生成證書鏈

用腳本生成一個根證書, 一個中間證書(intermediate), 三個客戶端證書.

中間證書的域名為 localhost.

#!/bin/bash -xset -efor C in `echo root-ca intermediate`; do mkdir $C cd $C mkdir certs crl newcerts private cd .. echo 1000 > $C/serial touch $C/index.txt $C/index.txt.attr echo '[ ca ]default_ca = CA_default[ CA_default ]dir      = '$C'  # Where everything is keptcerts     = $dir/certs        # Where the issued certs are keptcrl_dir    = $dir/crl        # Where the issued crl are keptdatabase    = $dir/index.txt      # database index file.new_certs_dir = $dir/newcerts      # default place for new certs.certificate  = $dir/cacert.pem        # The CA certificateserial     = $dir/serial        # The current serial numbercrl      = $dir/crl.pem        # The current CRLprivate_key  = $dir/private/ca.key.pem    # The private keyRANDFILE    = $dir/.rnd   # private random number filenameopt    = default_cacertopt    = default_capolicy     = policy_matchdefault_days  = 365default_md   = sha256[ policy_match ]countryName      = optionalstateOrProvinceName  = optionalorganizationName    = optionalorganizationalUnitName = optionalcommonName       = suppliedemailAddress      = optional[req]req_extensions = v3_reqdistinguished_name = req_distinguished_name[req_distinguished_name][v3_req]basicConstraints = CA:TRUE' > $C/openssl.confdoneopenssl genrsa -out root-ca/private/ca.key 2048openssl req -config root-ca/openssl.conf -new -x509 -days 3650 -key root-ca/private/ca.key -sha256 -extensions v3_req -out root-ca/certs/ca.crt -subj '/CN=Root-ca'openssl genrsa -out intermediate/private/intermediate.key 2048openssl req -config intermediate/openssl.conf -sha256 -new -key intermediate/private/intermediate.key -out intermediate/certs/intermediate.csr -subj '/CN=localhost.'openssl ca -batch -config root-ca/openssl.conf -keyfile root-ca/private/ca.key -cert root-ca/certs/ca.crt -extensions v3_req -notext -md sha256 -in intermediate/certs/intermediate.csr -out intermediate/certs/intermediate.crtmkdir outfor I in `seq 1 3` ; do openssl req -new -keyout out/$I.key -out out/$I.request -days 365 -nodes -subj "/CN=$I.example.com" -newkey rsa:2048 openssl ca -batch -config root-ca/openssl.conf -keyfile intermediate/private/intermediate.key -cert intermediate/certs/intermediate.crt -out out/$I.crt -infiles out/$I.requestdone

服務器

nginx 配置

worker_processes 1;events {  worker_connections 1024;}stream{  upstream backend{    server 127.0.0.1:8080;  }  server {    listen 8888 ssl;    proxy_pass backend;    ssl_certificate   intermediate.crt;    ssl_certificate_key intermediate.key;    ssl_verify_depth 2;    ssl_client_certificate root.crt;    ssl_verify_client optional_no_ca;  }}

客戶端

curl / -I / -vv / -x https://localhost:8888/ / --proxy-cert client1.crt / --proxy-key client1.key / --proxy-cacert ca.crt / https://www.baidu.com/