nginx 配置
Nginx 配置使用 PEM 格式的证书
1、ssl_certificate 配置服务器证书
2、ssl_certificate_key配置服务器私钥
3、ssl_client_certificate 配置签发客户端证书的 CA 的根证书+中间证书
# HTTPS server
#
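server {
    listen 443 ssl;
    server_name localhost;

    # Server certificate (PEM). When a chain is bundled into this file, the
    # server (leaf) certificate comes first, followed by the intermediate CA;
    # the root is sent too in this setup, although clients validate against
    # their own trust store rather than the root that is sent.
    ssl_certificate /opt/homebrew/etc/nginx/certs/devops-certs/devops.pem;
    # Server private key (PEM); must correspond to the certificate above.
    ssl_certificate_key /opt/homebrew/etc/nginx/certs/devops-certs/server-pem.pem;
    # Trust anchors for client certificates: root + intermediate of the CA
    # that issued the client certificates (any certificate it issued will verify).
    ssl_client_certificate /opt/homebrew/etc/nginx/certs/devops-certs/devops-chain.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Mutual TLS: a handshake without a valid client certificate is rejected.
    ssl_verify_client on;
    # Verification depth from the client certificate up to the trusted root
    # (nginx default is 1); 3 leaves room for a client cert issued via an
    # intermediate CA.
    ssl_verify_depth 3;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
    # original TLSv1 TLSv1.1 TLSv1.2 list; only 1.2 and 1.3 are offered.
    # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # Applies to TLS 1.2 only (TLS 1.3 suites are not selected by ssl_ciphers).
    # HIGH:!aNULL:!MD5 still permits RSA key-exchange suites without forward
    # secrecy; an ECDHE-first list would be stricter if all clients support it.
    ssl_ciphers HIGH:!aNULL:!MD5;

    location / {
        root html;
        index index.html index.htm;
    }
}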
include servers/*;
}
验证
本地配置host
127.0.0.1 devops.xxx.com
证书配置泛域名和IP
[ alt_names ]
# Subject Alternative Names placed in the certificate (openssl.cnf section).
# A wildcard matches exactly one DNS label: *.xxx.com covers devops.xxx.com
# (the hosts entry used for testing) but not a.b.xxx.com, which is why the
# deeper wildcard entries DNS.3-DNS.5 are listed separately.
DNS.1 = *.xxx.com
DNS.2 = *.xxx-inc.com
DNS.3 = *.api.xxx.com
DNS.4 = *.devops.xxx-inc.com
DNS.5 = *.secure-dev.xxx-inc.com
# IP SAN must be a literal address; the value is redacted in these notes.
IP.1 = 1xx.xxx.xxx.155
# Mutual-TLS smoke test against the local nginx (devops.xxx.com resolves to
# 127.0.0.1 via the hosts entry above). --key/--cert present the client
# certificate and its private key.
# NOTE: --insecure disables verification of the SERVER certificate, so this
# command only proves that the client certificate is accepted by nginx. To
# also verify the server, replace --insecure with --cacert <server CA chain>.
curl --insecure --key /opt/homebrew/etc/nginx/certs/devops-certs/secure-server.key --cert /opt/homebrew/etc/nginx/certs/devops-certs/secure.crt -v https://devops.xxx.com
验证命令
# Mutual-TLS test against the test gateway with an explicit PEM client
# certificate (--cert-type pem) and key.
# NOTE: --insecure and --cacert are contradictory here: --insecure makes curl
# ignore any server-certificate verification failure, so the --cacert bundle
# never rejects anything. Drop --insecure once the server chain validates
# against the bundle given to --cacert.
curl --insecure --key /Users/huyanbing/Documents/工作资料/2023年/证书操作/服务器证书/国际/secure/证书/chain/server.key --cert-type pem --cacert /Users/huyanbing/Documents/工作资料/2023年/证书操作/服务器证书/国际/secure/证书/chain/client-chain-list.pem --cert /Users/huyanbing/Documents/工作资料/2023年/证书操作/服务器证书/国际/secure/证书/chain/secure.pem -v https://tsp-dmn-gw-test01.api.deepway.com/dispatcher/iov-hub/v1/ip
# HTTPS server
#
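server {
    listen 443 ssl;
    server_name ota-cdn.deepway.com tsp-dmn-gw-test01.api.deepway.com;

    # Server certificate chain (PEM): server certificate first, then the
    # intermediate CA, then the root (see ota-cdn-sign-chain-list.pem notes).
    ssl_certificate /opt/homebrew/etc/nginx/certs/ota-cdn/ota-cdn-sign-chain-list.pem;
    # Server private key (PEM); must correspond to the certificate above.
    ssl_certificate_key /opt/homebrew/etc/nginx/certs/ota-cdn/server.pem;
    # Trust anchors for client certificates: root + intermediate of the CA
    # that issued the client certificates (any certificate it issued will verify).
    ssl_client_certificate /opt/homebrew/etc/nginx/certs/ota-cdn/client-chain-list.pem;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # Mutual TLS: a handshake without a valid client certificate is rejected.
    ssl_verify_client on;
    # Verification depth from the client certificate up to the trusted root
    # (nginx default is 1); 3 leaves room for a client cert issued via an
    # intermediate CA.
    ssl_verify_depth 3;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996) and were removed from the
    # original TLSv1 TLSv1.1 TLSv1.2 list; only 1.2 and 1.3 are offered.
    # TLSv1.3 requires nginx >= 1.13.0 built against OpenSSL 1.1.1+.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    # TLS 1.2 cipher preference (TLS 1.3 suites are not selected by
    # ssl_ciphers): ECDHE/AES-GCM first, anonymous, NULL, MD5, RC4 and
    # finite-field DH(E) suites excluded.
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!DH:!DHE;

    location / {
        root html;
        index index.html index.htm;
    }
}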
include servers/*;
ota-cdn-sign-chain-list.pem 内容为：服务器证书 + 中间证书 + 根证书（按此顺序拼接）