生成证书
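#!/usr/bin/env bash
# Create a private CA and issue one server and one client certificate for
# nginx mutual TLS (双向认证).
#
# Outputs, in the current directory:
#   ca.key ca.crt ca.srl            the CA
#   server.key server.csr server.crt  presented by nginx (ssl_certificate)
#   client.key client.csr client.crt  presented by curl  (--cert/--key)
# Environment:
#   SERVER_NAME  DNS name written into the server cert's subjectAltName
#                (default: ba-ssl.sample.com, the nginx server_name)
#   DAYS         validity of every certificate in days (default: 3650)
# The two `openssl req -new` steps still prompt for the subject interactively,
# as the original commands did.
set -euo pipefail

readonly KEY_BITS=4096
SERVER_NAME="${SERVER_NAME:-ba-ssl.sample.com}"
DAYS="${DAYS:-3650}"

# genrsa honours the umask: private keys must never be group/world readable.
umask 077

ext_file=$(mktemp) || { printf 'mktemp failed\n' >&2; exit 1; }
cleanup() { rm -f -- "$ext_file"; }
trap cleanup EXIT

#######################################
# Sign a CSR with the CA, applying X.509v3 extensions from a file.
# `openssl x509 -req` does not copy extensions from the CSR, so the SAN and
# key-usage values have to be supplied here via -extfile.
# Arguments: $1 - CSR path, $2 - output certificate path, $3 - extension file
# Returns:   openssl's exit status
#######################################
sign_with_ca() {
  local csr=$1 out=$2 ext=$3
  openssl x509 -req -in "$csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days "$DAYS" -extfile "$ext" -out "$out"
}

# --- CA ---------------------------------------------------------------------
openssl genrsa -out ca.key "$KEY_BITS"
openssl req -new -x509 -days "$DAYS" -key ca.key -out ca.crt

# --- server certificate ------------------------------------------------------
openssl genrsa -out server.key "$KEY_BITS"
openssl req -new -key server.key -out server.csr
# The server cert needs a subjectAltName: most current TLS clients (browsers,
# Go, recent curl builds) no longer match the hostname against the CN, so a
# CN-only cert makes `curl https://$SERVER_NAME` fail verification.
# $SERVER_NAME is passed as a printf argument, never as the format string.
printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
  "$SERVER_NAME" > "$ext_file"
sign_with_ca server.csr server.crt "$ext_file"

# --- client certificate ------------------------------------------------------
openssl genrsa -out client.key "$KEY_BITS"
openssl req -new -key client.key -out client.csr
# Mark the leaf as a client-auth cert and explicitly not a CA.
printf 'extendedKeyUsage=clientAuth\nbasicConstraints=CA:FALSE\n' > "$ext_file"
sign_with_ca client.csr client.crt "$ext_file"

# Certificates are public; undo the restrictive umask for them only.
chmod 644 ca.crt server.crt client.crt

# Both leaf certs must chain to ca.crt - this is what nginx's
# ssl_client_certificate / ssl_verify_client check at handshake time.
openssl verify -verbose -CAfile ca.crt server.crt client.crt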
nginx开启双向认证
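server {
    listen 443 ssl;
    server_name ba-ssl.sample.com;

    # Identity nginx presents to clients; issued by the private CA (ca.crt).
    ssl_certificate     /etc/nginx/conf.d/ssl/client_bauth/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/client_bauth/server.key;

    # Trust anchor for *client* certificates: only certs chaining to this CA pass.
    ssl_client_certificate /etc/nginx/conf.d/ssl/client_bauth/ca.crt;
    # Must be exactly "on" (nginx rejects any other spelling at startup).
    # "on" makes a valid client certificate mandatory; a client that sends
    # none is answered with "400 No required SSL certificate was sent".
    ssl_verify_client on;

    location / {
        return 200 "ok";
    }
}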
Curl测试
客户端证书文件:
确保 curl 版本不低于 7.47，否则会出现：400 No required SSL certificate was sent
# --cacert: verify the server against our private CA only (not the system store);
# --cert/--key: the client certificate and private key answered to nginx's
# ssl_verify_client check. -v shows the handshake so a rejected cert is visible.
curl -v --cacert ca.crt --cert client.crt --key client.key https://xxx.sample.com