1. CA

  1. Generate a CA private key

    openssl genrsa -aes256 -out ca-key.pem 4096
  2. Generating a CA Certificate

    openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem

2. Server

  1. Generate a Server private key

    openssl genrsa -out server-key.pem 4096
  2. Generate Server Certificate Signing Request File (CSR)

    openssl req -sha256 -new -key server-key.pem -out server.csr
  3. Generating a Server Certificate

    # The difference between CN and SAN is explained at http://tny.im/YwjYk
    echo subjectAltName = IP:192.168.200.135,IP:127.0.0.1 >> extfile.cnf
    # Specify additional purposes
    openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out server-cert.pem -extfile extfile.cnf

3. Client

  1. Generate a Client private key

    openssl genrsa -out key.pem 4096
  2. Generate Client certificate signing Request File (CSR)

    openssl req -new -key key.pem -out client.csr
  3. Generating a Client Certificate

    echo extendedKeyUsage = clientAuth > extfile-client.cnf
    # Generate certificate
    openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
      -CAcreateserial -out cert.pem -extfile extfile-client.cnf
    # Convert to a PKCS#12 certificate (the certificate and key are stored in the same file)
    openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12
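
Before pointing Nginx at these files, it is worth confirming that each certificate chains to the CA, matches its private key, and carries the expected extension. The script below is an added example, not part of the original article; the function names, the demo subjects and the unencrypted 2048-bit throwaway keys are assumptions so that it runs unattended.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Function names, subjects and the
# short-lived, unencrypted 2048-bit demo keys are assumptions for an unattended run.

# Build throwaway CA/server/client material in directory "$1" with the page's commands.
make_demo_pki() (
  cd "$1" || exit 1
  exec >/dev/null 2>&1
  openssl genrsa -out ca-key.pem 2048 &&
  openssl req -new -x509 -days 1 -key ca-key.pem -sha256 -subj "/CN=demo-ca" -out ca.pem &&
  openssl genrsa -out server-key.pem 2048 &&
  openssl req -sha256 -new -key server-key.pem -subj "/CN=demo-server" -out server.csr &&
  echo "subjectAltName = IP:127.0.0.1" > extfile.cnf &&
  openssl x509 -req -days 1 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out server-cert.pem -extfile extfile.cnf &&
  openssl genrsa -out key.pem 2048 &&
  openssl req -new -key key.pem -subj "/CN=demo-client" -out client.csr &&
  echo "extendedKeyUsage = clientAuth" > extfile-client.cnf &&
  openssl x509 -req -days 1 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
    -CAcreateserial -out cert.pem -extfile extfile-client.cnf
)

# Succeeds only if certificate "$2" chains to CA "$1" and matches private key "$3".
cert_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  [ "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" = \
    "$(openssl pkey -in "$3" -pubout 2>/dev/null)" ]
}

# Usage: check_mtls CA SERVER_CERT SERVER_KEY CLIENT_CERT CLIENT_KEY SERVER_IP
check_mtls() {
  cert_ok "$1" "$2" "$3" || { echo "server cert: bad chain or key mismatch"; return 1; }
  cert_ok "$1" "$4" "$5" || { echo "client cert: bad chain or key mismatch"; return 1; }
  # The server certificate must list the address clients connect to in its SAN.
  openssl x509 -in "$2" -noout -text | grep -qwF "IP Address:$6" ||
    { echo "server cert: SAN lacks IP $6"; return 1; }
  # The client certificate must be marked for TLS client authentication.
  openssl x509 -in "$4" -noout -text | grep -qF "TLS Web Client Authentication" ||
    { echo "client cert: extendedKeyUsage lacks clientAuth"; return 1; }
  echo "mTLS material OK"
}
```

Run `check_mtls` against the real files, passing the address clients will use as the last argument; it fails if a CSR is supplied where the signed certificate belongs.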

4. Nginx configuration

    server {
        listen 443 ssl;
        server_name localhost;

        # Enable server authentication (the CA-signed certificate, not the CSR)
        ssl_certificate /work/ssl/vue3-admin/server-cert.pem;
        ssl_certificate_key /work/ssl/vue3-admin/server-key.pem;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only for legacy clients
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!MD5;

        # Optimization
        ssl_session_cache shared:SSL:10m;  # 1m holds about 4000 sessions
        ssl_session_timeout 1m;

        # Require a client certificate signed by the CA
        ssl_client_certificate /work/ssl/vue3-admin/ca.pem;
        ssl_verify_client on;

        location / {
            root /work/web/vue3-admin/;
            index index.html index.htm;
        }
    }

5. Access

  1. The browser

    # 1. ….pem
    # 2. certmgr.msc: import the personal certificate cert.p12
  2. The command line

    curl https://xxxxx/index.html \
    --cacert ./ca.pem \
    --cert ./cert.pem \
    --key ./key.pem