Problem description
I want to use mTLS between my server and multiple clients. So the server will verify each client using its certificate: each client sends its certificate to the server, the server verifies it, and then they can communicate.

So I used OpenSSL to create a CA, a server certificate and two client certificates. I have set up the live server, set up DNS, and applied that server certificate (issued by the CA) on it. On my local machine I set up two virtual hosts which proxy to my live server using their client certificates. But when I call those local virtual hosts they return a 502 Bad Gateway error.
Here is my server Nginx configuration:
    server {
        listen *:443 ssl;   # "ssl on;" is deprecated; TLS is enabled on the listen directive instead
        server_name ssl2way.cowlar.com;

        ssl_certificate           /etc/nginx/ssl2way/server.crt;
        ssl_certificate_key       /etc/nginx/ssl2way/server.key;
        ssl_client_certificate    /etc/nginx/ssl2way/ca.crt;    # trust anchor for client certificates
        ssl_verify_client         on;
        ssl_crl                   /etc/nginx/ssl2way/crl.pem;   # revocation list checked for every client cert
        proxy_ssl_server_name     on;
        ssl_verify_depth          2;
        ssl_prefer_server_ciphers on;
        keepalive_timeout         10;
        ssl_session_timeout       5m;

        location / {
            root  /usr/share/nginx/html;
            index index.html index.htm;
        }
    }
Here are my local virtual host client configurations:

Client1:
    server {
        listen 80;
        listen [::]:80;
        server_name cowlarc1.local;

        location / {
            proxy_pass https://ssl2way.cowlar.com/;
            # client certificate presented to the upstream during the TLS handshake
            proxy_ssl_certificate         /etc/nginx/certs/client.crt;
            proxy_ssl_certificate_key     /etc/nginx/certs/client.key;
            proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
            # CA used to verify the upstream server certificate
            proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_session_reuse       on;
            try_files $uri $uri/ =404;
        }
    }
Client2:
    server {
        listen 80;
        listen [::]:80;
        server_name cowlarc2.local;

        location / {
            proxy_pass https://ssl2way.cowlar.com/;
            # second client identity, signed by the same CA
            proxy_ssl_certificate         /etc/nginx/certs/client2.crt;
            proxy_ssl_certificate_key     /etc/nginx/certs/client2.key;
            proxy_ssl_protocols           TLSv1 TLSv1.1 TLSv1.2;
            proxy_ssl_trusted_certificate /etc/nginx/certs/ca.crt;
            proxy_ssl_verify              on;
            proxy_ssl_verify_depth        2;
            proxy_ssl_session_reuse       on;
            try_files $uri $uri/ =404;
        }
    }
I am creating my certificates by following this link: https://www.integralist.co.uk/posts/client-cert-authentication/

Here is my OpenSSL configuration file:
    #
    # OpenSSL configuration file.
    #

    # Establish working directory.
    dir = .

    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    serial           = $dir/serial
    database         = $dir/certindex.txt
    new_certs_dir    = $dir/
    certificate      = $dir/ca.crt
    private_key      = $dir/ca.key
    default_days     = 365
    default_md       = sha256
    default_crl_days = 30
    preserve         = no
    email_in_dn      = yes
    nameopt          = default_ca
    certopt          = default_ca
    policy           = policy_match
    crl_dir          = $dir/
    crlnumber        = $crl_dir/crlnumber
    crl_extensions   = crl_ext
    x509_extensions  = usr_cert
    copy_extensions  = copy

    [ policy_match ]
    countryName            = match     # Must be the same as the CA
    stateOrProvinceName    = optional  # not required
    organizationName       = optional  # not required
    organizationalUnitName = optional  # not required
    commonName             = supplied  # must be there, whatever it is
    emailAddress           = supplied  # must be there, whatever it is

    [ crl_ext ]
    authorityKeyIdentifier = keyid:always,issuer:always

    [ usr_cert ]
    basicConstraints       = CA:FALSE
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid,issuer
    #crldistributionPoints = URI:http://ssl2way.com/ca/crl.pem  # this should be updated to be unique to the CA

    [ req ]
    default_bits       = 4096      # Size of keys
    default_keyfile    = key.pem   # name of generated keys
    default_md         = sha256    # message digest algorithm
    string_mask        = nombstr   # permitted characters
    distinguished_name = req_distinguished_name
    req_extensions     = v3_req

    [ req_distinguished_name ]
    # Variable name              Prompt string
    #-------------------------   ----------------------------------
    0.organizationName         = Organization Name (company)
    organizationalUnitName     = Organizational Unit Name (department, division)
    emailAddress               = Email Address
    emailAddress_max           = 40
    localityName               = Locality Name (city, district)
    stateOrProvinceName        = State or Province Name (full name)
    countryName                = Country Name (2 letter code)
    countryName_min            = 2
    countryName_max            = 2
    commonName                 = Common Name (hostname, IP, or your name)
    commonName_max             = 64

    # Default values for the above, for consistency and less typing.
    # Variable name              Value
    #-------------------------   ------------------------------
    0.organizationName_default = Cowlar
    localityName_default       = My Town
    stateOrProvinceName_default = State or Providence
    countryName_default        = PK

    [ v3_ca ]
    basicConstraints       = CA:TRUE
    subjectKeyIdentifier   = hash
    authorityKeyIdentifier = keyid:always,issuer:always

    [ v3_req ]
    basicConstraints     = CA:FALSE
    subjectKeyIdentifier = hash
Any help would be greatly appreciated.
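A 502 from the proxying virtual host means the TLS handshake to the upstream did not complete, and in the setup above that can fail on either side: the server rejects the client certificate (ssl_verify_client / ssl_crl), or the client rejects the server certificate (proxy_ssl_verify, which also matches the upstream certificate name against the proxy_pass host). The script below is an added example and is not part of the original question or of the linked guide. It builds a throwaway PKI in a temporary directory with the OpenSSL CLI, mirroring the v3_ca and usr_cert sections of the question's config, and then runs the same checks that nginx performs, with one client certificate deliberately issued by an unrelated CA to show what the failing case looks like. All names, the hostname ssl2way.example and the directory layout are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original question: build a throwaway mTLS PKI
# in a temporary directory and run the checks nginx makes on both sides of the
# proxied connection. Every name below is a constructed placeholder.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CFG="$WORK/openssl.cnf"
SERVER_NAME="ssl2way.example"   # placeholder for the proxy_pass host

# Minimal OpenSSL config: a CA section and two leaf sections, mirroring the
# v3_ca / usr_cert sections of the config in the question.
cat > "$CFG" <<EOF
[ req ]
prompt             = no
distinguished_name = dn

[ dn ]
CN = placeholder

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
keyUsage               = critical, keyCertSign, cRLSign

[ client_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage       = clientAuth

[ server_cert ]
basicConstraints       = CA:FALSE
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
extendedKeyUsage       = serverAuth
subjectAltName         = DNS:$SERVER_NAME
EOF

# make_ca NAME: self-signed CA certificate and key ($WORK/NAME.crt, $WORK/NAME.key)
make_ca() {
    openssl req -new -x509 -config "$CFG" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 30 -subj "/O=Example Org/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert NAME CA SECTION: key and CSR for NAME, signed by CA with the
# extensions taken from SECTION of the config above
issue_cert() {
    openssl req -new -config "$CFG" -newkey rsa:2048 -nodes \
        -subj "/O=Example Org/CN=$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days 30 -extfile "$CFG" -extensions "$3" \
        -out "$WORK/$1.crt" >/dev/null 2>&1
}

# check_chain CAFILE CERT: the first thing ssl_verify_client and
# proxy_ssl_verify do is build a chain from CERT to the trust anchor.
# Prints OK or FAIL.
check_chain() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# check_hostname CAFILE CERT HOST: proxy_ssl_verify also matches the upstream
# certificate against the proxy_pass host (proxy_ssl_name). Prints OK or FAIL.
check_hostname() {
    if openssl verify -CAfile "$1" -verify_hostname "$3" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# check_is_ca CERT: a file given to ssl_client_certificate or
# proxy_ssl_trusted_certificate must be a real CA (basicConstraints CA:TRUE).
# Prints yes or no.
check_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# Scenario: one real CA, one unrelated CA, a server certificate and two client
# certificates, one of which was (wrongly) issued by the unrelated CA.
make_ca good-ca
make_ca other-ca
issue_cert server     good-ca  server_cert
issue_cert client1    good-ca  client_cert
issue_cert client-bad other-ca client_cert

echo "good-ca is a CA:              $(check_is_ca "$WORK/good-ca.crt")"                                    # yes
echo "client1 chains to good-ca:    $(check_chain "$WORK/good-ca.crt" "$WORK/client1.crt")"                # OK
echo "client-bad chains to good-ca: $(check_chain "$WORK/good-ca.crt" "$WORK/client-bad.crt")"             # FAIL
echo "server name matches:          $(check_hostname "$WORK/good-ca.crt" "$WORK/server.crt" "$SERVER_NAME")" # OK
```

Run the same three checks against the real files: check_chain with the server's ca.crt against each client.crt (a FAIL here is what makes the server send a handshake alert and the proxying vhost log an upstream SSL error before answering 502), check_hostname with the client side's ca.crt against server.crt and the proxy_pass host, and check_is_ca on both ca.crt copies. Two more things the script does not model but that fail the same way: an expired CRL, since the question's config issues CRLs valid for default_crl_days = 30 and ssl_crl rejects every client once nextUpdate has passed (openssl crl -in crl.pem -noout -nextupdate shows the date), and a handshake tested outside nginx, which openssl s_client -connect host:443 -cert client.crt -key client.key -CAfile ca.crt reports with the exact verify error instead of a bare 502.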