Configuring Mutual Authentication with NGINX

Last updated: 2020-05-14 18:41:37

    Configuration Process for Nginx HTTPS Mutual Authentication

    This document uses the third-party developer domain name http://www.example.com as an example. The following two cases may arise:

    • The third-party developer already has a certificate issued by an authoritative third party.

      • The developer prepares the certificate www.example.com.crt issued by the authoritative third party for www.example.com, together with the private key www.example.com.key assigned by that party. Note that the certificate must be issued by an authoritative third party, such as Topway or GlobalSign.
      • IM provides the developer backend with a CA certificate TencentQQAuthCA.crt, which is used to verify the certificate of the requesting party (IM).
      • Configure by referring to the Reference for Nginx HTTPS Mutual Authentication Configuration below.
    • The third-party developer sends an application to IM, requesting IM to issue a certificate for its domain name.

      • The developer configures the callback URL, such as www.example.com, in the console.
      • IM issues the certificate www.example.com.crt and assigns the private key www.example.com.key to the developer with the domain name www.example.com. The developer can download the certificate from the console.
      • IM provides the developer backend with a CA certificate TencentQQAuthCA.crt, which is used to verify the certificate of the requesting party (IM).
      • Perform configuration by referring to the Reference for Nginx HTTPS Mutual Authentication Configuration below.

    Reference for Nginx HTTPS Mutual Authentication Configuration

    1. Copy www.example.com.crt, www.example.com.key, and TencentQQAuthCA.crt to the conf folder under the Nginx installation directory.
    2. Modify the nginx.conf file. The reference configuration is as follows:
      server {
          listen 443 ssl;
          # Protocol versions accepted; TLSv1 and TLSv1.1 are deprecated (RFC 8996)
          ssl_protocols          TLSv1 TLSv1.1;
          server_name            www.example.com;     # Domain name
          ssl_certificate        www.example.com.crt; # Certificate for the domain (from the authoritative third party or issued by IM)
          ssl_certificate_key    www.example.com.key; # Private key paired with the certificate
          ssl_verify_client      on;                  # Verify the request source: a client certificate is required
          ssl_client_certificate TencentQQAuthCA.crt; # CA certificate provided by IM, used to verify the certificate of the requesting party (IM)
          location / {
              root   html;
              index  index.html index.htm;
          }
      }
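
A variant of the reference configuration, added here as an example and not part of the original documentation or of IM's own configuration: it uses the same three files, logs the result of client-certificate verification so that rejected callbacks are visible, and requires the IM certificate only on the callback path. The log format name `mtls`, the log file, the `/imcallback` path, the backend address and the extra TLSv1.2 entry are assumptions.

```nginx
# Added example. The log_format line belongs in the http { } block of nginx.conf.
# $ssl_client_verify is SUCCESS, FAILED:<reason>, or NONE (no certificate sent).
log_format mtls '$remote_addr [$time_local] "$request" $status '
                'verify=$ssl_client_verify subject="$ssl_client_s_dn" '
                'proto=$ssl_protocol';

server {
    listen 443 ssl;
    server_name            www.example.com;

    # Reference versions plus TLSv1.2 (assumption: the caller can negotiate it).
    ssl_protocols          TLSv1 TLSv1.1 TLSv1.2;

    ssl_certificate        www.example.com.crt;
    ssl_certificate_key    www.example.com.key;

    # "optional" asks for a client certificate without requiring one:
    #   - no certificate sent: the request continues with verify=NONE
    #   - certificate that does not chain to the CA file: nginx answers 400
    ssl_verify_client      optional;
    ssl_client_certificate TencentQQAuthCA.crt;

    # Assumed log file; one line per request, including rejected ones.
    access_log logs/im_callback_mtls.log mtls;

    # Hypothetical callback path: only requests whose certificate was
    # verified against TencentQQAuthCA.crt are passed on.
    location /imcallback {
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_pass http://127.0.0.1:8080;   # assumed application backend
    }

    # Other paths on this host do not need a client certificate.
    location / {
        root   html;
        index  index.html index.htm;
    }
}
```

Run `nginx -t` after editing to check the syntax before reloading. Lines in the log with `verify=NONE` or `verify=FAILED:...` on the callback path are requests that did not come from a holder of a certificate issued under TencentQQAuthCA.crt.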
