使用自签名SSL证书进行Nginx的客户端身份验证
我正在LAN中托管一个Nginx Web服务器,我想对使用ssl客户端证书访问我的服务器的客户端进行身份验证.我在Google上的一些文档之后生成了一个自签名的SSL证书和一个客户端证书.但是我无法认证拥有证书的客户.我遇到以下错误
I am hosting a nginx webserver in my LAN and I want to authenticate client who are accessing my server with ssl client certificate.I generated a self signed SSL certificate and one client certificate following some documents on google. But I am unable to authenticate client who has certificate. I am getting the following errors
当从Firefox请求时:
When requested from Firefox:
2017/08/10 18:30:13 [info] 8994#0:* 4客户端在读取客户端请求标头时未发送必需的SSL证书,客户端:192.168.16.27,服务器:192.168.26.43,请求:"GET /hls1/master.m3u8 HTTP/1.1,主机:" 192.168.26.43"
2017/08/10 18:30:13 [info] 8994#0: *4 client sent no required SSL certificate while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls1/master.m3u8 HTTP/1.1", host: "192.168.26.43"
使用curl请求时: curl -v -s -k --key client.key --cert client.crt --cacert ca.crt https://192.168.26.43/hls2/master.m3u8
When request using curl: curl -v -s -k --key client.key --cert client.crt --cacert ca.crt https://192.168.26.43/hls2/master.m3u8
2017/08/10 18:30:33 [信息] 8994#0:* 5客户端SSL证书验证错误:(18:自签名证书)读取客户端请求标头时,客户端:192.168.16.27,服务器:192.168 .26.43,请求:"GET/hls2/master.m3u8 HTTP/1.1",主机:"192.168.26.43"
2017/08/10 18:30:33 [info] 8994#0: *5 client SSL certificate verify error: (18:self signed certificate) while reading client request headers, client: 192.168.16.27, server: 192.168.26.43, request: "GET /hls2/master.m3u8 HTTP/1.1", host: "192.168.26.43"
所以,我的问题是我可以使用自签名证书对客户端进行身份验证吗?如果可以,那么任何人都可以提供实现此目的的步骤吗?
So,my question is can I use self-signed certificate to authenticate client?If so, can anyone provide the steps to achieve this?
我偶然发现了这个陷阱,发现了一个小陷阱,该陷阱导致了您遇到的相同错误:
I just stumbled over this and discovered a small pitfall which caused the same error you encountered:
在0深度查找错误18:自签名证书
error 18 at 0 depth lookup: self signed certificate
关于如何创建自签名客户端证书的指南很多,我使用了以下内容(改编自此处):
There are plenty of guides how to create a self signed client certificate, I used the following (adapted from here):
# Create the CA Key and Certificate for signing Client Certs
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
# Create the Client Key and CSR
openssl genrsa -des3 -out client.key 4096
openssl req -new -key client.key -out client.csr
# Sign the client certificate with our CA cert
openssl x509 -req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out client.crt
# Convert to .p12 so import in OSX works
openssl pkcs12 -export -clcerts -inkey client.key -in client.crt -out client.p12 -name "MyKey"
但是,如果您为ca和客户证书使用相同的组织名称(例如,公司),则会看到上述错误!
However, if you use the same Organization Name (eg, company) for both your ca and your client certificate, you will see above error!
如果openssl verify -verbose -CAfile ca.crt client.crt没有抱怨自签名证书,那您就走了.
If openssl verify -verbose -CAfile ca.crt client.crt does not complain about a self-signed certificate, you're good to go.