我了解关于同一主题的问题很多。不幸的是,没有什么能解决我的确切问题。所以让我具体一点。我正在开发一套需要证书认证的REST API(很奇怪,但类似)。因此,为了进行测试,我们使用openssl创建了自签名证书,如下所示:
openssl req -x509 -sha256 -newkey rsa:4096 -keyout ca.key -out ca.crt -days 356 -nodes -subj '/CN=Lead Services'
openssl req -new -newkey rsa:4096 -keyout server.key -out server.csr -nodes -subj '/CN=*.lservices.eu'
openssl x509 -req -sha256 -days 365 -in server.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out services/server.crt
openssl x509 -req -sha256 -days 365 -in client.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out services/client.crt
现在,已将nginx设置为与这些ssl证书一起运行,需要客户端身份验证。 Nginx配置看起来像这样:
listen 443 ssl;
server_name lacs.lservices.eu localhost;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_certificate certs/server.crt;
ssl_certificate_key certs/server.key;
ssl_client_certificate certs/ca.crt;
ssl_verify_client on;
使用上面生成的客户端证书用postman测试API效果很好。到目前为止一切都很好。我们创建了一个swagger-ui,它提供了直接从浏览器进行测试的选项。但是这里的客户端身份验证不起作用。
[我尝试在Windows 10中将CA证书导入到Trusted CA存储中,并将客户端证书导入到Personal中,并尝试从Chrome和Edge进行测试,但是服务器使用400 No required SSL certificate was sent拒绝了呼叫。
添加openssl s_client -connect localhost:443的输出
CONNECTED(00000218)
depth=0 CN = *.lservices.eu
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = *.lservices.eu
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
0 s:/CN=*.lservices.eu
i:/CN=Lead Services
---
Server certificate
-----BEGIN CERTIFICATE-----
......certificate content removed ---
-----END CERTIFICATE-----
subject=/CN=*.lservices.eu
issuer=/CN=Lead Services
---
Acceptable client certificate CA names
/CN=Lead Services
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:0x07+0x08:0x08+0x08:0x09+0x08:0x0A+0x08:0x0B+0x08:0x04+0x08:0x05+0x08:0x06+0x08:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:ECDSA+SHA1:RSA+SHA224:RSA+SHA1:DSA+SHA224:DSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 2245 bytes and written 455 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: C2A281888B9899B68D6734DBDACE351F7975709F887FDD1EC011419D25F67B36
Session-ID-ctx:
Master-Key: CE307DF955A22CA2F901E95078DDEFF5AB8668B4789B7979504DC054E1DA8400B244B10C825DB899F713BE9E3665C63A
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 300 (seconds)
TLS session ticket:
0000 - 5c 99 a8 3c e8 e4 c2 f3-ce 19 db fd c7 35 4f f0 \..<.........5O.
0010 - 80 6f b7 59 19 c6 50 9c-c1 ad 2c 5c 06 30 94 05 .o.Y..P...,\.0..
0020 - 95 02 2b af 80 07 c4 0b-fd b2 64 a3 7c 2b d7 91 ..+.......d.|+..
0030 - 33 d0 65 3a 47 23 2c 07-6a c6 62 7f 90 bb 75 50 3.e:G#,.j.b...uP
0040 - 18 35 ae 08 38 59 ec 59-9c 6e 77 69 40 16 49 46 [email protected]
0050 - ce 5f b8 35 88 e1 d9 7a-6b e5 21 db 30 83 c0 b8 ._.5...zk.!.0...
0060 - 72 37 91 d9 ce e4 e8 d4-88 e0 b0 10 2c cc c2 c6 r7..........,...
0070 - ac 39 da 68 de cb 92 be-6c 61 77 cc cd 10 0b 47 .9.h....law....G
0080 - ae 0b 97 40 0b 41 46 98-5b fe 1e 17 a2 40 4a 2a [email protected].[....@J*
0090 - c8 d1 02 2e 3e 73 df 8e-ac 5c 3e 85 54 a2 ee 68 ....>s...\>.T..h
00a0 - 05 3f 76 2f 5a e4 36 dc-c4 1b c2 f1 81 70 b3 63 .?v/Z.6......p.c
Start Time: 1577357945
Timeout : 300 (sec)
Verify return code: 21 (unable to verify the first certificate)
---
我如何使它起作用?对于无法像这样使用的自签名证书是否有任何限制?任何帮助表示赞赏!
通常:
1。)验证服务器是否接受来自您的CA的客户端证书。从以下位置检查Acceptable client certificate CA:
openssl s_client -connect <server:tls-port>
2。)验证导入的个人证书是否符合1)Acceptable client certificate CA中的要求。
尚不清楚您是如何创建client.csr的-可能存在问题。希望您使用了其他密钥。