HTTPS 双向认证（mTLS）：服务器端使用正规 CA 颁发的证书，客户端证书由自制 CA 签发，由 nginx 完成客户端证书校验

1.openssl自制证书

备注：O（Organization）=公司名称，OU（Organizational Unit）=部门名称。这些字段只是标识信息，不参与校验；真正决定一张证书是否可信的是它由哪把 CA 私钥签名。

①生成根证书

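# ① Root CA: one private key and ONE self-signed certificate.
# 2048-bit RSA instead of 1024: several current distributions build OpenSSL
# with a default security level that rejects RSA keys shorter than 2048 bits,
# in which case nginx refuses 1024-bit client certs with
# "certificate verify failed".
openssl genrsa -out ca-key.pem 2048

openssl req -new -key ca-key.pem -out ca-req.csr -subj "/C=CN/ST=SZ/L=SZ/O=gongsi/OU=gongsi/CN=CA"

# Self-sign with explicit CA extensions: basicConstraints marks the cert as a
# CA, keyUsage limits the key to signing certificates and CRLs.
openssl x509 -req -in ca-req.csr -signkey ca-key.pem -days 3650 \
  -extfile <(printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n') \
  -out ca-cert.pem

# The original self-signed a second time into ca-cert.cer, which yields a
# DIFFERENT certificate (new serial and signature) for the same key, and later
# steps then chained against one or the other. Make the .cer a plain copy so
# there is exactly one CA certificate for nginx to trust (.cer is only a file
# extension; PEM content imports fine).
cp ca-cert.pem ca-cert.cer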

②生成服务器证书（可选：下文的 nginx 配置使用的是正规 CA 颁发的服务器证书，这里自制的 server-cert.pem 仅在本地测试时才需要；自制 CA 在本方案中只用于校验客户端证书）

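# ② Server key and CSR. Only needed if nginx is to serve this self-made
# certificate; the nginx config in this page uses a publicly issued one.
# 2048 bits: 1024-bit RSA is rejected at the default security level of
# several current OpenSSL builds.
openssl genrsa -out server-key.pem 2048

# CN is the hostname clients connect to. Modern browsers match the hostname
# against subjectAltName, not CN, so a self-made server cert also needs a
# SAN extension to be accepted.
openssl req -new -key server-key.pem -out server-req.csr -subj "/C=CN/ST=SZ/L=SZ/O=gongsi/OU=gongsi/CN=xx.com"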

备注：CN=域名（客户端访问时使用的主机名）。注意现代浏览器校验服务器证书时以 subjectAltName（SAN）为准而不是 CN，自签服务器证书若要被浏览器接受必须带 SAN 扩展。

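# Sign the server CSR with the CA. Only -CA/-CAkey are needed: the original
# also passed -signkey server-key.pem, which asks for a self-signature and a
# CA signature in one command; the usable result is the CA-signed cert, so
# the extra option only obscured what the cert chains to.
# Extensions: SAN is required by modern browsers, EKU restricts the cert to
# server use, basicConstraints prevents it from acting as a CA.
openssl x509 -req -in server-req.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650 \
  -extfile <(printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:xx.com\n') \
  -out server-cert.pem

# Confirm the chain builds back to the CA.
openssl verify -CAfile ca-cert.pem server-cert.pem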

③生成客户端证书
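# ③ Client key and CSR. One key pair per client: if several users share one
# .p12 you can neither tell them apart nor revoke a single one.
# 2048 bits for the same security-level reason as the CA key.
openssl genrsa -out client-key.pem 2048

# For a client certificate the CN identifies the holder (user or device);
# it does not have to be a domain name. xx.com is kept here only to match
# the rest of this page.
openssl req -new -key client-key.pem -out client-req.csr -subj "/C=CN/ST=SZ/L=SZ/O=gongsi/OU=gongsi/CN=xx.com"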

备注：客户端证书的 CN 不需要是域名，它用来标识证书持有者（用户名、设备名等），nginx 可通过 $ssl_client_s_dn 变量把它转发给后端做鉴权；这里沿用 xx.com 仅为示例。

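# Sign the client CSR with the CA (-signkey dropped for the same reason as
# the server cert: only the CA signature matters). EKU clientAuth restricts
# the cert to client authentication.
# -days 3650 is a long lifetime for a credential that cannot be revoked
# without a CRL (see the nginx section); consider something shorter.
openssl x509 -req -in client-req.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650 \
  -extfile <(printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n') \
  -out client-cert.pem

# The original ran a second signing pass against ca-cert.cer, producing a
# second client certificate. Keep one certificate and copy it, so the .p12
# export step still finds client-cert.cer and it is exactly the cert that
# chains to the CA nginx trusts.
cp client-cert.pem client-cert.cer

openssl verify -CAfile ca-cert.pem client-cert.pem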

④导出客户端证书（打包为 PKCS#12 供用户浏览器导入）。注意 client.p12 内含客户端私钥：导出时务必设置密码，并通过安全渠道分发——任何拿到该文件的人都能通过双向认证。

# ④ Bundle the client certificate and its private key as PKCS#12 for browser
# import. openssl prompts for an export password; set a real one, since the
# .p12 carries the private key and whoever holds it passes the mTLS check.
# -clcerts: include only the client certificate, not CA certificates.
# NOTE(review): OpenSSL 3.x writes AES/PBKDF2-protected .p12 files by default,
# which some older importers reject; if the import fails, re-run with -legacy.
openssl pkcs12 -export -clcerts \
  -inkey client-key.pem \
  -in client-cert.cer \
  -out client.p12

2.nginx配置


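# HTTPS server
#
# The server certificate/key come from the public CA; the self-made CA is
# trusted ONLY for client certificates (mutual TLS). Requests without a valid
# client certificate are rejected by nginx before they reach the upstream.
server {
  listen 443 ssl;
  server_name xx.com;

  ssl_certificate /home/opt/ssl/3150613_xx.pem;      # issued by the public CA; the file must hold the full chain (leaf + intermediates)
  ssl_certificate_key /home/opt/ssl/3150613_xx.key;  # issued by the public CA
  ssl_client_certificate /home/opt/ht/ca-cert.pem;   # self-made root CA certificate (public part) used to verify client certs
  ssl_verify_client on;                               # require a client certificate signed by that CA
  ssl_verify_depth 1;                                 # client certs are signed directly by the root; no intermediates expected
  # There is no revocation without a CRL: a lost or leaked client.p12 stays
  # valid for its full lifetime. Issue a CRL from the CA and reference it here:
  # ssl_crl /home/opt/ht/ca-crl.pem;

  ssl_session_cache shared:SSL:1m;
  ssl_session_timeout 5m;

  # TLS 1.0/1.1 are deprecated (RFC 8996). TLSv1.3 requires nginx 1.13+ built
  # against OpenSSL 1.1.1+; drop it from this line on older builds.
  ssl_protocols TLSv1.2 TLSv1.3;
  # Forward-secret AEAD suites only. The original list (ECDH:AES:HIGH) also
  # admitted static-RSA and CBC suites, which have no forward secrecy.
  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
  ssl_prefer_server_ciphers on;

  location /
  {
    proxy_redirect off;
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Identity of the authenticated client, for upstream authorization.
    # proxy_set_header overwrites any same-named header sent by the client,
    # so these cannot be spoofed through nginx; the upstream must still be
    # reachable only via this proxy for them to be trustworthy.
    proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
    proxy_set_header X-SSL-Client-DN $ssl_client_s_dn;
    proxy_pass http://webUpstream;

  }

}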


转载自www.cnblogs.com/singJ/p/11945149.html