Building a site that requires client certificates (nginx)


  • Done on Debian 9

Reference

1. Preparing openssl.cnf

  • Typing everything at each prompt is tedious, so put the common settings in openssl.cnf.
mkdir /opt/demoCA
cd /opt/demoCA
cp -a /etc/ssl/openssl.cnf .
/opt/demoCA/openssl.cnf
-dir            = ./demoCA              # Where everything is kept
+dir            = /opt/demoCA           # Where everything is kept
 certs          = $dir/certs            # Where the issued certs are kept
 crl_dir                = $dir/crl              # Where the issued crl are kept
 database       = $dir/index.txt        # database index file.
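Review bot: with `dir` now pointing at the absolute `/opt/demoCA`, every `$dir`-relative entry in this hunk must exist before `openssl ca` is run, but the post only creates `private` and `newcerts` later, in the signing step. `openssl ca` aborts if the `database` file is missing, so the preparation step should include `touch /opt/demoCA/index.txt` and `mkdir -p /opt/demoCA/certs /opt/demoCA/crl` (the serial number file in the same section, if present, needs an initial value as well).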
@@ -70,7 +70,7 @@
 # crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions       = crl_ext

-default_days   = 365                   # how long to certify for
+default_days   = 3650                  # how long to certify for
 default_crl_days= 30                   # how long before next CRL
 default_md     = default               # use public key default MD
 preserve       = no                    # keep passed DN ordering
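Review bot: `default_days = 3650` applies to every certificate this CA signs, so the client certificates handed out in step 5 stay valid for ten years. Once a client key is lost or a user leaves, only revocation through the CRL settings just above (`default_crl_days`) can cut it off, and the nginx configuration in this post never loads a CRL. Either keep the default and pass a shorter `-days` to `openssl ca` when signing client requests, or document the revocation procedure alongside this change.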
@@ -126,17 +126,17 @@

 [ req_distinguished_name ]
 countryName                    = Country Name (2 letter code)
-countryName_default            = AU
+countryName_default            = JP
 countryName_min                        = 2
 countryName_max                        = 2

 stateOrProvinceName            = State or Province Name (full name)
-stateOrProvinceName_default    = Some-State
+stateOrProvinceName_default    = Tokyo

 localityName                   = Locality Name (eg, city)

 0.organizationName             = Organization Name (eg, company)
-0.organizationName_default     = Internet Widgits Pty Ltd
+0.organizationName_default     = mycompany.jp

 # we can do this but it is not needed normally :-)
 #1.organizationName            = Second Organization Name (eg, company)

2. Creating the certificate authority (CA)

openssl genrsa -out cakey.pem 2048
# Common Name: enter the server's name
openssl req -config openssl.cnf -new -x509 -key cakey.pem \
     -out cacert.pem

3. Creating the server certificate

openssl genrsa -out private.pem 2048
# Common Name: enter the server's name
openssl req -config openssl.cnf -new -key private.pem -out newreq.pem

Signing

mkdir private newcerts
mv cakey.pem private/
openssl ca -config openssl.cnf -policy policy_anything \
    -out cert.pem -in newreq.pem
Concatenate for nginx
cat  cert.pem  cacert.pem  >  allcert.pem

4. nginx configuration

/etc/nginx/sites-enabled/default
# http settings
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        ...
}

# https settings
server {
        listen 443 ssl;
        ssl_certificate /opt/demoCA/allcert.pem;
        ssl_certificate_key /opt/demoCA/private.pem;

        root /srv/www/html;
        charset   utf-8;

        index index.html index.htm index.nginx-debian.html index.php;
        server_name _;
        location / {
                try_files $uri $uri/ =404;
                autoindex on;
        }
        # php settings
        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        }
        # make the site unviewable without a client SSL certificate
        ssl_verify_client on;
        ssl_client_certificate /opt/demoCA/cacert.pem;
}
Syntax check
nginx -t -c /etc/nginx/nginx.conf
/etc/init.d/nginx restart
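As an added example (not the original post's configuration), the same https server block reworked so that the certificate requirement is enforced per location with `$ssl_client_verify` instead of failing the TLS handshake, and so that the verified identity is handed to PHP. The CRL file /opt/demoCA/crl.pem and the /public/ location are assumptions; the CRL would be produced with `openssl ca -gencrl`, which this post does not cover.

```nginx
# Added example, not the original post's config. Assumes the CA from this page
# at /opt/demoCA and a hypothetical CRL at /opt/demoCA/crl.pem.
server {
        listen 443 ssl;
        server_name _;
        ssl_certificate     /opt/demoCA/allcert.pem;
        ssl_certificate_key /opt/demoCA/private.pem;

        # Ask for a client certificate but do not abort the handshake without
        # one; enforcement happens per location below via $ssl_client_verify.
        ssl_verify_client      optional;
        ssl_client_certificate /opt/demoCA/cacert.pem;
        ssl_verify_depth       1;                    # only certs signed directly by cacert.pem
        ssl_crl                /opt/demoCA/crl.pem;  # revoked client certs fail verification

        root /srv/www/html;
        index index.html index.php;

        # Public part of the site: reachable without a certificate.
        location /public/ {
                try_files $uri $uri/ =404;
        }

        # Everything else requires a certificate that verified against the CA.
        # $ssl_client_verify is SUCCESS, NONE, or FAILED:<reason>.
        location / {
                if ($ssl_client_verify != SUCCESS) {
                        return 403;
                }
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                if ($ssl_client_verify != SUCCESS) {
                        return 403;
                }
                include snippets/fastcgi-php.conf;
                # Pass the verified identity to PHP so the application does not
                # have to trust any client-supplied header for the user name.
                fastcgi_param SSL_CLIENT_VERIFY $ssl_client_verify;
                fastcgi_param SSL_CLIENT_S_DN   $ssl_client_s_dn;
                fastcgi_param SSL_CLIENT_SERIAL $ssl_client_serial;
                fastcgi_pass unix:/var/run/php/php7.0-fpm.sock;
        }
}
```

nginx reads the CRL at startup, so reload it after each `openssl ca -gencrl`; with `ssl_verify_client on` as in the post, a client without a certificate gets a handshake failure rather than the 403 page shown here.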

5. Certificate to distribute to clients

openssl genrsa -out client_private.pem 2048
# Common Name: specify the user name
openssl req -config openssl.cnf -new -key client_private.pem -out newreq.pem
# sign the client request with the CA
openssl ca -config openssl.cnf -policy policy_anything \
    -out client_cert.pem -in newreq.pem
# bundle the client key, the client certificate and the CA certificate into a PKCS#12 file
cat client_private.pem client_cert.pem cacert.pem \
| openssl pkcs12 -export -out client.p12 -name "client key"
  • Distribute client.p12 and confirm that https://<server IP>/ can be accessed.