![\"\"](\"\/\/blog.yanjingang.com\/wp-content\/uploads\/2020\/03\/ca-generate-2.png\" "\\"ca-generate\\"")
<\/p>\nCA\u5355\u5411\u8ba4\u8bc1\u5e38\u7528\u4e8ehttps\u6570\u636e\u4f20\u8f93\u52a0\u5bc6\uff0c\u907f\u514d\u5728\u4f20\u8f93\u8fc7\u7a0b\u4e2d\u88ab\u55c5\u63a2\u548c\u7be1\u6539\u3002\u800cCA\u53cc\u5411\u8ba4\u8bc1\u5219\u66f4\u591a\u7684\u7528\u4e8e\u9ad8\u5b89\u5168\u573a\u666f\u7684\u8eab\u4efd\u8bc6\u522b\uff0c\u5b83\u4e3a\u6bcf\u4e2aclient\u7b7e\u53d1\u7684\u8bc1\u4e66\u5185\u5305\u542b\u4e86\u5404client\u7684\u8eab\u4efd\uff08\u4f8b\u5982\u94f6\u884c\u8bc1\u4e66\u7684\u7528\u6237\u8eab\u4efd\u8bc1\u53f7\u3001\u8f66\u8f86\u8bc1\u4e66\u7684\u8f66\u67b6\u53f7\u7b49\uff09\uff0cserver\u5728client\u8bf7\u6c42\u65f6\u53cc\u5411\u8ba4\u8bc1\u5bf9\u65b9\u7684\u8bc1\u4e66\u6709\u6548\u6027\uff0c\u540c\u65f6server\u4ece\u6709\u6548client\u516c\u94a5\u4e2d\u63d0\u53d6\u5bf9\u65b9\u8eab\u4efd\u5e76\u4e0e\u8bf7\u6c42\u53c2\u6570\u4e2d\u7684\u8eab\u4efd\u8fdb\u884c\u5bf9\u6bd4\u68c0\u67e5\uff0c\u4ee5\u5b8c\u6210client\u8eab\u4efd\u7684\u5b89\u5168\u9274\u522b\u3002\u4e0b\u8fb9\u7b80\u5355\u4ecb\u7ecd\u4e0bCA\u8bc1\u4e66\u53cc\u5411\u8ba4\u8bc1\u539f\u7406\u548c\u5b9e\u65bd\u65b9\u6cd5\u3002<\/p>\n
<\/p>\n
![\"\"](\"\/\/blog.yanjingang.com\/wp-content\/uploads\/2020\/03\/ca-2way-auth-2.png\" "\\"ca-2way-auth\\"")
<\/p>\n
\u6240\u8c13\u8bc1\u4e66\u53cc\u5411\u8ba4\u8bc1\u662f\u6307\uff1a<\/p>\n
ca.crt<\/code>\u6821\u9a8c\u5ba2\u6237\u7aef\u7684client.crt<\/code>\u548cclient.key<\/code><\/li>\n- \u5ba2\u6237\u7aef\u4f7f\u7528
ca.crt<\/code>\u6821\u9a8c\u670d\u52a1\u7aef\u7684server.crt<\/code>\u548cserver.key<\/code><\/li>\n<\/ul>\n<\/p>\n
3.\u53cc\u5411\u8ba4\u8bc1\u673a\u5236<\/h3>\n
![\"\"](\"\/\/blog.yanjingang.com\/wp-content\/uploads\/2020\/03\/ca-2way-1006x1024.png\")
<\/a><\/p>\n1\uff09\u5ba2\u6237\u7aef\u5411\u670d\u52a1\u7aef\u53d1\u9001SSL\u534f\u8bae\u7248\u672c\u53f7\u3001\u52a0\u5bc6\u7b97\u6cd5\u79cd\u7c7b\u3001\u968f\u673a\u6570\u7b49\u4fe1\u606f\u3002
\n2\uff09\u670d\u52a1\u7aef\u7ed9\u5ba2\u6237\u7aef\u8fd4\u56deSSL\u534f\u8bae\u7248\u672c\u53f7\u3001\u52a0\u5bc6\u7b97\u6cd5\u79cd\u7c7b\u3001\u968f\u673a\u6570\u7b49\u4fe1\u606f\uff0c\u540c\u65f6\u4e5f\u8fd4\u56de\u670d\u52a1\u5668\u7aef\u7684\u8bc1\u4e66\uff0c\u5373\u516c\u94a5\u8bc1\u4e66
\n3\uff09\u5ba2\u6237\u7aef\u4f7f\u7528\u670d\u52a1\u7aef\u8fd4\u56de\u7684\u4fe1\u606f\u9a8c\u8bc1\u670d\u52a1\u5668\u7684\u5408\u6cd5\u6027\uff0c\u5305\u62ec\uff1a
\n\u8bc1\u4e66\u662f\u5426\u8fc7\u671f
\n\u53d1\u884c\u670d\u52a1\u5668\u8bc1\u4e66\u7684CA\u662f\u5426\u53ef\u9760
\n\u8fd4\u56de\u7684\u516c\u94a5\u662f\u5426\u80fd\u6b63\u786e\u89e3\u5f00\u8fd4\u56de\u8bc1\u4e66\u4e2d\u7684\u6570\u5b57\u7b7e\u540d
\n\u670d\u52a1\u5668\u8bc1\u4e66\u4e0a\u7684\u57df\u540d\u662f\u5426\u548c\u670d\u52a1\u5668\u7684\u5b9e\u9645\u57df\u540d\u76f8\u5339\u914d
\n\u9a8c\u8bc1\u901a\u8fc7\u540e\uff0c\u5c06\u7ee7\u7eed\u8fdb\u884c\u901a\u4fe1\uff0c\u5426\u5219\uff0c\u7ec8\u6b62\u901a\u4fe1
\n4\uff09\u670d\u52a1\u7aef\u8981\u6c42\u5ba2\u6237\u7aef\u53d1\u9001\u5ba2\u6237\u7aef\u7684\u8bc1\u4e66\uff0c\u5ba2\u6237\u7aef\u4f1a\u5c06\u81ea\u5df1\u7684\u8bc1\u4e66\u53d1\u9001\u81f3\u670d\u52a1\u7aef
\n5\uff09\u9a8c\u8bc1\u5ba2\u6237\u7aef\u7684\u8bc1\u4e66\uff0c\u901a\u8fc7\u9a8c\u8bc1\u540e\uff0c\u4f1a\u83b7\u5f97\u5ba2\u6237\u7aef\u7684\u516c\u94a5
\n6\uff09\u5ba2\u6237\u7aef\u5411\u670d\u52a1\u7aef\u53d1\u9001\u81ea\u5df1\u6240\u80fd\u652f\u6301\u7684\u5bf9\u79f0\u52a0\u5bc6\u65b9\u6848\uff0c\u4f9b\u670d\u52a1\u5668\u7aef\u8fdb\u884c\u9009\u62e9
\n7\uff09\u670d\u52a1\u5668\u7aef\u5728\u5ba2\u6237\u7aef\u63d0\u4f9b\u7684\u52a0\u5bc6\u65b9\u6848\u4e2d\u9009\u62e9\u52a0\u5bc6\u7a0b\u5ea6\u6700\u9ad8\u7684\u52a0\u5bc6\u65b9\u5f0f
\n8\uff09\u5c06\u52a0\u5bc6\u65b9\u6848\u901a\u8fc7\u4f7f\u7528\u4e4b\u524d\u83b7\u53d6\u5230\u7684\u516c\u94a5\u8fdb\u884c\u52a0\u5bc6\uff0c\u8fd4\u56de\u7ed9\u5ba2\u6237\u7aef
\n9\uff09\u5ba2\u6237\u7aef\u6536\u5230\u670d\u52a1\u7aef\u8fd4\u56de\u7684\u52a0\u5bc6\u65b9\u6848\u5bc6\u6587\u540e\uff0c\u4f7f\u7528\u81ea\u5df1\u7684\u79c1\u94a5\u8fdb\u884c\u89e3\u5bc6\uff0c\u83b7\u53d6\u5177\u4f53\u52a0\u5bc6\u65b9\u5f0f\uff0c\u800c\u540e\uff0c\u4ea7\u751f\u8be5\u52a0\u5bc6\u65b9\u5f0f\u7684\u968f\u673a\u7801\uff0c\u7528\u4f5c\u52a0\u5bc6\u8fc7\u7a0b\u4e2d\u7684\u5bc6\u94a5\uff0c\u4f7f\u7528\u4e4b\u524d\u4ece\u670d\u52a1\u7aef\u8bc1\u4e66\u4e2d\u83b7\u53d6\u5230\u7684\u516c\u94a5\u8fdb\u884c\u52a0\u5bc6\u540e\uff0c\u53d1\u9001\u7ed9\u670d\u52a1\u7aef
\n10\uff09\u670d\u52a1\u7aef\u6536\u5230\u5ba2\u6237\u7aef\u53d1\u9001\u7684\u6d88\u606f\u540e\uff0c\u4f7f\u7528\u81ea\u5df1\u7684\u79c1\u94a5\u8fdb\u884c\u89e3\u5bc6\uff0c\u83b7\u53d6\u5bf9\u79f0\u52a0\u5bc6\u7684\u5bc6\u94a5\uff0c\u5728\u63a5\u4e0b\u6765\u7684\u4f1a\u8bdd\u4e2d\uff0c\u670d\u52a1\u5668\u548c\u5ba2\u6237\u7aef\u5c06\u4f1a\u4f7f\u7528\u8be5\u5bc6\u7801\u8fdb\u884c\u5bf9\u79f0\u52a0\u5bc6\uff0c\u4fdd\u8bc1\u901a\u4fe1\u8fc7\u7a0b\u4e2d\u4fe1\u606f\u7684\u5b89\u5168\u3002<\/p>\n
<\/p>\n
\u4e8c\u3001CA\u53cc\u5411\u8ba4\u8bc1\u5b9e\u65bd<\/h1>\n
*\u6ce8\uff1a\u4ee5\u4e0b\u751f\u6210\u8fc7\u7a0b\u4ee3\u7801https:\/\/github.com\/yanjingang\/study\/tree\/master\/ssl<\/p>\n
1.\u751f\u6210\u6839\u8bc1\u4e66\u79c1\u94a5<\/h3>\nvim generate-PrivateCA.sh\n\n# 0.\u521b\u5efa\u4e00\u4e2a\u65b0\u7684 CA \u6839\u8bc1\u4e66\n#\tsh generate-PrivateCA.sh\nCA_ORG='\/O=YanJingang.com\/OU=YAN-CA\/emailAddress=yanjingang@mail.com\/countryName=CN\/stateOrProvinceName=Beijing'\nCA_DN=\"\/CN=YAN DevRootCA${CA_ORG}\"\n\n\n# \u521b\u5efa\u8bc1\u4e66\u76ee\u5f55\n#\tprivate \u7528\u4e8e\u5b58\u653e CA \u7684\u79c1\u94a5\uff1b\n#\tserver \u5b58\u653e\u670d\u52a1\u5668\u8bc1\u4e66\u6587\u4ef6\uff1b\n#\tclient \u5b58\u653e\u5ba2\u6237\u7aef\u8bc1\u4e66\u6587\u4ef6\uff1b\n#\tcerts \u5b50\u76ee\u5f55\u5c06\u7528\u4e8e\u5b58\u653e CA \u7b7e\u7f72\u8fc7\u7684\u6570\u5b57\u8bc1\u4e66(\u8bc1\u4e66\u5907\u4efd\u76ee\u5f55)\uff1b\nmkdir -p .\/ca\/private .\/ca\/server .\/ca\/client .\/ca\/certs\n\n# \u751f\u6210\u79c1\u94a5 key \u6587\u4ef6\nopenssl genrsa -out .\/ca\/private\/ca.key 2048\necho \"[DONE]\tca.key\"\n\n# \u751f\u6210\u8bc1\u4e66\u8bf7\u6c42 csr \u6587\u4ef6\nopenssl req -new -key .\/ca\/private\/ca.key -out .\/ca\/private\/ca.csr -subj \"${CA_DN}\"\necho \"[DONE]\tca.csr\"\n\n# \u751f\u6210\u51ed\u8bc1 crt \u6587\u4ef6\nopenssl x509 -req -days 365 -in .\/ca\/private\/ca.csr -signkey .\/ca\/private\/ca.key -out .\/ca\/private\/ca.crt\necho \"[DONE]\tca.crt\"\n\n# \u4e3a\u6211\u4eec\u7684 key \u8bbe\u7f6e\u8d77\u59cb\u5e8f\u5217\u53f7\u548c\u521b\u5efa CA \u952e\u5e93\necho FACE > .\/ca\/serial \n# \u53ef\u4ee5\u662f\u4efb\u610f\u56db\u4e2a\u5b57\u7b26\ntouch .\/ca\/index.txt \necho \"[DONE]\tindex.txt\"\n\n# \u4e3a \"\u7528\u6237\u8bc1\u4e66\" \u7684\u79fb\u9664\u521b\u5efa\u4e00\u4e2a\u8bc1\u4e66\u64a4\u9500\u5217\u8868\nopenssl ca -gencrl -out .\/ca\/private\/ca.crl -crldays 7 -config \".\/conf\/openssl.conf\" \necho \"[DONE]\tca.crl\"\n\n<\/code><\/pre>\nvim conf\/openssl.conf\n\n[ ca ] \ndefault_ca = mars # The default ca section \n\n[ mars ] \ndir = .\/ca # top dir \ndatabase = .\/ca\/index.txt # index file. \nnew_certs_dir = .\/ca\/certs # new certs dir \n\ncertificate = .\/ca\/private\/ca.crt # The CA cert \nserial = .\/ca\/serial # serial no file \nprivate_key = .\/ca\/private\/ca.key # CA private key \nRANDFILE = .\/ca\/private\/.rand # random number file \n\ndefault_days = 365 # how long to certify for \ndefault_crl_days= 30 # how long before next CRL \ndefault_md = sha1 # message digest method to use \nunique_subject = no # Set to 'no' to allow creation of \n # several ctificates with same subject. \npolicy = policy_any # default policy \n\n[ policy_any ] \ncountryName = match \nstateOrProvinceName = match \norganizationName = match \norganizationalUnitName = match \nlocalityName = optional \ncommonName = supplied \nemailAddress = optional \n<\/code><\/pre>\n#\u751f\u6210\u6839\u8bc1\u4e66\u79c1\u94a5\nsh generate-PrivateCA.sh\n\nll ca\/private\/\n-rw-rw-r-- 1 work work 678 3\u6708 23 17:19 ca.crl\n-rw-rw-r-- 1 work work 1285 3\u6708 23 17:19 ca.crt\n-rw-rw-r-- 1 work work 1045 3\u6708 23 17:19 ca.csr\n-rw-rw-r-- 1 work work 1675 3\u6708 23 17:19 ca.key<\/span><\/code><\/pre>\n2.\u751f\u6210\u670d\u52a1\u7aef\u8bc1\u4e66<\/h3>\nvim generate-ServerCA.sh\n\n# 1.\u670d\u52a1\u5668\u8bc1\u4e66\u7684\u751f\u6210 \n# \tsh generate-ServerCA.sh ca.yanjingang.com \nCA_ORG='\/O=YanJingang.com\/OU=YAN-CA\/emailAddress=yanjingang@mail.com\/countryName=CN\/stateOrProvinceName=Beijing'\nDOMAIN=$(hostname -f) #\u670d\u52a1\u7aef\u8bc1\u4e66\u7684\u57df\u540d\nif [ -n \"$1\" ]; then\n DOMAIN=\"$1\"\nfi\nSERVER_DN=\"\/CN=${DOMAIN}${CA_ORG}\"\n\n\n# \u521b\u5efa\u4e00\u4e2a key\nopenssl genrsa -out .\/ca\/server\/${DOMAIN}.key 2048\necho \"[DONE]\t${DOMAIN}.key\"\n\n# \u4e3a\u6211\u4eec\u7684 key \u521b\u5efa\u4e00\u4e2a\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42 csr \u6587\u4ef6\nopenssl req -new -key .\/ca\/server\/${DOMAIN}.key -out .\/ca\/server\/${DOMAIN}.csr -subj \"${SERVER_DN}\"\necho \"[DONE]\t${DOMAIN}.csr\"\n\n# \u4f7f\u7528\u6211\u4eec\u79c1\u6709\u7684 CA key \u4e3a\u521a\u624d\u7684 key \u7b7e\u540d\nopenssl ca -in .\/ca\/server\/${DOMAIN}.csr \\\n -cert .\/ca\/private\/ca.crt \\\n -keyfile .\/ca\/private\/ca.key \\\n -out .\/ca\/server\/${DOMAIN}.crt \\\n -config \".\/conf\/openssl.conf\" \necho \"[DONE]\t${DOMAIN}.crt\"\n<\/code><\/pre>\n#\u751f\u6210\u670d\u52a1\u7aef\u8bc1\u4e66\nsh generate-ServerCA.sh ca.yanjingang.com \n\nll ca\/server\/\n-rw-rw-r-- 1 work work 4059 3\u6708 23 17:53 ca.yanjingang.com.crt\n-rw-rw-r-- 1 work work 1050 3\u6708 23 17:53 ca.yanjingang.com.csr\n-rw-rw-r-- 1 work work 1679 3\u6708 23 17:53 ca.yanjingang.com.key<\/span><\/code><\/pre>\n <\/p>\n
3.\u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66<\/h3>\nvim generate-ClientCA.sh\n\n# 2.\u5ba2\u6237\u7aef\u8bc1\u4e66\u7684\u751f\u6210 \n# sh generate-ClientCA.sh client1_sn1 \nCA_ORG='\/O=YanJingang.com\/OU=YAN-CA\/emailAddress=yanjingang@mail.com\/countryName=CN\/stateOrProvinceName=Beijing'\nCLIENT_ID=\"client1\" #\u5ba2\u6237\u7aef\u8bc1\u4e66\u7684ID\nif [ -n \"$1\" ]; then\n CLIENT_ID=\"$1\"\nfi\nCLIENT_DN=\"${CA_ORG}\/CN=YAN DevClientCA ${CLIENT_ID}\"\n\n# \u4e3a\u7528\u6237\u521b\u5efa\u4e00\u4e2a key\n#openssl genrsa -des3 -out .\/ca\/client\/${CLIENT_ID}.key 2048\nopenssl genrsa -out .\/ca\/client\/${CLIENT_ID}.key 2048\necho \"[DONE]\t${CLIENT_ID}.key\"\n\n# \u4e3a key \u521b\u5efa\u4e00\u4e2a\u8bc1\u4e66\u7b7e\u540d\u8bf7\u6c42 csr \u6587\u4ef6\nopenssl req -new -key .\/ca\/client\/${CLIENT_ID}.key -out .\/ca\/client\/${CLIENT_ID}.csr -subj \"${CLIENT_DN}\"\necho \"[DONE]\t${CLIENT_ID}.csr\"\n\n# \u4f7f\u7528\u6211\u4eec\u79c1\u6709\u7684 CA key \u4e3a\u521a\u624d\u7684 key \u7b7e\u540d\nopenssl ca -in .\/ca\/client\/${CLIENT_ID}.csr -cert .\/ca\/private\/ca.crt -keyfile .\/ca\/private\/ca.key -out .\/ca\/client\/${CLIENT_ID}.crt -config \".\/conf\/openssl.conf\"\necho \"[DONE]\t${CLIENT_ID}.crt\"\n\n# \u5c06\u8bc1\u4e66\u8f6c\u6362\u4e3a\u5927\u591a\u6570\u6d4f\u89c8\u5668\u90fd\u80fd\u8bc6\u522b\u7684 PKCS12 \u6587\u4ef6\nopenssl pkcs12 -export -clcerts -in .\/ca\/client\/${CLIENT_ID}.crt -inkey .\/ca\/client\/${CLIENT_ID}.key -out .\/ca\/client\/${CLIENT_ID}.p12 \necho \"[DONE]\t${CLIENT_ID}.p12\"\n<\/code><\/pre>\n#\u751f\u6210\u5ba2\u6237\u7aef\u8bc1\u4e66\nsh generate-ClientCA.sh client1_sn1\n\nll ca\/client\/\n-rw-rw-r-- 1 work work 4073 3\u6708 23 18:09 client1_sn1.crt\n-rw-rw-r-- 1 work work 1058 3\u6708 23 18:09 client1_sn1.csr\n-rw-rw-r-- 1 work work 1675 3\u6708 23 18:09 client1_sn1.key\n-rw-rw-r-- 1 work work 2517 3\u6708 23 18:09 client1_sn1.p12<\/span><\/code><\/pre>\n <\/p>\n
4.\u914d\u7f6enginx\u53cc\u5411\u8ba4\u8bc1<\/h3>\nserver {\n listen 8443 ssl; #\u76d1\u542chttps\n server_name ca.yanjingang.com;\n\n # \u5f00\u542fhttps ssl<\/span>\n ssl on;\n ssl_certificate \/home\/work\/project\/study\/ssl\/ca\/server\/ca.yanjingang.com.crt<\/span>;\n ssl_certificate_key \/home\/work\/project\/study\/ssl\/ca\/server\/ca.yanjingang.com.key<\/span>;\n ssl_session_timeout 20m;\n ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;\n ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n ssl_prefer_server_ciphers on;\n # \u5f00\u542fca\u53cc\u5411\u8ba4\u8bc1<\/span>\n ssl_verify_client on;\n ssl_client_certificate \/home\/work\/project\/study\/ssl\/ca\/private\/ca.crt<\/span>;\n location \/ {\n fastcgi_pass $php_upstream;\n fastcgi_index index.php;\n include fastcgi.conf;\n\n # client\u8bc1\u4e66\u4fe1\u606f\u83b7\u53d6<\/span>\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u5185\u5bb9\n fastcgi_param SSL_CLIENT_CERT $ssl_client_cert;\n fastcgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u9a8c\u8bc1\u7ed3\u679c(\u901a\u8fc7\u65f6\u8fd9\u4e2a\u53d8\u91cf\u503c\u4e3aSUCCESS)\n fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u7b7e\u53d1\u8005\u4fe1\u606f\n fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u4e3b\u9898\u4fe1\u606f\n fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u5e8f\u5217\u53f7\n fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u6307\u7eb9\n fastcgi_param SSL_CLIENT_FPRINT $ssl_client_fingerprint;\n }\n ...\n}<\/code><\/pre>\n <\/p>\n
5.\u6d4b\u8bd5\u53cc\u5411\u8ba4\u8bc1<\/h3>\n--\u65e0\u8bc1\u4e66\u8bf7\u6c42\uff0c\u62d2\u7edd\u8bbf\u95ee\n curl https:\/\/ca.yanjingang.com\n curl: (60) SSL certificate problem: unable to get local issuer certificate\n--\u643a\u5e26\u6839\u8bc1\u4e66\u516c\u94a5\u8bf7\u6c42\uff0c\u62d2\u7edd\u8bbf\u95ee\n curl https:\/\/ca.yanjingang.com --cacert .\/ca\/private\/ca.crt \n 400 No required SSL certificate was sent\n\n--\u643a\u5e26\u6839\u8bc1\u4e66\u516c\u94a5\u3001\u5ba2\u6237\u7aef\u8bc1\u4e66\u516c\u94a5\/\u79c1\u94a5\u8bf7\u6c42\uff0c\u53cc\u5411\u8ba4\u8bc1\u901a\u8fc7\n curl https:\/\/ca.yanjingang.com --cacert .\/ca\/private\/ca.crt --cert .\/ca\/client\/client1_sn1.crt --key .\/ca\/client\/client1_sn1.key\n CA\u53cc\u5411\u8ba4\u8bc1\u901a\u8fc7!\n--\u6216mac\u4e2d\u53cc\u51fbclient1.p12\uff08p12\u4e2d\u5305\u542bclient\u516c\u94a5+\u79c1\u94a5\uff09\u6dfb\u52a0\u5230\u7cfb\u7edf\u94a5\u5319\u4e32\uff0c\u5e76\u8bbe\u7f6e\u201c\u59cb\u7ec8\u4fe1\u4efb\u201d\uff0c\u53cc\u5411\u8ba4\u8bc1\u901a\u8fc7\n \u6d4f\u89c8\u5668\u8bbf\u95eehttps:\/\/ca.yanjingang.com\/\n CA\u53cc\u5411\u8ba4\u8bc1\u901a\u8fc7!<\/code><\/pre>\n6.\u5ba2\u6237\u7aef\u8bc1\u4e66\u4fe1\u606f\u83b7\u53d6<\/h3>\n--\u5ba2\u6237\u7aef\u8bc1\u4e66\u751f\u6210\u81ea\u5b9a\u4e49\u6269\u5c55\u4fe1\u606f\n \u5ba2\u6237\u7aefID\u548c+SN\u5199\u5165CN\u5373\u53ef\uff08generate-ClientCA.sh client1_sn1\uff09\uff0c\u4e0d\u9700\u8981\u7279\u6b8a\u7684\u6269\u5c55\u4f4d\u7f6e\uff1b\u4e5f\u65b9\u4fbf\u670d\u52a1\u7aef\u83b7\u53d6\n\n--nginx\u914d\u7f6e\n location \/ {\n fastcgi_pass $php_upstream;\n fastcgi_index index.php;\n include fastcgi.conf;\n\n # client\u8bc1\u4e66\u4fe1\u606f\u83b7\u53d6\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u5185\u5bb9\n fastcgi_param SSL_CLIENT_CERT $ssl_client_cert;\n fastcgi_param SSL_CLIENT_RAW_CERT $ssl_client_raw_cert;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u9a8c\u8bc1\u7ed3\u679c(\u901a\u8fc7\u65f6\u8fd9\u4e2a\u53d8\u91cf\u503c\u4e3aSUCCESS)\n fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u7b7e\u53d1\u8005\u4fe1\u606f\n fastcgi_param SSL_CLIENT_I_DN $ssl_client_i_dn;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u4e3b\u9898\u4fe1\u606f\n fastcgi_param SSL_CLIENT_S_DN $ssl_client_s_dn;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u5e8f\u5217\u53f7\n fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial;\n # \u5ba2\u6237\u7aef\u8bc1\u4e66\u6307\u7eb9\n fastcgi_param SSL_CLIENT_FPRINT $ssl_client_fingerprint;\n\n }\n\n--\u670d\u52a1\u7aef\u83b7\u53d6\u5ba2\u6237\u7aef\u8bc1\u4e66\u7684\u81ea\u5b9a\u4e49\u4fe1\u606f\n <?php\n echo \"CA Two Way Auth Success!\\n\";\n $keys = [\n 'SSL_CLIENT_CERT',\n 'SSL_CLIENT_RAW_CERT',\n 'SSL_CLIENT_VERIFY',\n 'SSL_CLIENT_I_DN',\n 'SSL_CLIENT_S_DN',\n 'SSL_CLIENT_SERIAL',\n 'SSL_CLIENT_FPRINT',\n ];\n $client_id = \"\";\n foreach($keys as $k){\n echo \"{$k}={$_SERVER[$k]}\\n\";\n \/\/ \u63d0\u53d6client\u8bc1\u4e66\u4e2d\u7684CN\u4fe1\u606f\n if($k == 'SSL_CLIENT_S_DN'){\n foreach(explode('\/', $_SERVER['SSL_CLIENT_S_DN']) as $dn){\n $dn = explode('=', $dn);\n if($dn[0] == 'CN'){\n $client_id = $dn[1];\n break;\n }\n }\n }\n }\n echo \"client_id = $client_id\\n\";\n ?><\/code><\/pre>\n# \u6d4b\u8bd5\ncurl https:\/\/ca.yanjingang.com --cacert .\/ca\/private\/ca.crt --cert .\/ca\/client\/client1_sn1.crt --key .\/ca\/client\/client1_sn1.key\n\nCA Two Way Auth Success!\nSSL_CLIENT_CERT = -----BEGIN CERTIFICATE-----\n\tMIIDgDCCAmgCAwD62DANBgkqhkiG9w0BAQUFADCBhTEWMBQGA1UEAwwNWUFOIERl\n\tdlJvb3RDQTEXMBUGA1UECgwOWWFuSmluZ2FuZy5jb20xDzANBgNVBAsMBllBTi1D\n\t...\n\tOvIgzFuDZ\/MCFhf5lAJcT4u7sNjnFK1fgtxyVQkX9HuYcdAwBr4OJTb2pV1YMI7n\n\tx\/mGTSmhwQkaeOFYFYJhrl+kj30iuRLBr1hUuMXMNTTdnzl8\n\t-----END CERTIFICATE-----\nSSL_CLIENT_RAW_CERT = -----BEGIN CERTIFICATE-----\nMIIDgDCCAmgCAwD62DANBgkqhkiG9w0BAQUFADCBhTEWMBQGA1UEAwwNWUFOIERl\ndlJvb3RDQTEXMBUGA1UECgwOWWFuSmluZ2FuZy5jb20xDzANBgNVBAsMBllBTi1D\n...\nOvIgzFuDZ\/MCFhf5lAJcT4u7sNjnFK1fgtxyVQkX9HuYcdAwBr4OJTb2pV1YMI7n\nx\/mGTSmhwQkaeOFYFYJhrl+kj30iuRLBr1hUuMXMNTTdnzl8\n-----END CERTIFICATE-----\n\nSSL_CLIENT_VERIFY = SUCCESS\nSSL_CLIENT_I_DN = \/CN=YAN DevRootCA\/O=YanJingang.com\/OU=YAN-CA\/emailAddress=yanjingang@mail.com\/C=CN\/ST=Beijing\nSSL_CLIENT_S_DN = \/C=CN\/ST=Beijing\/O=YanJingang.com\/OU=YAN-CA\/CN=client1_sn1<\/span>\/emailAddress=yanjingang@mail.com\nSSL_CLIENT_SERIAL = FAD8\nSSL_CLIENT_FPRINT = 960f557871955abd03084db953ad401fb8b7033f\nclient_id = client1_sn1<\/span><\/code><\/pre>\n <\/p>\n
yan 20.3.23 23:19<\/p>\n
<\/p>\n
\u53c2\u8003\uff1a<\/p>\n
SSL\u6a21\u5757\uff08SSL\uff09<\/a><\/p>\nHTTP client certificate var in nginx is blank?<\/a><\/p>\nNginx SSL \u53cc\u5411\u8ba4\u8bc1\uff0ckey \u751f\u6210\u548c\u914d\u7f6e<\/a><\/p>\n
![\"\"](\"\/\/blog.yanjingang.com\/wp-content\/uploads\/2020\/03\/ca-2way.png\")
<\/a><\/p>\n