Background on HTTPS: HTTPS相关介绍_孟孟的博客-CSDN博客
I. Generate the CA private key
1. Generate a CA private key: ca.key
mkdir /home/nginx/ssl
cd /home/nginx/ssl
openssl genrsa -out ca.key 4096
II. Generate the CA certificate
1. Generate the CA's self-signed certificate: ca.crt
openssl req -new -x509 -days 365 -key ca.key -out ca.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Team
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:Certificate Authority
Email Address []:
III. Generate the server-side certificate signing request
1. Generate the nginx private key: nginx.key
openssl genrsa -des3 -out nginx.key 4096
2. Generate the nginx certificate signing request: nginx.csr
openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:BJ
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Meng
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:IP or domain name (required)
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Note: because the server here is accessed by IP address, the Common Name is simply the IP; if it is accessed by domain name, the Common Name at this step must be that domain name.
IV. Sign the server certificate with the CA private key
1. Sign the nginx certificate with the CA private key: nginx.crt
openssl x509 -req -in nginx.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out nginx.crt -days 365
2. Create a passphrase-free copy of the RSA key; otherwise nginx prompts for the password on every reload or restart
openssl rsa -in nginx.key -out nginx_nopass.key
Files generated:
Without a CA:
1. Generate an RSA key
openssl genrsa -des3 -out nginx.key 4096
2. Generate a certificate signing request
openssl req -new -key nginx.key -out nginx.csr
(values entered at the prompts, in order: Country CN, State BJ, Locality BJ, Organization G, Organizational Unit G, Common Name 221.0.111.131)
3. Create a passphrase-free copy of the RSA key; otherwise every reload or restart prompts for the password
openssl rsa -in nginx.key -out nginx_nopass.key
4. Sign the certificate (this is self-signed for testing only; in practice the generated CSR is submitted to a certificate authority for signing)
openssl x509 -req -days 365 -in nginx.csr -signkey nginx.key -out nginx.crt
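The same CA-plus-server flow as sections I to IV, rewritten as an added, non-interactive script (example code, not from the original post): it answers the prompts with -subj, generates the server key without a passphrase so no nginx_nopass.key step is needed, and adds a subjectAltName extension via -extfile, because current browsers and curl match the host against the SAN rather than the Common Name; file names, the directory argument and the host value are assumptions.

```shell
#!/bin/sh
# Added example: CA + nginx certificate generation with a SAN, then chain verification.
set -eu

# make_certs DIR HOST  -- build ca.key/ca.crt and nginx.key/nginx.csr/nginx.crt in DIR.
# HOST is the IP or domain name the server is reached by; it becomes both CN and SAN.
make_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    # Sections I and II: CA key and self-signed CA certificate (DN given with -subj).
    openssl genrsa -out "$dir/ca.key" 4096 2>/dev/null
    openssl req -new -x509 -days 365 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/C=CN/ST=BJ/O=Team/CN=Certificate Authority"
    # Section III: server key (no -des3, so nginx never prompts for a passphrase) and CSR.
    openssl genrsa -out "$dir/nginx.key" 4096 2>/dev/null
    openssl req -new -key "$dir/nginx.key" -out "$dir/nginx.csr" \
        -subj "/C=CN/ST=BJ/O=Meng/CN=$host"
    # SAN must match how clients connect: IP:... for an address, DNS:... for a name.
    case "$host" in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    printf 'subjectAltName=%s\nextendedKeyUsage=serverAuth\n' "$san" > "$dir/nginx.ext"
    # Section IV: sign the CSR with the CA, copying the extensions from nginx.ext.
    openssl x509 -req -in "$dir/nginx.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/nginx.crt" -days 365 -extfile "$dir/nginx.ext" 2>/dev/null
}

# verify_certs DIR HOST -- check that nginx.crt chains to ca.crt and carries HOST in its
# SAN. Prints "ok" on success; returns non-zero on any failure.
verify_certs() {
    dir="$1"; host="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/nginx.crt" >/dev/null || return 1
    openssl x509 -in "$dir/nginx.crt" -noout -text | grep -q "$host" || return 1
    echo ok
}

# Usage (constructed values): make_certs ./ssl 221.0.111.131 && verify_certs ./ssl 221.0.111.131
```

The resulting nginx.crt and nginx.key drop straight into the ssl_certificate and ssl_certificate_key directives in section V.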
V. Configure nginx
server {
    listen 8600 ssl;
    server_name localhost;
    ssl_certificate /home/nginx/ssl/nginx.crt;
    ssl_certificate_key /home/nginx/ssl/nginx_nopass.key;
    #ssl_client_certificate /home/nginx/ssl/ca.crt; # mutual TLS (client certificate authentication)
    #ssl_verify_client on; # mutual TLS (client certificate authentication)
    ssl_session_timeout 10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # protocols as configured in the post; TLSv1 and TLSv1.1 are deprecated (RFC 8996), current deployments use TLSv1.2 TLSv1.3
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!3DES:!aNULL:!MD5:!ADH:!RC4; # cipher suite selection
    ssl_prefer_server_ciphers on; # during negotiation prefer the server's cipher suite order over the client browser's
    location / {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://localhost:8601;
    }
}
VI. Testing on Linux
1. Test with curl
curl --cacert ca.crt --cert nginx.crt --key nginx.key --tlsv1.2 https://IP:PORT
2. Add the CA certificate to the client's Linux trust store
cat ca.crt >> /etc/pki/tls/certs/ca-bundle.crt
Certificate error seen when accessing HTTPS from Linux without the CA being trusted:
curl: (60) Peer's Certificate issuer is not recognized.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.