This section describes how to enable client certificate authentication on NSX Advanced Load Balancer. When client certificate authentication is enabled, NSX Advanced Load Balancer validates the SSL certificate presented by the client against the trusted certificate authorities and the configured client revocation lists (CRLs).
Generate Keys and Certificates
To create the key and certificate directory, perform the following steps:
1. Log in to the NSX Advanced Load Balancer CLI.
2. Use the mkdir command to create a directory in which to store the keys and certificates required for client authentication.
3. Use the cd command to change to that directory.
$ mkdir client-cert-auth-demo
$ cd client-cert-auth-demo
[client-cert-auth-demo] $
To generate the certificate authority (CA) key, use the openssl genrsa -out CA.key 2048 command, which creates a 2048-bit RSA key; then generate a self-signed CA certificate from that key, as shown below.
[client-cert-auth-demo] $ openssl genrsa -out CA.key 2048
Generating RSA private key, 2048 bit long modulus
......................................................................+++
e is 65537 (0x10001)

Generate self-signed CA Cert:
[client-cert-auth-demo] $ openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:demo.avi.com
Email Address []:
Note:
Leave the email address blank.
To generate the client certificate signing request, perform the following steps:
1. Use the openssl genrsa -out client.key 2048 command to generate client.key.
2. Use the openssl req -new -key client.key -out client.csr command to create the client CSR. Enter all the requested details at the prompts.
Note:
The Common Name must match the hostname or FQDN of the client machine.
Leave the email address, challenge password, and optional company name blank.
Generate client CSR:
[client-cert-auth-demo] $ openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:US
State or Province Name (full name) []:California
Locality Name (eg, city) [Default City]:Santa Clara
Organization Name (eg, company) [Default Company Ltd]:Avi Networks
Organizational Unit Name (eg, section) []:Engineering
Common Name (eg, your name or your server's hostname) []:client.avi.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
To create the signed client certificate, sign the CSR with the CA key and certificate using the following OpenSSL command:
[client-cert-auth-demo] $ openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial -out client.pem -days 1024 -sha256
Signature ok
subject=/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com
Getting CA Private Key
To convert the client key from PEM to PKCS12 (PFX), use the following OpenSSL command, which bundles the client key, the client certificate, and the CA certificate into one file. Enter an export password when prompted.
[client-cert-auth-demo] $ openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem -certfile CA.pem
Enter Export Password:
Verifying - Enter Export Password:
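The whole procedure above, run non-interactively end to end, as an added example that is not part of the original documentation or of the NSX Advanced Load Balancer product: it creates the CA key and certificate, the client key and CSR, signs the client certificate, bundles it into a PFX, and then checks the result the way a verifier enforcing client certificate authentication does, namely that the client certificate chains to the trusted CA and that a certificate issued by a different CA is rejected. The subject fields copy the interactive answers shown above; the scratch directories and the export password demo-export-pass are constructed placeholders, and the functions build_client_cert_chain, verify_client_cert and client_cert_cn are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the NSX Advanced Load Balancer documentation).
# Requires the openssl command-line tool.
set -eu

# build_client_cert_chain DIR
# Creates CA.key, CA.pem, client.key, client.csr, client.pem and client.pfx
# in DIR, with the same subjects the interactive session above entered.
build_client_cert_chain() {
    mkdir -p "$1"
    (
        cd "$1"
        # 1. CA private key (2048-bit RSA) and self-signed CA certificate
        openssl genrsa -out CA.key 2048 2>/dev/null
        openssl req -x509 -new -nodes -key CA.key -sha256 -days 1024 -out CA.pem \
            -subj "/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=demo.avi.com"
        # 2. Client private key and CSR; the CN is the client host's FQDN
        openssl genrsa -out client.key 2048 2>/dev/null
        openssl req -new -key client.key -out client.csr \
            -subj "/C=US/ST=California/L=Santa Clara/O=Avi Networks/OU=Engineering/CN=client.avi.com"
        # 3. Sign the CSR with the CA key and certificate
        openssl x509 -req -in client.csr -CA CA.pem -CAkey CA.key -CAcreateserial \
            -out client.pem -days 1024 -sha256 2>/dev/null
        # 4. Bundle key, certificate and CA certificate into a PKCS12 file;
        #    "demo-export-pass" is a constructed placeholder password
        openssl pkcs12 -export -out client.pfx -inkey client.key -in client.pem \
            -certfile CA.pem -passout pass:demo-export-pass
    )
}

# verify_client_cert CAFILE CERT
# Prints "ok" and returns 0 when CERT chains to the CA in CAFILE, which is
# the check a load balancer performs on a presented client certificate;
# prints "fail" and returns 1 otherwise.
verify_client_cert() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
        return 0
    fi
    echo fail
    return 1
}

# client_cert_cn CERT
# Prints the Common Name from the certificate subject (works with both the
# "subject= /C=..." and the "subject=C = ..., CN = ..." output formats).
client_cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Usage: build two independent chains and show that a client certificate
# is accepted by its own CA and rejected by another CA.
WORK_A=$(mktemp -d)
WORK_B=$(mktemp -d)
build_client_cert_chain "$WORK_A"
build_client_cert_chain "$WORK_B"
echo "client CN: $(client_cert_cn "$WORK_A/client.pem")"
verify_client_cert "$WORK_A/CA.pem" "$WORK_A/client.pem" || true
verify_client_cert "$WORK_B/CA.pem" "$WORK_A/client.pem" || true
rm -rf "$WORK_A" "$WORK_B"
```

The verification step is the point a practitioner should take from the procedure: the load balancer does not trust client.pem because it looks valid on its own, but because it chains to a CA in its trusted list, so the same certificate presented to a service that trusts a different CA is refused.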