Sample code for implementing two-way authentication with Nginx+SSL

First create a directory

cd /etc/nginx
mkdir ssl
cd ssl

CA and Self-Signed Root Certificate

Create a CA private key

openssl genrsa -out ca.key 2048

Create a CA root certificate (public key)

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

Notice:

1. Common Name can be filled in at will
2. To avoid mistakes, please fill in all other required information.

Server Certificate

Make a server-side private key:

openssl genrsa -out server.pem 2048
openssl rsa -in server.pem -out server.key

Generate a signing request:

openssl req -new -key server.pem -out server.csr

Notice:

1. Common Name must be the domain name used to access the service. Here we use usb.dev, which the NGINX configuration below also uses.
2. To avoid mistakes, fill in all other required information (to match the CA root certificate)

Sign the request with the CA:

openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt

Client Certificates

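The steps are the same as for the server certificate. The export command later in this article expects the resulting files to be named client.pem (private key) and client.crt (certificate).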

Notice:

1. Common Name can be filled in at will
2. To avoid mistakes, fill in all other required information (to match the CA root certificate)
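The client steps written out as an added example (not part of the original article): the same commands as for the server, run with -subj so nothing is prompted for, followed by an openssl verify check that only a certificate issued by this CA chains to ca.crt, which is what ssl_verify_client enforces against ssl_client_certificate. The subject names demo-ca, client1, other-ca and intruder and the temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original article. Subject names are constructed.

# make_ca DIR CN: CA private key and self-signed root certificate in DIR
make_ca() {
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null &&
    openssl req -new -x509 -days 3650 -key "$1/ca.key" \
        -subj "/CN=$2" -out "$1/ca.crt"
}

# issue_client DIR CN: client key, CSR, and certificate signed by the CA in DIR
issue_client() {
    openssl genrsa -out "$1/client.pem" 2048 2>/dev/null &&
    openssl req -new -key "$1/client.pem" -subj "/CN=$2" \
        -out "$1/client.csr" &&
    openssl x509 -req -sha256 -in "$1/client.csr" -CA "$1/ca.crt" \
        -CAkey "$1/ca.key" -CAcreateserial -days 3650 \
        -out "$1/client.crt" 2>/dev/null
}

# chain_ok CA_CRT CERT: exit status 0 only if CERT was issued by CA_CRT
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo: one client issued by our CA and one issued by an unrelated CA
demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/ours" "$d/other"
    make_ca "$d/ours" demo-ca && issue_client "$d/ours" client1 &&
    make_ca "$d/other" other-ca && issue_client "$d/other" intruder || return 1
    chain_ok "$d/ours/ca.crt" "$d/ours/client.crt" && echo "client1: accepted"
    chain_ok "$d/ours/ca.crt" "$d/other/client.crt" || echo "intruder: rejected"
    rm -rf "$d"
}

demo
```
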

Now that the required certificates are in place, we can start configuring NGINX.

Nginx Configuration

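server {
    # "listen ... ssl" replaces the "ssl on;" directive, which current nginx releases no longer accept
    listen 443 ssl;
    server_name usb.dev;

    index index.html;

    root /data/test/;

    # Server certificate and private key presented to clients
    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    # CA used to verify client certificates; requests without a valid client certificate are refused
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;
}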

Request Verification

The verification process can be done on another machine or on the local machine. In order to resolve usb.dev, you also need to configure /etc/hosts:

<server IP address> usb.dev

If you use a browser for authentication, you need to export the client certificate into p12 format.

openssl pkcs12 -export -clcerts -in client.crt -inkey client.pem -out client.p12

Download the certificates from the server and install them in the trusted certificate list. Open the p12 file just generated and enter the certificate password to install it in the personal list.
Then close the browser, reopen it and enter the domain name again. A certificate prompt for SSL two-way verification will appear; select the client certificate.
