1. CA
- Generate a CA private key
openssl genrsa -aes256 -out ca-key.pem 4096
- Generate a CA certificate
openssl req -new -x509 -days 365 -key ca-key.pem -sha256 -out ca.pem
2. Server
- Generate a server private key
openssl genrsa -out server-key.pem 4096
- Generate a server certificate signing request (CSR)
openssl req -sha256 -new -key server-key.pem -out server.csr
- Generate a server certificate
# For the difference between CN and SAN, see http://tny.im/YwjYk
echo subjectAltName = IP:192.168.200.135,IP:127.0.0.1 >> extfile.cnf
# Specify additional purposes
echo extendedKeyUsage = serverAuth >> extfile.cnf
openssl x509 -req -days 365 -sha256 -in server.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out server-cert.pem -extfile extfile.cnf
3. Client
- Generate a client private key
openssl genrsa -out key.pem 4096
- Generate a client certificate signing request (CSR)
openssl req -new -key key.pem -out client.csr
- Generate a client certificate
echo extendedKeyUsage = clientAuth > extfile-client.cnf
# Generate the certificate
openssl x509 -req -days 365 -sha256 -in client.csr -CA ca.pem -CAkey ca-key.pem \
  -CAcreateserial -out cert.pem -extfile extfile-client.cnf
# Convert to PKCS#12 (the certificate and key are stored in the same file)
openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.p12
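Before deploying the files, it is worth checking that each certificate chains to the CA, is accepted only for its intended role, and matches its private key. The script below is an added example, not part of the original page; it builds a throwaway PKI with the same file names (2048-bit keys, 1-day validity, an unencrypted CA key and the subject names are assumptions chosen so it runs quickly and non-interactively), and `make_pki`, `valid_for` and `key_matches_cert` are hypothetical helper names.

```shell
#!/bin/sh
# Added example. Builds a throwaway PKI in a temp dir (constructed test data:
# 2048-bit keys, 1-day validity, unencrypted CA key) and checks the results.

make_pki() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    openssl req -new -x509 -days 1 -newkey rsa:2048 -nodes -sha256 \
      -subj "/CN=Example Test CA" -keyout ca-key.pem -out ca.pem || exit 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=localhost" \
      -keyout server-key.pem -out server.csr || exit 1
    printf 'subjectAltName = IP:127.0.0.1\nextendedKeyUsage = serverAuth\n' \
      > extfile.cnf
    openssl x509 -req -days 1 -sha256 -in server.csr -CA ca.pem \
      -CAkey ca-key.pem -CAcreateserial -out server-cert.pem \
      -extfile extfile.cnf || exit 1
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=client" \
      -keyout key.pem -out client.csr || exit 1
    echo 'extendedKeyUsage = clientAuth' > extfile-client.cnf
    openssl x509 -req -days 1 -sha256 -in client.csr -CA ca.pem \
      -CAkey ca-key.pem -CAcreateserial -out cert.pem \
      -extfile extfile-client.cnf
  ) >/dev/null 2>&1
}

# True if the certificate chains to the CA and its extendedKeyUsage permits
# the purpose. $1 = CA cert, $2 = sslserver | sslclient, $3 = certificate
valid_for() {
  openssl verify -CAfile "$1" -purpose "$2" "$3" >/dev/null 2>&1
}

# True if the private key belongs to the certificate (public keys identical).
key_matches_cert() {  # $1 = certificate, $2 = private key
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  [ "$pub" = "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Demo: each certificate is accepted for its own role and rejected for the other.
dir=$(mktemp -d) && make_pki "$dir"
for cert in server-cert.pem cert.pem; do
  for purpose in sslserver sslclient; do
    if valid_for "$dir/ca.pem" "$purpose" "$dir/$cert"
    then echo "$cert as $purpose: ok"
    else echo "$cert as $purpose: REJECTED"
    fi
  done
done
rm -rf "$dir"
```

The same two functions can be pointed at the real `ca.pem`, `server-cert.pem`, `cert.pem` and key files produced by the steps above.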
4. Nginx configuration
server {
    listen 443 ssl;
    server_name localhost;

    # enable server authentication
    ssl_certificate /work/ssl/vue3-admin/server-cert.pem;
    ssl_certificate_key /work/ssl/vue3-admin/server-key.pem;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); list them only if legacy clients need them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # optimization
    ssl_session_cache shared:SSL:10m;  # 1m holds about 4000 sessions
    ssl_session_timeout 1m;

    # require a client certificate signed by this CA
    ssl_client_certificate /work/ssl/vue3-admin/ca.pem;
    ssl_verify_client on;

    location / {
        root /work/web/vue3-admin/;
        index index.html index.htm;
    }
}
5. Access
- Browser
Pem
# 2. certmgr.msc: import the personal certificate cert.p12
- Command line
curl https://xxxxx/index.html \
  --cacert ./ca.pem \
  --cert ./cert.pem \
  --key ./key.pem