Setting up a self-signed (oreore) certificate in nginx
Creating the certificate
Create the private key
# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................+++
.......................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
The passphrase is removed later, so anything will do.
Create the certificate signing request
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:JP
State or Province Name (full name) [Some-State]:Tokyo
Locality Name (eg, city) []:Shinjyuku
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xxx .inc
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:xxx.com
Email Address []:xxx@gmail.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Make the Common Name match the host name; otherwise the following error comes up when testing with curl.
That said, other environments might be fine with it.
curl: (51) SSL: certificate subject name 'xxx.com' does not match target host name 'yyy.com'
Remove the passphrase from the private key
openssl rsa -in server.key -out server.key
Create the certificate
openssl x509 -req -days 36500 -in server.csr -signkey server.key -out server.crt
nginx configuration
Add the following to the server block
listen 443 ssl;
ssl_certificate /path/to/server.crt;
ssl_certificate_key /path/to/server.key;
Verify with curl
Copy server.crt to some other machine and run
curl --cacert ./server.crt https://xxx.com
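The same procedure as one non-interactive script, added here as an example (it is not from the original post). It assumes OpenSSL 1.1.1 or newer for `req -addext`, and it also puts the host name into a subjectAltName, because current curl and browsers match the host against the SAN rather than only the Common Name, which is the check behind the "does not match target host name" error above. The function names, the `/O=example` subject and the default validity are the example's own choices.

```shell
#!/bin/sh
# Added example: non-interactive self-signed certificate for nginx.
# Assumes OpenSSL >= 1.1.1 (req -addext) and a POSIX shell.
set -eu

# make_selfsigned HOST OUTDIR [DAYS]
# Writes OUTDIR/server.key (no passphrase, mode 600) and OUTDIR/server.crt
# in one step, replacing genrsa + req + rsa + x509 from the post above.
make_selfsigned() {
    host=$1; outdir=$2; days=${3:-365}
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$outdir/server.key" -out "$outdir/server.crt" \
        -days "$days" \
        -subj "/C=JP/ST=Tokyo/L=Shinjuku/O=example/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$outdir/server.key"   # only the web server should read the key
}

# cert_matches_host CRT HOST
# Returns 0 when HOST appears as a DNS entry in the certificate's SAN,
# 1 otherwise. Mismatch here is what produces curl error (51).
cert_matches_host() {
    crt=$1; host=$2
    openssl x509 -in "$crt" -noout -text \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
        | grep -qxF "DNS:$host"
}

# verify_with_self CRT
# What `curl --cacert server.crt` does on the trust side, without a server:
# use server.crt as the only trust anchor and validate server.crt against it.
verify_with_self() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# write_nginx_conf HOST OUTDIR
# Emits the server block from the post, with absolute paths filled in.
write_nginx_conf() {
    host=$1; outdir=$2
    cat <<EOF > "$outdir/ssl.conf"
server {
    listen 443 ssl;
    server_name $host;
    ssl_certificate $outdir/server.crt;
    ssl_certificate_key $outdir/server.key;
}
EOF
}
```

After running `make_selfsigned xxx.com /etc/nginx/ssl`, `cert_matches_host /etc/nginx/ssl/server.crt xxx.com` confirms the name before nginx is reloaded.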