nginx配置ssl双向验证的方法

1、安装nginx略

//www.iis7.com/article/49479.htm

2、使用openssl实现证书中心
由于是使用openssl架设私有证书中心，因此要保证以下字段在证书中心的证书、服务端证书、客户端证书中都相同
Country Name
State or Province Name
Locality Name
Organization Name
Organizational Unit Name

编辑证书中心配置文件
vim /etc/pki/tls/openssl.cnf

[ CA_default ]
dir             = /etc/pki/CA
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                       # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.
certificate     = $dir/cacert.pem       # The CA certificate
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file

[ req_distinguished_name ]
countryName                     = Country Name(2 letter code)
countryName_default             = CN
countryName_min                 = 2
countryName_max                 = 2
stateOrProvinceName             = State or Province Name (full name)
stateOrProvinceName_default     = FJ
localityName                    = Locality Name (eg, city)
localityName_default            = FZ
0.organizationName              = Organization Name (eg, company)
0.organizationName_default      = zdz