SSL/TLS深度解析--在Nginx上配置證書鏈及多域名證書
阿新 • • 發佈:2018-12-10
生成私鑰與自籤根證書(這次使用aes256加密,密碼是redhat)
# 進行簡單處理
[[email protected] ~]# cd /usr/local/openssl/
[[email protected] openssl]# mkdir root-CA sub-CA
[[email protected] openssl]# cp -rf CA/* root-CA/
[[email protected] root-CA]# rm -rf root_cacert_ecc.pem crlnumber.old index.txt.old index.txt.attr.old serial.old private/root_prikey_ecdsa.pem newcerts/*
[ 
簽發私有二級CA
[[email protected] openssl]# cp -rf root-CA/* sub-CA/
[[email protected] openssl]# cd sub-CA/
[[email protected] sub-CA]# rm -rf root-ca.cnf private/* root_cacert.crt
[[email protected] sub-CA]# vim sub-ca.cnf
[default]
name = sub-ca
domain_suffix = a-company.com
aia_url = http://$name.$domain_suffix/$name.crt
crl_url = http://$name.$domain_suffix/$name.crl
ocsp_url = http://ocsp.$name.$domain_suffix:9081
default_ca = ca_default
name_opt = utf8,esc_ctrl,multiline,lname,align
[ca_dn]
countryName = "CN"
organizationName = "A-company"
commonName = "sub-CA"
[ca_default]
home = /usr/local/openssl/sub-CA
database = $home/index.txt
serial = $home/serial
crlnumber = $home/crlnumber
certificate = $home/second_cacert.crt
private_key = $home/private/second_cakey_ecdsa.pem
#RANDFILE = $home/private/random
new_certs_dir = $home/newcerts
unique_subject = no
copy_extensions = copy
default_days = 365
default_crl_days = 30
default_md = sha256
policy = policy_subCA_match
[policy_subCA_match]
countryName = match
stateOrProvinceName = optional
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
#req_extensions = ca_ext
[crl_info]
URI.0 = $crl_url
[issuer_info]
caIssuers;URI.0 = $aia_url
OCSP;URI.0 = $ocsp_url
[ocsp_ext]
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
extendedKeyUsage = OCSPSigning
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[server_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth,serverAuth
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
[client_ext]
authorityInfoAccess = @issuer_info
authorityKeyIdentifier = keyid:always
basicConstraints = critical,CA:false
crlDistributionPoints = @crl_info
extendedKeyUsage = clientAuth
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
[[email protected] sub-CA]# cd test
# 生成二級CA私鑰
[[email protected] test]# openssl ecparam -genkey -name prime256v1 -out second_cakey_ecdsa.pem
# AES256加密(密碼redhat)
[[email protected] test]# openssl ec -aes256 -in second_cakey_ecdsa.pem -out second_cakey_ecdsa.pem
read EC key
writing EC key
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
# 生成二級CA的證書申請
[[email protected] test]# openssl req -new -config /usr/local/openssl/sub-CA/sub-ca.cnf -key second_cakey_ecdsa.pem -out second_cacert.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=subca/CN=sub01_CA/[email protected]
Enter pass phrase for second_cakey_ecdsa.pem:
# 使用根證書籤署二級CA證書
[[email protected] test]# openssl ca -config /usr/local/openssl/root-CA/root-ca.cnf -extensions subca_ext -days 730 -in second_cacert.csr -out second_cacert.crt -batch -notext
Using configuration from /usr/local/openssl/root-CA/root-ca.cnf
Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad
Issuer:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = A_company
organizationalUnitName = rootca
commonName = rootCA
emailAddress = [email protected]t.com
Validity
Not Before: Nov 28 13:18:46 2018 GMT
Not After : Nov 27 13:18:46 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = A_company
organizationalUnitName = subca
commonName = sub01_CA
emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:d7:e4:9d:be:12:50:5b:c4:05:c3:d5:e7:b9:7c:
18:c1:9b:31:a8:c2:8e:08:a7:4b:9c:62:02:25:f9:
df:dc:c1:74:64:0e:70:5d:74:22:2e:22:83:06:c0:
7a:70:5e:4b:d5:87:c7:c9:8a:3b:bb:bd:77:91:76:
97:56:c3:2c:e4
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://root-ca.a-company.com/root-ca.crt
OCSP - URI:http://ocsp.root-ca.a-company.com:9080
X509v3 Authority Key Identifier:
keyid:76:79:14:46:B7:7C:E5:8A:E8:47:77:F5:B6:2B:B3:17:BC:2D:05:02
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0
X509v3 CRL Distribution Points:
Full Name:
URI:http://root-ca.a-company.com/root-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Certificate Sign, CRL Sign
X509v3 Name Constraints:
Permitted:
DNS:test05.com
DNS:test.org
Excluded:
IP:0.0.0.0/0.0.0.0
IP:0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0
X509v3 Subject Key Identifier:
9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
Certificate is to be certified until Nov 27 13:18:46 2020 GMT (730 days)
Write out database with 1 new entries
Data Base Updated
[[email protected] test]# mv second_cakey_ecdsa.pem ../private/
[[email protected] test]# mv second_cacert.crt ../
使用二級CA簽發伺服器端證書
# 生成私鑰和申請(注意這裡沒加密私鑰)
[[email protected] test]# openssl ecparam -genkey -name prime256v1 -out server_ecdsa.key
[[email protected] test]# openssl req -new -key server_ecdsa.key -config ../sub-ca.cnf -out server.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server/CN=www.test05.com/[email protected]
[[email protected] test]# openssl ca -config ../sub-ca.cnf -in server.csr -out server.crt -extensions server_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ad
Issuer:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = A_company
organizationalUnitName = subca
commonName = sub01_CA
emailAddress = [email protected]
Validity
Not Before: Nov 28 13:40:52 2018 GMT
Not After : Nov 28 13:40:52 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = A_company
organizationalUnitName = server
commonName = www.test05.com
emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:cb:0a:18:1e:3f:9f:09:a6:85:1c:a9:26:7b:ee:
41:37:68:5b:e5:89:84:12:93:14:6b:d0:bd:5e:d8:
ff:27:e6:dd:f3:43:57:70:0e:ac:43:69:d1:29:9a:
3a:2e:e2:b3:b4:2c:ff:7f:c1:60:c0:6b:de:2a:bd:
72:08:f5:7c:00
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
X509v3 Authority Key Identifier:
keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.a-company.com/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
86:F3:C8:69:7C:0A:00:7E:FF:F6:0C:61:05:6B:83:45:9D:86:40:4B
Certificate is to be certified until Nov 28 13:40:52 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
使用server.crt 與 second_cacert.crt 合成一個證書鏈
# 要注意順序,伺服器端的證書是放在第一個,二級CA的證書在其後面;如果還有一層三級CA,那麼是先追加三級CA證書,再追加二級CA證書。
[[email protected] test]# cat server.crt ../second_cacert.crt > chain.crt
[[email protected] test]# ll chain.crt
-rw-r--r--. 1 root root 2534 11月 28 21:50 chain.crt
[[email protected] test]# cp chain.crt server_ecdsa.key /project/nginx1.15.0/conf/certs/
[[email protected] test]# cd /project/nginx1.15.0/conf/
[[email protected] conf]# vim nginx.conf
......
server_name www.linuxplus.com www.test05.com;
ssl_certificate certs/chain.crt;
ssl_certificate_key certs/server_ecdsa.key;
[[email protected] conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[[email protected] conf]# ../sbin/nginx -s reload
[[email protected] ~]# cd /usr/local/openssl/root-CA
[[email protected] root-CA]# sz -y root_cacert.crt
使用二級CA簽發客戶端證書
[[email protected] ~]# cd /usr/local/openssl/sub-CA/test/
[[email protected] test]# openssl ecparam -genkey -name prime256v1 -out client01_ecdsa.key
# 生成申請
[[email protected] test]# openssl req -new -key client01_ecdsa.key -out client01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=client01/CN=www.test05.com/[email protected]
# 簽發客戶端證書
[[email protected] test]# openssl ca -config ../sub-ca.cnf -days 60 -in client01.csr -out client01.crt -extensions client_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:ae
Issuer:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = A_company
organizationalUnitName = subca
commonName = sub01_CA
emailAddress = [email protected]
Validity
Not Before: Nov 30 15:17:31 2018 GMT
Not After : Jan 29 15:17:31 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = A_company
organizationalUnitName = client01
commonName = www.test05.com
emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:e5:30:48:de:2b:2d:fc:6b:89:d1:9a:fd:f8:62:
72:72:26:e6:ca:82:2b:fd:c0:c5:c2:ce:8d:dc:ba:
d0:e0:52:84:75:6b:6a:78:64:c3:09:9b:c8:9d:fe:
e1:af:5c:85:b1:c3:a5:6c:6d:fe:b0:57:5a:37:d5:
ec:d4:b6:56:2a
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
X509v3 Authority Key Identifier:
keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.a-company.com/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication
X509v3 Key Usage: critical
Digital Signature
X509v3 Subject Key Identifier:
29:44:F5:60:40:8C:DD:ED:D2:D0:0E:E8:E7:D5:5C:67:6D:CF:12:9E
Certificate is to be certified until Jan 29 15:17:31 2019 GMT (60 days)
Write out database with 1 new entries
Data Base Updated
# 格式轉換成pkcs12
[[email protected] test]# openssl pkcs12 -export -clcerts -passout pass:123456 -in client01.crt -inkey client01_ecdsa.key -out client01.p12
[[email protected] test]# cd ..
[[email protected] sub-CA]# openssl ca -config sub-ca.cnf -gencrl -out crl.pem
Using configuration from sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
[[email protected] test]# cd
[[email protected] ~]# cd /project/nginx1.15.0/conf/
[[email protected] conf]# vim nginx.conf
# 開啟客戶端身份驗證
ssl_verify_client on;
# 指定客戶端證書到根證書的深度
ssl_verify_depth 2;
# 指定簽發客戶端證書的CA證書
ssl_client_certificate /usr/local/openssl/sub-CA/second_cacert.crt;
# 完整證書鏈中需要包含的其他CA證書
ssl_trusted_certificate /usr/local/openssl/root-CA/root_cacert.crt;
# 證書吊銷列表,有更新時Nginx需要重新載入
ssl_crl /usr/local/openssl/sub-CA/crl.pem;
[[email protected] conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[[email protected] conf]# ../sbin/nginx -s reload
注意:
在nginx配置檔案那裡開啟客戶端證書驗證,將證書安裝在客戶端就可以正常訪問站點。
nginx中的 ssl_crl 這個配置要注意,如果是使用二級CA簽署的crl與客戶端證書 ,那麼ssl_crl 也必須包含根證書籤的 crl 列表,與證書鏈的概念類似, ssl_client_certificate 配置可以是證書鏈也可以是二級CA(如果只配置二級CA的話 ssl_trusted_certificate 要配置根證書)。
cat ..xx/sub-ca/crl.pem ..xx/root-CA/crl.pem > crl_chain.pem
ssl_crl ....xx/xx/crl_chain.pem;
[[email protected] sub-CA]# cd ..
[[email protected] openssl]# cd root-CA/
[[email protected] root-CA]# openssl ca -config root-ca.cnf -gencrl -out crl.pem
Using configuration from root-ca.cnf
Enter pass phrase for /usr/local/openssl/root-CA//private/root_cakey_ecdsa.pem:
[[email protected] root-CA]# cd ..
[[email protected] openssl]# cd sub-CA/
[[email protected] sub-CA]# cat crl.pem ../root-CA/crl.pem > crl_chain.pem
# 修改Nginx配置
# 證書吊銷列表,有更新時Nginx需要重新載入
ssl_crl /usr/local/openssl/sub-CA/crl_chain.pem;多域名證書與泛域名證書
-
多域名
[[email protected] ~]# cd /usr/local/openssl/sub-CA/
[[email protected] sub-CA]# vim sub-ca.cnf
......
[req]
default_bits = 4096
encrypt_key = yes
default_md = sha256
utf8 = yes
string_mask = utf8only
prompt = no
distinguished_name = ca_dn
#req_extensions = ca_ext
req_extensions = dns_ext #修改內容
#增加內容
[ dns_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.0=list.test05.com
DNS.1=login.test05.com
DNS.2=admin.test05.com
......
[[email protected] sub-CA]# cd test
# 生成私鑰
[[email protected] test]# openssl ecparam -name prime256v1 -genkey -out server01_ecdsa.key
[[email protected] test]# openssl req -new -config ../sub-ca.cnf -key server01_ecdsa.key -out server01.csr -subj /C=CN/ST=BeiJing/L=BeiJing/O=A_company/OU=server01/CN=server01_multi/[email protected]
# 使用二級CA簽署多域名證書
[[email protected] test]# openssl ca -config ../sub-ca.cnf -in server01.csr -out server01.crt -extensions server_ext -batch -notext
Using configuration from ../sub-ca.cnf
Enter pass phrase for /usr/local/openssl/sub-CA/private/second_cakey_ecdsa.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
88:40:ac:09:86:09:b6:19:9d:fa:33:71:f2:cb:f7:af
Issuer:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = A_company
organizationalUnitName = subca
commonName = sub01_CA
emailAddress = [email protected]
Validity
Not Before: Dec 1 06:38:21 2018 GMT
Not After : Dec 1 06:38:21 2019 GMT
Subject:
countryName = CN
stateOrProvinceName = BeiJing
localityName = BeiJing
organizationName = A_company
organizationalUnitName = server01
commonName = server01_multi
emailAddress = [email protected]
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:7f:67:e9:70:07:08:0f:0d:0b:a9:46:03:db:35:
16:72:fa:e3:18:2e:40:ee:f4:1a:78:2e:31:30:ce:
55:d4:e5:7c:10:73:67:57:17:01:e2:8b:5c:64:24:
07:da:7b:46:64:25:21:03:a3:d3:3f:7d:30:24:da:
d5:e2:76:40:5e
ASN1 OID: prime256v1
NIST CURVE: P-256
X509v3 extensions:
Authority Information Access:
CA Issuers - URI:http://sub-ca.a-company.com/sub-ca.crt
OCSP - URI:http://ocsp.sub-ca.a-company.com:9081
X509v3 Authority Key Identifier:
keyid:9B:EC:B4:AF:12:B8:23:58:BC:12:86:8A:10:E2:5A:3C:B9:CA:2D:94
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 CRL Distribution Points:
Full Name:
URI:http://sub-ca.a-company.com/sub-ca.crl
X509v3 Extended Key Usage:
TLS Web Client Authentication, TLS Web Server Authentication
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Subject Key Identifier:
86:75:3A:EA:E0:E4:5E:6D:80:AC:5B:FD:56:7C:E0:49:A1:96:05:A6
X509v3 Subject Alternative Name:
DNS:list.test05.com, DNS:login.test05.com, DNS:admin.test05.com
Certificate is to be certified until Dec 1 06:38:21 2019 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[[email protected] test]# cat server01.crt ../second_cacert.crt > chain2.crt
[[email protected] test]# cp chain2.crt server01_ecdsa.key /project/nginx1.15.0/conf/certs/
[[email protected] ~]# cd /project/nginx1.15.0/conf/
[[email protected] conf]# vim nginx.conf
......
server_name *.test05.com;
ssl_certificate certs/chain2.crt;
ssl_certificate_key certs/server01_ecdsa.key;
[[email protected] conf]# ../sbin/nginx -t
nginx: the configuration file /project/nginx1.15.0/conf/nginx.conf syntax is ok
nginx: configuration file /project/nginx1.15.0/conf/nginx.conf test is successful
[[email protected] conf]# ../sbin/nginx -s reload
- 資料庫檔案 index.txt 說明
[[email protected] CA]# cat index.txt
V 190901132740Z 92F43BDFF9AC3B5CAA3189D661C69AFA unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/[email protected]
V 191110141723Z 92F43BDFF9AC3B5CAA3189D661C69AFB unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=DevOps01/CN=www.linuxplus01.com/[email protected]
V 191110143215Z 92F43BDFF9AC3B5CAA3189D661C69AFC unknown /C=CN/ST=ShanDong/L=QingDao/O=Devops/OU=Devops/CN=www.linuxplus.com/[email protected]
R 191111060653Z 181111142637Z 92F43BDFF9AC3B5CAA3189D661C69AFD unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops01/OU=Devops01/CN=www.linuxplus.com/[email protected]
V 191111140018Z 92F43BDFF9AC3B5CAA3189D661C69AFE unknown /C=CN/ST=ShanXi/L=XiAn/O=Devops02/OU=Devops02/CN=www.linuxplus.com/[email protected]每一行包括6個以製表符分隔的值
(1) 狀態標記: V 表示有效 valid, R 表示已吊銷 revoked, E 表示已過期 expired
(2) 過期時間(以 YYMMDDHHMMSSZ 格式表示)
(3) 吊銷日期,如果沒有被吊銷則為空
(4) 序列號(十六進位制)
(5) 檔案路徑(如果不知道就顯示 unknown )
(6) subject (所有者)
名稱約束
在根證書配置檔案裡有一個名稱約束 nameConstraints nameConstraints = @name_constraints 名稱約束,表示簽發的二級CA所簽發的證書的CN要符合名稱約束的規則, permitted;DNS.0=test05.com 表示所簽署的證書的CN 要符合 xxxxtest05.com,例如 www.test05.com 或 abc.test05.com ,而不能是 test05.com.xxx 。也不能使用萬用字元 ; 如果名稱約束是 .test05.com , 那麼 www.test05.com 也是不行的;而www.*.test05.com 是可以的,也就是CN的後面必須是名稱約束所給定的字串。
如果是簽發客戶端證書,名稱約束不是非要使用域名,可以自定義一個字串,例如 cli-admin.a.company 等。
如果是給伺服器端簽發證書,就要注意簽發的證書要在名稱約束以內,並且是域名的格式。
[name_constraints]
permitted;DNS.0=test05.com
permitted;DNS.1=test.org
excluded;IP.0=0.0.0.0/0.0.0.0
excluded;IP.1=0:0:0:0:0:0:0:0/0:0:0:0:0:0:0:0