SSL/TLS深度解析--在Nginx上配置证书链及多域名证书

生成私钥与自签根证书(这次使用aes256加密,密码是redhat)

# 进行简单处理
[[email protected] ~]# cd /usr/local/openssl/
[[email protected] openssl]# mkdir root-CA sub-CA
[[email protected] openssl]# cp -rf CA/* root-CA/
[[email protected] root-CA]# rm -rf root_cacert_ecc.pem crlnumber.old index.txt.old index.txt.attr.old serial.old private/root_prikey_ecdsa.pem newcerts/*
[[email protected] root-CA]# > crl.pem
[[email protected] root-CA]# > index.txt
[[email protected] root-CA]# openssl rand -hex 16 > crlnumber
[[email protected] root-CA]# openssl rand -hex 16 > serial

[[email protected] root-CA]# vim root-ca.cnf
[default]
name = root-ca
domain_suffix = a-company.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9080
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "CN"
organizationName = "A-company"
commonName = "root-CA"

[ca_default]
home = /usr/local/openssl/root-CA/
database = $home/index.txt
serial = $home/serial
crlnumber = $home/crlnumber
certificate = $home/root_cacert.crt
private_key = $home/private/root_cakey_ecdsa.pem
#RANDFILE = $home/private/random
new_certs_dir = $home/newcerts
unique_subject = no
copy_extensions = none
default_days = 3650
default_crl_days = 60
default_md = sha384
policy = policy_rootCA_match

[policy_rootCA_match]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
req_extensions = ca_ext

[ca_ext]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash

[subca_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:true,pathlen:0
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = @name_constraints
subjectKeyIdentifier = hash

[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

[name_constraints]
permitted;DNS.0=test05.com
permitted;DNS.1=test.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[[email protected] root-CA]# mkdir test
[[email protected] root-CA]# cd test
[[email protected] test]# openssl ecparam -genkey -name prime256v1 -out root_cakey_ecdsa.pem
[[email protected] test]# ll
总用量 4
-rw-------. 1 root root 302 11月 24 23:12 root_cakey_ecdsa.pem
[[email protected] test]# openssl ec -aes256 -in root_cakey_ecdsa.pem -out root_cakey_ecdsa.pem
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
[[email protected] test]# ll
总用量 4
-rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem
[[email protected] test]# openssl req -new -x509 -sha384 -config /usr/local/openssl/root-CA/root-ca.cnf  -extensions ca_ext  -key root_cakey_ecdsa.pem -out  root_cacert.crt -days 3650 -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=rootca/CN=rootCA/[email protected]
Enter pass phrase for root_cakey_ecdsa.pem:
[[email protected] test]# ll
总用量 8
-rw-r--r--. 1 root root 859 11月 24 23:26 root_cacert.crt
-rw-------. 1 root root 314 11月 24 23:13 root_cakey_ecdsa.pem
[[email protected] test]# mv root_cacert.crt ../
[[email protected] test]# mv root_cakey_ecdsa.pem ../private/
#查看根证书
[[email protected] root-CA]# openssl x509 -in root_cacert.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            0f:b1:e8:38:74:1f:2a:2a:fd:8b:cf:b5:27:c0:20:51:a8:54:ad:ce
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = [email protected]
        Validity
            Not Before: Nov 24 15:26:12 2018 GMT
            Not After : Nov 21 15:26:12 2028 GMT
        Subject: C = CN, ST = BeiJing, L = BeiJing, O = A_company, OU = rootca, CN = rootCA, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:cc:8f:71:cc:11:fe:bb:a9:b0:86:b7:8f:50:89:
                    3c:65:63:ed:ee:37:4b:6e:3b:e3:d6:77:51:a7:15:
                    be:99:70:ea:45:0f:e3:46:53:dd:46:2d:8d:4b:57:
                    31:5b:30:e8:91:47:b2:41:a7:54:c8:44:f6:75:37:
                    a3:29:ac:81:ea
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02
    Signature Algorithm: ecdsa-with-SHA384
         30:45:02:21:00:ac:7f:fb:04:23:ea:c7:77:eb:e8:d3:a4:16:
         a6:f7:9a:6a:ee:d1:ce:9c:4e:16:ec:2b:dd:86:4e:56:af:2d:
         cd:02:20:5f:a1:3b:d1:50:a8:4a:30:05:ed:59:1e:1e:99:68:
         d4:92:af:19:d5:a1:46:e5:ad:4b:d2:f4:0a:dd:89:5d:4d
-----BEGIN CERTIFICATE-----
MIICTjCCAfSgAwIBAgIUD7HoOHQfKir9i8+1J8AgUahUrc4wCgYIKoZIzj0EAwMw
gYQxCzAJBgNVBAYTAkNOMRAwDgYDVQQIDAdCZWlKaW5nMRAwDgYDVQQHDAdCZWlK
aW5nMRIwEAYDVQQKDAlBX2NvbXBhbnkxDzANBgNVBAsMBnJvb3RjYTEPMA0GA1UE
AwwGcm9vdENBMRswGQYJKoZIhvcNAQkBFgxhZG1AdGVzdC5jb20wHhcNMTgxMTI0
MTUyNjEyWhcNMjgxMTIxMTUyNjEyWjCBhDELMAkGA1UEBhMCQ04xEDAOBgNVBAgM
B0JlaUppbmcxEDAOBgNVBAcMB0JlaUppbmcxEjAQBgNVBAoMCUFfY29tcGFueTEP
MA0GA1UECwwGcm9vdGNhMQ8wDQYDVQQDDAZyb290Q0ExGzAZBgkqhkiG9w0BCQEW
DGFkbUB0ZXN0LmNvbTBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABMyPccwR/rup
sIa3j1CJPGVj7e43S24749Z3UacVvplw6kUP40ZT3UYtjUtXMVsw6JFHskGnVMhE
9nU3oymsgeqjQjBAMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQDAgEGMB0G
A1UdDgQWBBR2eRRGt3zliuhHd/W2K7MXvC0FAjAKBggqhkjOPQQDAwNIADBFAiEA
rH/7BCPqx3fr6NOkFqb3mmru0c6cThbsK92GTlavLc0CIF+hO9FQqEowBe1ZHh6Z
aN***xnVoUblrUvS9ArdiV1N
-----END CERTIFICATE-----


签发私有二级CA

[[email protected] openssl]# cp -rf root-CA/* sub-CA/
[[email protected] openssl]# cd sub-CA/
[[email protected] sub-CA]# rm -rf root-ca.cnf private/* root_cacert.crt
[[email protected] sub-CA]# vim sub-ca.cnf
[default]
name = sub-ca
domain_suffix = a-company.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align

[ca_dn]
countryName = "CN"
organizationName = "A-company"
commonName = "sub-CA"

[ca_default]
home = /usr/local/openssl/sub-CA
database = $home/index.txt
serial = $home/serial
crlnumber = $home/crlnumber
certificate = $home/second_cacert.crt
private_key = $home/private/second_cakey_ecdsa.pem
#RANDFILE = $home/private/random
new_certs_dir = $home/newcerts
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_subCA_match

[policy_subCA_match]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
#req_extensions = ca_ext

[crl_info]
URI.0 = $crl_url

[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url

[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash

[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash

[[email protected] sub-CA]# cd test
# 生成二级CA私钥
[[email protected] test]# openssl ecparam -genkey -name prime256v1 -out second_cakey_ecdsa.pem
# AES256加密(密码redhat)
[[email protected] test]# openssl ec -aes256 -in second_cakey_ecdsa.pem -out second_cakey_ecdsa.pem
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# 生成二级CA的证书申请
[[email protected] test]# openssl req -new -config /usr/local/openssl/sub-CA/sub-ca.cnf -key second_cakey_ecdsa.pem -out second_cacert.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=subca/CN=sub01_CA/[email protected]
Enter pass phrase for second_cakey_ecdsa.pem:
# 使用根证书签署二级CA证书
[[email protected] test]# openssl ca -config /usr/local/openssl/root-CA/root-ca.cnf -extensions subca_ext -days 730 -in second_cacert.csr -out second_cacert.crt -batch -notext
Using configuration from /usr/local/openssl/root-CA/root-ca.cnf
Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad
        Issuer:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = rootca
            commonName                = rootCA
            emailAddress              = [email protected]
        Validity
            Not Before: Nov 28 13:18:46 2018 GMT
            Not After : Nov 27 13:18:46 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = subca
            commonName                = sub01_CA
            emailAddress              = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:d7:e4:9d:be:12:50:5b:c4:05:c3:d5:e7:b9:7c:
                    18:c1:9b:31:a8:c2:8e:08:a7:4b:9c:62:02:25:f9:
                    df:dc:c1:74:64:0e:70:5d:74:22:2e:22:83:06:c0:
                    7a:70:5e:4b:d5:87:c7:c9:8a:3b:bb:bd:77:91:76:
                    97:56:c3:2c:e4
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://root-ca.a-company.com/root-ca.crt
                OCSP - URI:http://ocsp.root-ca.a-company.com:9080

            X509v3 Authority Key Identifier:
                keyid:76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02

            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://root-ca.a-company.com/root-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Name Constraints:
                Permitted:
                  DNS:test05.com
                  DNS:test.org
                Excluded:
                  IP:0.0.0.0/0.0.0.0
                  IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

            X509v3 Subject Key Identifier:
                9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
Certificate is to be certified until Nov 27 13:18:46 2020 GMT (730 days)

Write out database with 1 new entries
Data Base Updated

[[email protected] test]# mv second_cakey_ecdsa.pem ../private/
[[email protected] test]# mv second_cacert.crt  ../

使用二级CA签发服务器端证书

# 生成私钥和申请(注意这里没加密私钥)
[[email protected] test]# openssl  ecparam -genkey -name prime256v1  -out server_ecdsa.key
[[email protected] test]# openssl  req -new -key server_ecdsa.key -config ../sub-ca.cnf   -out server.csr  -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server/CN=www.test05.com/[email protected]
[[email protected] test]# openssl ca -config ../sub-ca.cnf -in server.csr -out server.crt -extensions server_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad
        Issuer:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = subca
            commonName                = sub01_CA
            emailAddress              = [email protected]
        Validity
            Not Before: Nov 28 13:40:52 2018 GMT
            Not After : Nov 28 13:40:52 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = server
            commonName                = www.test05.com
            emailAddress              = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:cb:0a:18:1e:3f:9f:09:a6:85:1c:a9:26:7b:ee:
                    41:37:68:5b:e5:89:84:12:93:14:6b:d0:bd:5e:d8:
                    ff:27:e6:dd:f3:43:57:70:0e:ac:43:69:d1:29:9a:
                    3a:2e:e2:b3:b4:2c:ff:7f:c1:60:c0:6b:de:2a:bd:
                    72:08:f5:7c:00
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081

            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                86:F3:C8:69:7C:0A:00:7E:FF:F6:0C:61:05:6B:83:45:9D:86:40:4B
Certificate is to be certified until Nov 28 13:40:52 2019 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

使用server.crt 与 second_cacert.crt 合成一个证书链

# 要注意顺序,服务器端的证书是放在第一个,二级CA的证书在其后面;如果还有一层三级CA,那么是先追加三级CA证书,再追加二级CA证书。
[[email protected] test]# cat server.crt ../second_cacert.crt > chain.crt
[[email protected] test]# ll chain.crt
-rw-r--r--. 1 root root 2534 11月 28 21:50 chain.crt
[[email protected] test]# cp chain.crt server_ecdsa.key /project/nginx1.15.0/conf/certs/
[[email protected] test]# cd /project/nginx1.15.0/conf/
[[email protected] conf]# vim nginx.conf
......
server_name  www.linuxplus.com www.test05.com;
ssl_certificate      certs/chain.crt;
ssl_certificate_key  certs/server_ecdsa.key;
[[email protected] conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[[email protected] conf]# ../sbin/nginx -s reload
[[email protected] ~]# cd /usr/local/openssl/root-CA
[[email protected] root-CA]# sz -y root_cacert.crt


使用二级CA签发客户端证书

[[email protected] ~]# cd /usr/local/openssl/sub-CA/test/
[[email protected] test]# openssl ecparam -genkey -name prime256v1 -out client01_ecdsa.key
# 生成申请
[[email protected] test]# openssl req -new -key client01_ecdsa.key -out client01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=client01/CN=www.test05.com/[email protected]
# 签发客户端证书
[[email protected] test]# openssl ca -config ../sub-ca.cnf -days 60 -in client01.csr -out client01.crt -extensions client_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ae
        Issuer:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = subca
            commonName                = sub01_CA
            emailAddress              = [email protected]
        Validity
            Not Before: Nov 30 15:17:31 2018 GMT
            Not After : Jan 29 15:17:31 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = client01
            commonName                = www.test05.com
            emailAddress              = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:e5:30:48:de:2b:2d:fc:6b:89:d1:9a:fd:f8:62:
                    72:72:26:e6:ca:82:2b:fd:c0:c5:c2:ce:8d:dc:ba:
                    d0:e0:52:84:75:6b:6a:78:64:c3:09:9b:c8:9d:fe:
                    e1:af:5c:85:b1:c3:a5:6c:6d:fe:b0:57:5a:37:d5:
                    ec:d4:b6:56:2a
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081

            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Subject Key Identifier:
                29:44:F5:60:40:8C:DD:ED:D2:D0:0E:E8:E7:D5:5C:67:6D:CF:12:9E
Certificate is to be certified until Jan 29 15:17:31 2019 GMT (60 days)

Write out database with 1 new entries
Data Base Updated
# 格式转换成pkcs12
[[email protected] test]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01.crt -inkey client01_ecdsa.key -out client01.p12
[[email protected] test]# cd ..
[[email protected] sub-CA]# openssl ca -config sub-ca.cnf -gencrl -out crl.pem
Using configuration from sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
[[email protected] test]# cd
[[email protected] ~]# cd /project/nginx1.15.0/conf/
[[email protected] conf]# vim nginx.conf
# 开启客户端身份验证
ssl_verify_client on;
# 指定客户端证书到根证书的深度
ssl_verify_depth 2;
# 指定签发客户端证书的CA证书
ssl_client_certificate /usr/local/openssl/sub-CA/second_cacert.crt;
# 完整证书链中需要包含的其他CA证书
ssl_trusted_certificate /usr/local/openssl/root-CA/root_cacert.crt;
# 证书吊销列表,有更新时Nginx需要重新加载
ssl_crl /usr/local/openssl/sub-CA/crl.pem;
[[email protected] conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[[email protected] conf]# ../sbin/nginx -s reload

注意:

在nginx配置文件那里开启客户端证书验证,将证书安装在客户端就可以正常访问站点。

nginx中的 ssl_crl 这个配置要注意,如果是使用二级CA签署的crl与客户端证书 ,那么ssl_crl 也必须包含根证书签的 crl 列表,与证书链的概念类似, ssl_client_certificate 配置可以是证书链也可以是二级CA(如果只配置二级CA的话 ssl_trusted_certificate 要配置根证书)。

cat ..xx/sub-ca/crl.pem ..xx/root-CA/crl.pem > crl_chain.pem

ssl_crl ....xx/xx/crl_chain.pem;

[[email protected] sub-CA]# cd ..
[[email protected] openssl]# cd root-CA/
[[email protected] root-CA]# openssl ca -config root-ca.cnf -gencrl -out crl.pem
Using configuration from root-ca.cnf
Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:
[[email protected] root-CA]# cd ..
[[email protected] openssl]# cd sub-CA/
[[email protected] sub-CA]# cat crl.pem ../root-CA/crl.pem > crl_chain.pem
# 修改Nginx配置
# 证书吊销列表,有更新时Nginx需要重新加载
ssl_crl /usr/local/openssl/sub-CA/crl_chain.pem;

多域名证书与泛域名证书

  • 多域名

[[email protected] ~]# cd /usr/local/openssl/sub-CA/
[[email protected] sub-CA]# vim sub-ca.cnf
......
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
#req_extensions = ca_ext
req_extensions = dns_ext     #修改内容

#增加内容
[ dns_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.0=list.test05.com
DNS.1=login.test05.com
DNS.2=admin.test05.com
......
[[email protected] sub-CA]# cd test
# 生成私钥
[[email protected] test]# openssl ecparam -name prime256v1 -genkey -out server01_ecdsa.key
[[email protected] test]# openssl req -new -config ../sub-ca.cnf -key server01_ecdsa.key -out server01.csr  -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server01/CN=server01_multi/[email protected]
# 使用二级CA签署多域名证书
[[email protected] test]# openssl ca   -config ../sub-ca.cnf -in server01.csr  -out server01.crt  -extensions server_ext  -batch  -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:af
        Issuer:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = subca
            commonName                = sub01_CA
            emailAddress              = [email protected]
        Validity
            Not Before: Dec  1 06:38:21 2018 GMT
            Not After : Dec  1 06:38:21 2019 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = BeiJing
            localityName              = BeiJing
            organizationName          = A_company
            organizationalUnitName    = server01
            commonName                = server01_multi
            emailAddress              = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:7f:67:e9:70:07:08:0f:0d:0b:a9:46:03:db:35:
                    16:72:fa:e3:18:2e:40:ee:f4:1a:78:2e:31:30:ce:
                    55:d4:e5:7c:10:73:67:57:17:01:e2:8b:5c:64:24:
                    07:da:7b:46:64:25:21:03:a3:d3:3f:7d:30:24:da:
                    d5:e2:76:40:5e
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            Authority Information Access:
                CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
                OCSP - URI:http://ocsp.sub-ca.a-company.com:9081

            X509v3 Authority Key Identifier:
                keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94

            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://sub-ca.a-company.com/sub-ca.crl

            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Key Identifier:
                86:75:3A:EA:E0:E4:5E:6D:80:AC:5B:FD:56:7C:E0:49:A1:96:05:A6
            X509v3 Subject Alternative Name:
                DNS:list.test05.com, DNS:login.test05.com, DNS:admin.test05.com
Certificate is to be certified until Dec  1 06:38:21 2019 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
[[email protected] test]# cat server01.crt ../second_cacert.crt > chain2.crt
[[email protected] test]# cp chain2.crt server01_ecdsa.key /project/nginx1.15.0/conf/certs/
[[email protected] ~]# cd /project/nginx1.15.0/conf/
[[email protected] conf]# vim nginx.conf
......
server_name  *.test05.com;
ssl_certificate      certs/chain2.crt;
ssl_certificate_key  certs/server01_ecdsa.key;
[[email protected] conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[[email protected] conf]# ../sbin/nginx -s reload





- 数据库文件 index.txt 说明

[[email protected] CA]# cat index.txt
V       190901132740Z           92F43BDFF9AC3B5CAA3189D661C69AFA        unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/[email protected]
V       191110141723Z           92F43BDFF9AC3B5CAA3189D661C69AFB        unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=DevOps01/CN=www.linuxplus01.com/[email protected]
V       191110143215Z           92F43BDFF9AC3B5CAA3189D661C69AFC        unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/[email protected]
R       191111060653Z   181111142637Z   92F43BDFF9AC3B5CAA3189D661C69AFD        unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=www.linuxplus.com/[email protected]
V       191111140018Z           92F43BDFF9AC3B5CAA3189D661C69AFE        unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=www.linuxplus.com/[email protected]

每一行包括6个以制表符分隔的值

(1) 状态标记: V 表示有效 valid, R 表示已吊销 revoked, E 表示已过期 expired

(2) 过期时间(以 YYMMDDHHMMSSZ 格式表示)

(3) 吊销日期,如果没有被吊销则为空

(4) 序列号(十六进制)

(5) 文件路径(如果不知道就显示 unknown )

(6) subject (所有者)

  • 名称约束

    在根证书配置文件里有一个名称约束 nameConstraints nameConstraints = @name_constraints 名称约束,表示签发的二级CA所签发的证书的CN要符合名称约束的规则, permitted;DNS.0=test05.com 表示所签署的证书的CN 要符合 xxxxtest05.com,例如 www.test05.com 或 abc.test05.com ,而不能是 test05.com.xxx 。也不能使用通配符 ; 如果名称约束是 .test05.com , 那么 www.test05.com 也是不行的;而www.*.test05.com 是可以的,也就是CN的后面必须是名称约束所给定的字符串。

    如果是签发客户端证书,名称约束不是非要使用域名,可以自定义一个字符串,例如 cli-admin.a.company 等。

    如果是给服务器端签发证书,就要注意签发的证书要在名称约束以内,并且是域名的格式。

    [name_constraints]

    permitted;DNS.0=test05.com

    permitted;DNS.1=test.org

    excluded;IP.0=0.0.0.0/0.0.0.0

    excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0

原文地址:http://blog.51cto.com/stuart/2328316

时间: 2024-11-08 02:15:39

SSL/TLS深度解析--在Nginx上配置证书链及多域名证书的相关文章

SSL/TLS深度解析--在 Nginx上配置 HSTS、CSP 与其他

在 Nginx 上配置 HSTS HTTP响应中包含 Strict-Transport-Security 头实现网站HSTS,像下面这样配置: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload,就实现了HSTS,即-- HTTP Strict Transport Security,HTTP严格传输安全.假设TLS连接没有错误,兼容的浏览器将会在 max-age 参数指定的保留期内激活HSTS. 一旦站点

SSL/TLS深度解析--在 Nginx 上部署 TLS

利用 openssl 源代码安装 Nginx [[email protected] software]# tar xf nginx-1.15.5.tar.gz [[email protected] software]# cd nginx-1.15.5/ [[email protected] nginx-1.15.5]# groupadd nginx [[email protected] nginx-1.15.5]# useradd nginx -M -s /sbin/nologin -g ngi

SSL/TLS深度解析--OpenSSL 生成自签证书

密钥算法 OpenSSL 支持 RSA.DSA 和 ECDSA 密钥,但是在实际场景中只是用 RSA 和 ECDSA 密钥.例如 Web 服务器的密钥,都使用RSA或ECDSA,因为DSA效率问题会限制在1024位(相对旧版本浏览器不支持更长的DSA密钥),ECDSA还没有全面范围的普及.比如SSH,一般都是使用DSA和RSA,而不是所有的客户端(不只是浏览器)都支持ECDSA算法. 密钥长度 默认的密钥长度一般都不够安全,老版本的 OpenSSL 默认 RSA 私钥是1024位,所以我们需要指

SSL/TLS深度解析--测试TLS/SSL加密

项目地址 https://github.com/drwetter/testssl.sh testssl.sh 是一个免费且开源的功能丰富的命令行工具,用于在 Linux/BSD 服务器上检查支持加密,协议和一些加密缺陷的支持 TLS/SSL 加密的服务. testssl git clone --depth 1 --branch 2.9.5 https://github.com/drwetter/testssl.sh.git 错误 Fatal error: Neither "dig",

SSL/TLS深度解析--OpenSSL的基本使用

摘要算法 [[email protected] ~]# openssl dgst -help #默认sha256 Usage: dgst [options] [file...] file... files to digest (default is stdin) -help Display this summary -c Print the digest with separating colons -r Print the digest in coreutils format -out out

SSL/TLS深度解析--OpenSSL s_client测试子命令

#下载第三方的最新的PEM(privacy-enhanced mail)格式的可信证书库 [[email protected] ~]# wget --no-check-certificate https://curl.haxx.se/ca/cacert.pem 使用s_client 命令进行测试 [[email protected] ~]# openssl s_client -CAfile /root/cacert.pem -connect www.baidu.com:443 -msg CONN

aliyun 主机Nginx 上配置Drupal 伪静态

网上找了好久没有正确的,后面直接在http://wiki.nginx.org/Drupal 上找到原文,但原文中复制过来会出现个 'root' rewrite directive is duplicate 错误和 server 第一列的错误. 对比aliyun上的预先设定的rewrite 发现它们都没有server {} 这个名,并且这个位置也在nginx -t 时报错了. 注释了报错的位置,删除了不适用于drupal 7下面的配置. /alidata/server/nginx/sbin/ngi

在Linux上配置xampp后远程访问域名报错

在Linux上配置xampp后远程访问域名报错: New XAMPP security concept: Access to the requested object is only available from the local network. This setting can be configured in the file "httpd-xampp.conf". 初步分析了一下错误原因是:安全异常,需要修改httpd-xampp.conf.这个文件在:/opt/lampp/

或许是 Nginx 上配置 HTTP2 最实在的教程了

导读 从 2015 年 5 月 14 日 HTTP/2 协议正式版的发布到现在已经快有一年了,越来越多的网站部署了 HTTP2,HTTP2 的广泛应用带来了更好的浏览体验,只要是 Modern 浏览器都支持,所以部署 HTTP2 并不会带来太多困扰. 虽然 h2 有 h2c (HTTP/2 Cleartext) 可以通过非加密通道传输,但是支持的浏览器初期还是比较少的,所以目前部署 h2 还是需要走加密的,不过由于 Let’s Encrypt 大力推行免费证书和证书的廉价化,部署 h2 的成本并