基于nginx结合openssl实现https

萝らか妹 提交于 2019-11-30 02:52:02

在做之前需要将nginx建好,保证端口打开

一、检查openssl是否安装

[root@localhost ~]# rpm -qa openssl
openssl-1.0.2k-16.el7_6.1.x86_64

二、创建根证书CA

1、生成CA私钥

复制代码
[root@localhost openssl]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
..............................................................................+++
e is 65537 (0x10001)
[root@localhost openssl]# ls
local.key
复制代码

2、生成CA证书请求

复制代码
[root@localhost openssl]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:China
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:CN   //国家
State or Province Name (full name) []:beijing   //省
Locality Name (eg, city) [Default City]:beijing  //城市
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test   //部门
Common Name (eg, your name or your server's hostname) []:test   //主机名
Email Address []:test@test.com   //邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tanxiao    //密码
An optional company name []:tanxiao   //公司名
[root@localhost openssl]# ls
local.csr  local.key
复制代码

3、生成CA根证书

这个生成CA证书的命令不容易搞懂
1.通过秘钥 生成证书请求文件
2.通过证书请求文件 生成最终的证书 
 -in 使用证书请求文件生成证书,-signkey 指定私钥
req:提供生成证书的请求文件,验证证书和创建根CA
-new:表示新生成一个证书请求
-x509:直接输出证书
-key:生成证书请求时用到的私钥文件
-out:输出文件
复制代码
[root@localhost openssl]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
复制代码

三、根据CA根证书创建server根证书

1、生成server私钥

[root@localhost openssl]# openssl genrsa -out my_server.key 2048 
Generating RSA private key, 2048 bit long modulus
..+++
....................................................+++
e is 65537 (0x10001)

2、生成server证书请求

复制代码
[root@localhost openssl]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tanxiao
An optional company name []:tanxiao
[root@localhost openssl]# ls
local.crt  local.csr  local.key  my_server.csr  my_server.key
复制代码

3、生成server证书

复制代码
[root@localhost openssl]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting CA Private Key
复制代码

四、配置nginx支持SSL(在配置nginx时必须安装ssl模块)

复制代码
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.confserver {
        listen       80;

        listen       443 default  ssl;
                keepalive_timeout 100;

                   ssl_certificate      /root/local.crt;
                   ssl_certificate_key  /root/local.key;

                        ssl_session_cache    shared:SSL:10m;
                        ssl_session_timeout  10m;

                   ssl_ciphers  HIGH:!aNULL:!MD5;
                   ssl_prefer_server_ciphers  on;


        server_name  localhost;

        charset utf-8;
}
复制代码

五、测试

 

 

 

 

https://www.cnblogs.com/tanxiaojuncom/

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!