first commit

2022-10-18 16:59:37 +08:00 · 2022-10-18 16:59:37 +08:00 · ba848e218d
commit ba848e218d
1001 changed files with 152333 additions and 0 deletions
--- a/linux基础/nginx/ssl双向认证.md
+++ b/linux基础/nginx/ssl双向认证.md
@ -0,0 +1,73 @@
+# 1、生成CA私钥
+```
+openssl genrsa -out ca.key 4096
+```
+# 2、生成CA证书请求
+```
+openssl req -new -key ca.key -out ca.csr
+```
+***ca的Common Name与其他证书不同，其他相同***
+> Country Name (2 letter code) [AU]: CN   # 国家名称
+State or Province Name (full name) [Some-State]: Hainan    # 省
+Locality Name (eg, city) []: Haikou  # 市
+Organization Name (eg, company) [Internet Widgits Pty Ltd]: Probe ( Hai Nan ) Investment Co., Ltd.  # 公司名称
+Organizational Unit Name (eg, section) []: Probe Institute  # 组织单位名称
+Common Name (e.g. server FQDN or YOUR name) []: probe.cc # ca与其他证书不同
+Email Address []:
+
+# 3、生成ca证书
+*ca证书有效期10年*
+```
+openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650
+```
+
+# 4、生成server私钥
+```
+openssl genrsa -out server.key 4096
+```
+# 5、生成server证书请求文件
+```
+openssl req -new -key server.key -out server.csr
+```
+> Country Name (2 letter code) [AU]: CN   # 国家名称
+State or Province Name (full name) [Some-State]: Hainan    # 省
+Locality Name (eg, city) []: Haikou  # 市
+Organization Name (eg, company) [Internet Widgits Pty Ltd]: Probe ( Hai Nan ) Investment Co., Ltd.  # 公司名称
+Organizational Unit Name (eg, section) []: Probe Institute  # 组织单位名称
+Common Name (e.g. server FQDN or YOUR name) []: api.probe.cc # 与ca不同,双向认证接口域名
+Email Address []:
+
+# 6、生成server证书
+*server证书有效期10年*
+```
+openssl x509 -req -in server.csr -out server.crt -signkey server.key -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
+```
+
+# 7、生成p12格式证书
+```
+openssl pkcs12 –export –clcerts –in server.crt –inkey server.key –out server.p12
+```
+
+# 8、nginx 配置
+```
+server {
+        listen 443;
+        server_name api.probe.cc;
+        ssl on;
+        ssl_certificate /etc/nginx/keys/server.crt;#配置证书位置
+        ssl_certificate_key /etc/nginx/keys/server.key;#配置秘钥位置
+        ssl_client_certificate /etc/nginx/keys/ca.crt;#双向认证
+        ssl_verify_client on; #双向认证
+        ssl_session_timeout 5m;
+        ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2; #按照这个协议配置
+        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; #按照这个套件配置
+        ssl_prefer_server_ciphers on;
+        root html;
+        index index.html;
+        location / {
+                try_files $uri $uri/ =404;
+        }
+}
+```
+# 9、安装p12证书
+导出server.p12文件，并在浏览器安装。略