我已经生成了如下所示的证书:
Root-CA -> Intermediate-CA -> Server
Root-CA:
rootca.key
rootca.crt
rootca.crl
Intermediate-CA:
intermediateca.key
intermediateca.crt
intermediateca.crl
Server:
server.key
server.crt
此处的Root-CA签名为Root-CA自签名证书。
然后,Intermediate-CA由Root-CA和Server签字人签字Intermediate-CA
以上所有文件均位于confs文件夹中
Nginx 配置:
server {
listen 443 ssl;
listen [::]:443 SSL;
server_name www.example.com;
ssl_certificate /home/user/confs/?;
ssl_certificate_key /home/user/confs/?;
ssl_ocsp on;
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate /home/user/confs/?;
ssl_crl /home/user/confs/?;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /home/user/confs/?;
}
哪些文件将位于 中?。有人能帮我配置 Nginx 吗?谢谢您的时间。
答案1
尝试:
server {
listen 443 ssl;
listen [::]:443 SSL;
server_name www.example.com;
ssl_certificate /home/user/confs/server_chain.crt;
ssl_certificate_key /home/user/confs/server.key;
ssl_ocsp on;
ssl_verify_client on;
ssl_verify_depth 2;
ssl_client_certificate /home/user/confs/rootca.crt;
ssl_crl /home/user/confs/intermediateca.crl;
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /home/user/confs/rootca.crt;
}
其中是和(服务器位于文件顶部)server_chain.pem的连接。server.crtintermediateca.crt
ssl_client_certificate并且ssl_trusted_certificate相互排斥。更多信息这里。
ssl_crl假设intermediateca.crl这个中级 CA 正在颁发客户端证书。