CA certificates and PKI

AD domain controller

Mutual (server and client) SSL authentication

CA:

# Private key
openssl genrsa -out ca.key 2048
# Self-signed CA certificate (the CA's public key wrapped in an X.509 certificate)
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Server:

# Private key (1024-bit RSA is below today's 2048-bit minimum; the rsa step only rewrites the key in plain PEM form)
openssl genrsa -out server.pem 1024
openssl rsa -in server.pem -out server.key
# Certificate signing request
openssl req -new -key server.pem -out server.csr
# Sign with the CA
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt

If the browser reports a trust error, the certificate's Common Name must match the hostname being visited (e.g. www.anyname.com.cn).

Client:

# Private key
openssl genrsa -out client.pem 1024
openssl rsa -in client.pem -out client.key
# Certificate signing request
openssl req -new -key client.pem -out client.csr
# Sign with the CA
openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt

Generate the PKCS#12 (.p12) bundle for the browser:

openssl pkcs12 -export -clcerts -in ./client.crt -inkey ./client.key -out ./client.p12
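As an added example that is not part of the original post: the CA, server and client steps above as one non-interactive POSIX shell script, extended with a subjectAltName on the server certificate (modern browsers match the SAN, not the CN) and an openssl verify check of each leaf against the CA. The last check shows why the trust anchor handed to nginx's ssl_client_certificate must be the CA certificate: a CA-signed client certificate does not verify against itself. The CA name "Demo Root CA", the hostnames localhost and demo-client, and the empty PKCS#12 password are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: the CA/server/client procedure
# as one script, followed by chain verification. Names and the empty p12
# password are demo assumptions.
set -eu

mtls_demo() {
  workdir=$(mktemp -d)
  cd "$workdir"

  # Minimal req config so the script does not depend on the system openssl.cnf.
  # ca_ext marks the self-signed certificate as a CA; -subj avoids prompting.
  cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # Extensions added at signing time: browsers match the SAN, not the CN.
  printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > server_ext.cnf
  printf 'extendedKeyUsage=clientAuth\n' > client_ext.cnf

  # CA: private key plus a self-signed root certificate
  openssl genrsa -out ca.key 2048 2>/dev/null
  openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
      -config req.cnf -subj "/CN=Demo Root CA"

  # Server: key, CSR, CA-signed certificate
  openssl genrsa -out server.key 2048 2>/dev/null
  openssl req -new -key server.key -out server.csr -config req.cnf -subj "/CN=localhost"
  openssl x509 -req -sha256 -days 3650 -in server.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile server_ext.cnf -out server.crt 2>/dev/null

  # Client: same steps, then a PKCS#12 bundle for the browser
  openssl genrsa -out client.key 2048 2>/dev/null
  openssl req -new -key client.key -out client.csr -config req.cnf -subj "/CN=demo-client"
  openssl x509 -req -sha256 -days 3650 -in client.csr -CA ca.crt -CAkey ca.key \
      -CAcreateserial -extfile client_ext.cnf -out client.crt 2>/dev/null
  openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12 -passout pass:

  # Verification, as nginx and curl do it: both leaves chain to ca.crt ...
  server=$(openssl verify -CAfile ca.crt server.crt >/dev/null 2>&1 && echo OK || echo FAIL)
  client=$(openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1 && echo OK || echo FAIL)
  # ... but a CA-signed leaf does not verify with itself as the trust anchor,
  # so ssl_client_certificate must point at the CA certificate, not client.crt.
  wrong=$(openssl verify -CAfile client.crt client.crt >/dev/null 2>&1 && echo OK || echo FAIL)

  cd / && rm -rf "$workdir"
  echo "server:$server client:$client wrong-anchor:$wrong"
}

mtls_demo
```

Running the script prints one status line, "server:OK client:OK wrong-anchor:FAIL"; the certificates are created in a temporary directory that is removed afterwards, so copy the key generation lines out if you want to keep the files.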

nginx configuration:

server {
    listen       10443 ssl; # https listen port
    server_name  117.78.43.39;

    ssl_certificate      /root/cqq/server.crt;
    ssl_certificate_key  /root/cqq/server.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    # Trust anchor for client certificates: the CA that signed client.crt,
    # not client.crt itself (a CA-signed leaf cannot be verified against itself)
    ssl_client_certificate /root/cqq/ca.crt;
    ssl_verify_client on;

    location /push {
        echo "hello world"; # requires the ngx_echo module (e.g. OpenResty)
    }
}

Verification:

# -k skips verification of the server certificate; to check it against the CA use --cacert ./ca.crt instead
curl -k --key ./client.key --cert ./client.crt https://ca.justpic.org:10443/push

More secure authentication

Multi-factor authentication?

References:
Configuring one-way and mutual authentication for HTTPS in nginx
openssl certificate authority
