By default the ssl module is not built into nginx; to use it, pass --with-http_ssl_module to ./configure when compiling (check an existing binary with nginx -V, which lists the configure arguments). The module depends on the OpenSSL library and its header files, and the headers are usually packaged separately from the library itself: the development package is typically named libssl-dev (Debian/Ubuntu) or openssl-devel (RHEL/CentOS).
1. Create the private key
openssl genrsa -des3 -out niubiyuming.key 2048
-des3 encrypts the key under a passphrase that you are prompted for; it is stripped again in step 3. The original used 1024 bits, which public CAs and current browsers reject for RSA, so use at least 2048.
2. Create the certificate signing request (CSR):
openssl req -new -key niubiyuming.key -out niubiyuming.csr
The fields you are prompted for are explained in step 6. The CSR carries only the public key and the subject; the .key file never leaves the server.
3. Create the key file nginx will use
cp niubiyuming.key niubiyuming.key.org
openssl rsa -in niubiyuming.key.org -out niubiyuming.key
This removes the passphrase: nginx reads the key when it starts and cannot prompt for one. Keep the encrypted copy (.key.org) somewhere safe and make the plaintext key readable only by root (mode 600). Note that the certificate file niubiyuming.crt referenced in step 4 is not produced by these three steps: for a test setup, self-sign the CSR with the same key (openssl x509 -req -signkey); for a real site, submit the CSR to a CA as in step 7 and install the certificate it returns.
4. Configure nginx
server {
    listen 80;
    server_name _;
    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/default;
    index index.html index.htm index.jsp;
    # The original wrote "location ~ {", a regex location with an empty
    # pattern, which matches every URI; "location /" says the same thing plainly.
    location / {
        proxy_pass http://127.0.0.1:8080;
        include proxy.conf;
    }
}
server {
    # "ssl on;" was deprecated in nginx 1.15.0 and later removed; the ssl
    # parameter of listen is the supported form.
    listen 443 ssl;
    server_name www.xxxx.com;
    # The key must be unencrypted (step 3) or nginx cannot start unattended.
    # Only the master process, running as root, reads it; keep it mode 0600.
    ssl_certificate /data/zs/nginx/niubiyuming.crt;
    ssl_certificate_key /data/zs/nginx/niubiyuming.key;
    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/default;
    index index.html index.htm index.jsp;
    location / {
        proxy_pass http://127.0.0.1:8080;
        include proxy.conf;
    }
}
With this config the port 80 server still proxies the application in plaintext, so nothing forces clients onto HTTPS; the TLS listener only adds an option.
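The same pair of server blocks written the way a practitioner would deploy them, as an added example rather than the page's own config: the plaintext listener only redirects, the TLS listener pins the protocol versions and sends HSTS. Paths and the hostname are the page's; everything else (the redirect target, the TLS settings, the X-Forwarded-Proto header) is a choice made here, not something the original describes.

```nginx
# Added example, not the original page's config: HTTPS-only variant of step 4.
server {
    listen 80;
    server_name www.xxxx.com;
    # Never proxy application traffic over plaintext; send every request to
    # HTTPS. The hostname is written literally rather than taken from $host so a
    # forged Host header cannot turn this into an open redirect.
    return 301 https://www.xxxx.com$request_uri;
}

server {
    listen 443 ssl;
    server_name www.xxxx.com;

    # Server certificate first, then any intermediate certificates the CA
    # supplied, concatenated into this one file. The key has no passphrase
    # (step 3); the alternative is ssl_password_file.
    ssl_certificate     /data/zs/nginx/niubiyuming.crt;
    ssl_certificate_key /data/zs/nginx/niubiyuming.key;

    # TLS 1.0/1.1 and SSLv3 are disabled; with TLS 1.2+ the client's order of
    # modern ciphers is fine, so the server does not override it.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:10m;

    # Only enable HSTS once every host under the name is confirmed to serve
    # HTTPS; browsers will refuse plaintext for max-age seconds afterwards.
    add_header Strict-Transport-Security "max-age=63072000" always;

    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/default;
    index index.html index.htm index.jsp;

    location / {
        proxy_pass http://127.0.0.1:8080;
        include proxy.conf;
        # Tell the backend the original scheme so it generates https:// links
        # and marks its session cookies Secure.
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Reload with nginx -t followed by nginx -s reload; -t catches a key/certificate mismatch before the running instance is touched.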
5. Test access:
https://www.xxxx.com
http://www.xxxx.com
With a self-signed certificate the browser warns that the issuer is untrusted. That is expected in a test setup, but the warning is indistinguishable from an interception attempt, so never ask users to click through it on a production site. To see exactly which certificate and chain nginx serves, connect with openssl s_client, passing -servername so the right server block answers.
6. Certificate request fields (the prompts from step 2)
Country Name (2 letter code) [XX]:CN  # two-letter country code
State or Province Name (full name) []:zhejiang  # province
Locality Name (eg, city) [Default City]:hangzhou  # city
Organization Name (eg, company) [Default Company Ltd]: niubiyuming  # organization
Organizational Unit Name (eg, section) []:IT  # department
Common Name (eg, your name or your server's hostname) []:www.xxxx.com  # the exact hostname clients will connect to; this is not free text. Browsers now ignore the CN and check the subjectAltName, so the hostname must also be present as a SAN (add it to the CSR with -addext or request it from the CA)
Email Address []:jinda@51nbapi.com  # contact address; it ends up in the CSR, so use a role mailbox
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:  # press Enter to leave it empty; this is a legacy CSR attribute some CAs once used to authorize revocation requests, not the key passphrase
An optional company name []:  # press Enter
The last two lines of the original transcript are not printed by openssl req; they come from openssl ca when the CSR is signed by a locally run CA, a step the page does not otherwise show. The passphrase requested is the one protecting the CA's own key:
Using configuration from /etc/pki/tls/openssl.cnf  # the CA's OpenSSL configuration (CentOS/RHEL path); the answers above are read from the CSR, not written into this file
Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456  # passphrase chosen when the CA key was created; a six-digit one like this is far too weak for a CA key
7. Third-party (CA-issued) certificates:
Tools: https://csr.chinassl.net/keytool-commands.html
https://www.startssl.com/ (StartCom has since ceased operation and its roots were removed from the major browser trust stores; use a currently trusted CA)
openssl req -newkey rsa:2048 -keyout yourname.key -out yourname.csr  # new key and CSR in one step; prompts for a key passphrase
openssl req -new -key yourname.key -out <third-party-certificate-name>.csr  # or a CSR for an existing key
cp yourname.key yourname.key.org
openssl rsa -in yourname.key.org -out yourname.key  # strip the passphrase for nginx, as in step 3
Send the CA only the .csr, never the .key. The CA returns the server certificate and usually one or more intermediate certificates; nginx needs them in a single ssl_certificate file, server certificate first, then the intermediates in order.
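Steps 1 to 3 and 7 are the same openssl sequence, and step 6 is the interactive half of it. The script below, an added example and not part of the original page, runs that sequence non-interactively with the subject answers from step 6 on the command line, adds the self-signed certificate the page's nginx config needs but never generates, and finishes with the checks to run before handing the files to nginx. The "changeit" passphrase, the hostname, the 2048-bit size and the temporary directory are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not from the original page: key -> CSR -> certificate for
# steps 1-3/6/7, plus the pre-deployment checks. All names are placeholders.
set -eu

# Step 1, with the key encrypted under a passphrase. The page used -des3 and
# 1024 bits; AES-256 and 2048 bits are the current minimum.
gen_encrypted_key() {
    # $1 output file, $2 passphrase, $3 modulus bits
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" "$3" 2>/dev/null
}

# Step 3: nginx cannot prompt for a passphrase at startup, so it gets an
# unencrypted copy readable only by its owner.
strip_passphrase() {
    # $1 encrypted key, $2 passphrase, $3 plaintext output
    openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null
    chmod 600 "$3"
}

# Step 2 with the step 6 answers supplied on the command line. The CN alone no
# longer satisfies browsers, so the hostname also goes into a subjectAltName
# (-addext needs OpenSSL 1.1.1 or newer).
make_csr() {
    # $1 key, $2 hostname, $3 CSR output
    openssl req -new -key "$1" -out "$3" \
        -subj "/C=CN/ST=zhejiang/L=hangzhou/O=niubiyuming/OU=IT/CN=$2" \
        -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# The step the page omits: a self-signed certificate for testing. A real site
# sends the CSR to a CA instead (step 7). x509 -req does not copy the CSR's
# extensions, so the SAN is supplied again through -extfile.
self_sign() {
    # $1 CSR, $2 key, $3 hostname, $4 certificate output, $5 validity in days
    ext="$(mktemp)"
    printf 'subjectAltName=DNS:%s\n' "$3" > "$ext"
    openssl x509 -req -days "$5" -in "$1" -signkey "$2" \
        -extfile "$ext" -out "$4" 2>/dev/null
    rm -f "$ext"
}

# RSA modulus length in bits, derived from the hex modulus openssl prints.
key_bits() {
    mod="$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)"
    hex="${mod#Modulus=}"
    echo $(( ${#hex} * 4 ))
}

# True if the PEM file still carries a passphrase: matches both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY" label.
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# A key that does not belong to the certificate is the usual reason nginx
# refuses to start ("key values mismatch"); compare the moduli first.
key_matches_cert() {
    # $1 key, $2 certificate
    k="$(openssl rsa -in "$1" -noout -modulus 2>/dev/null)"
    c="$(openssl x509 -in "$2" -noout -modulus 2>/dev/null)"
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Runs the whole sequence into directory $1 for hostname $2.
build_test_pki() {
    pass="changeit"   # placeholder; in practice prompt for it or use a secret store
    gen_encrypted_key "$1/server.key.org" "$pass" 2048
    strip_passphrase "$1/server.key.org" "$pass" "$1/server.key"
    make_csr "$1/server.key" "$2" "$1/server.csr"
    # Refuse a CSR whose self-signature does not verify before sending it anywhere.
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
    self_sign "$1/server.csr" "$1/server.key" "$2" "$1/server.crt" 365
}

if [ "${1:-}" = "run" ]; then
    dir="$(mktemp -d)"
    build_test_pki "$dir" www.xxxx.com
    echo "key size: $(key_bits "$dir/server.key") bits"
    key_matches_cert "$dir/server.key" "$dir/server.crt" && echo "key and certificate match"
    openssl x509 -in "$dir/server.crt" -noout -subject -dates
    echo "files written to $dir"
fi
```

Run it as sh script.sh run; server.key is what goes into ssl_certificate_key, server.key.org is the encrypted copy to keep off the web server, and server.csr is the only file a CA ever needs to see.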
8. Third-party certificates, second method (Java keystore):
1) Generate the keystore: keytool -genkey -alias www.XXX.com -keyalg RSA -keystore XXX.keystore -keysize 2048  (-genkeypair is the current name of this command)
2) Generate the CSR: keytool -certreq -keyalg RSA -alias www.XXX.com -file XXXcertreq.csr -keystore XXX.keystore
Submit the CSR to the CA and receive the certificate.
3) Export the private key: java ExportPriv XXX.keystore www.XXX.com <password>
This prints the key as PEM (PKCS#8, "BEGIN PRIVATE KEY"); save the output as XXX.key. Two cautions: a password given on the command line is visible to other users in the process list and stays in the shell history, and the key itself goes to stdout, so redirect it straight into a file with mode 600 instead of copying it from the terminal.
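The key can also be taken out of the keystore with the tools already on the box, which is what most operators do instead of compiling a helper class. The script below is an added example, not part of the page: it performs steps 8.1 and 8.2 non-interactively, then replaces step 8.3 by converting the entry to PKCS#12 with keytool and unpacking it with openssl, and verifies that the exported key belongs to the stored certificate. The alias, hostname, "changeit" password and subject are placeholders, and a self-signed key pair is generated only so the script runs stand-alone; with a real keystore only export_key_from_keystore is needed.

```shell
#!/bin/sh
# Added example, not from the original page: Java keystore flow of step 8
# with the private key exported via PKCS#12 instead of ExportPriv.
set -eu

# Step 8.1 without prompts: -dname supplies the subject; the key password is
# left equal to the store password, which is keytool's default.
make_keystore() {
    # $1 keystore, $2 alias (use the hostname), $3 password
    keytool -genkeypair -alias "$2" -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=$2,OU=IT,O=niubiyuming,L=hangzhou,ST=zhejiang,C=CN" \
        -keystore "$1" -storetype JKS -storepass "$3" -keypass "$3" >/dev/null 2>&1
}

# Step 8.2: the CSR is the only artefact that goes to the CA.
make_csr_from_keystore() {
    # $1 keystore, $2 alias, $3 password, $4 CSR output
    keytool -certreq -alias "$2" -file "$4" \
        -keystore "$1" -storepass "$3" >/dev/null 2>&1
}

# Step 8.3 without ExportPriv. keytool will not print a private key, but it
# converts the entry to PKCS#12, which openssl unpacks. Older JDKs wrap
# PKCS#12 in RC2/3DES, which OpenSSL 3 reads only with its legacy provider,
# hence the second attempt.
export_key_from_keystore() {
    # $1 keystore, $2 alias, $3 password, $4 key output (PEM, PKCS#8)
    p12="$4.p12"
    raw="$4.raw"
    keytool -importkeystore -srckeystore "$1" -srcstorepass "$3" -srcalias "$2" \
        -destkeystore "$p12" -deststoretype PKCS12 -deststorepass "$3" \
        -noprompt >/dev/null 2>&1
    openssl pkcs12 -in "$p12" -passin "pass:$3" -nocerts -nodes -out "$raw" 2>/dev/null \
        || openssl pkcs12 -legacy -in "$p12" -passin "pass:$3" -nocerts -nodes -out "$raw" 2>/dev/null
    # pkcs12 prefixes "Bag Attributes" lines; pkey rewrites just the key block.
    openssl pkey -in "$raw" -out "$4" 2>/dev/null
    rm -f "$p12" "$raw"
    chmod 600 "$4"
}

# SubjectPublicKeyInfo from the certificate stored under the alias...
cert_pubkey() {
    # $1 keystore, $2 alias, $3 password
    keytool -exportcert -alias "$2" -keystore "$1" -storepass "$3" -rfc 2>/dev/null \
        | openssl x509 -noout -pubkey
}

# ...and from the exported private key. They must be byte-for-byte equal;
# unlike a modulus comparison this also works for EC keys.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

exported_key_matches() {
    # $1 keystore, $2 alias, $3 password, $4 exported key
    [ "$(key_pubkey "$4")" = "$(cert_pubkey "$1" "$2" "$3")" ]
}

if [ "${1:-}" = "run" ]; then
    dir="$(mktemp -d)"
    make_keystore "$dir/XXX.keystore" www.XXX.com changeit
    make_csr_from_keystore "$dir/XXX.keystore" www.XXX.com changeit "$dir/XXXcertreq.csr"
    export_key_from_keystore "$dir/XXX.keystore" www.XXX.com changeit "$dir/XXX.key"
    exported_key_matches "$dir/XXX.keystore" www.XXX.com changeit "$dir/XXX.key" \
        && echo "exported key matches the certificate for www.XXX.com"
    echo "CSR and key written to $dir"
fi
```

Passing the password with -storepass has the same process-list exposure as ExportPriv's third argument; keytool prompts for it when the option is omitted, which is preferable on shared hosts.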
9. Java ExportPriv (source of the tool used in step 8.3; compile both files together with javac Base64Coder.java ExportPriv.java. On Java 8 and later java.util.Base64 provides the same encoding, so only ExportPriv itself is strictly needed.)
Base64Coder class
// Copyright 2003-2010 Christian d'Heureuse, Inventec Informatik AG, Zurich, Switzerland
// www.source-code.biz, www.inventec.ch/chdh
//
// This module is multi-licensed and may be used under the terms
// of any of the following licenses:
//
// EPL, Eclipse Public License, V1.0 or later, http://www.eclipse.org/legal
// LGPL, GNU Lesser General Public License, V2.1 or later, http://www.gnu.org/licenses/lgpl.html
// GPL, GNU General Public License, V2 or later, http://www.gnu.org/licenses/gpl.html
// AL, Apache License, V2.0 or later, http://www.apache.org/licenses
// BSD, BSD License, http://www.opensource.org/licenses/bsd-license.php
// MIT, MIT License, http://www.opensource.org/licenses/MIT
//
// Please contact the author if you need another license.
// This module is provided "as is", without warranties of any kind.
//package base64Coder;
/**
* A Base64 encoder/decoder.
*
* <p>
* This class is used to encode and decode data in Base64 format as described in RFC 1521.
*
* <p>
* Project home page: <a href="http://www.source-code.biz/base64coder/java/">www.source-code.biz/base64coder/java</a><br>
* Author: Christian d'Heureuse, Inventec Informatik AG, Zurich, Switzerland<br>
* Multi-licensed: EPL / LGPL / GPL / AL / BSD / MIT.
*/
public class Base64Coder {
// The line separator string of the operating system.
private static final String systemLineSeparator = System.getProperty("line.separator");
// Mapping table from 6-bit nibbles to Base64 characters.
private static final char[] map1 = new char[64];
static {
int i=0;
for (char c='A'; c<='Z'; c++) map1[i++] = c;
for (char c='a'; c<='z'; c++) map1[i++] = c;
for (char c='0'; c<='9'; c++) map1[i++] = c;
map1[i++] = '+'; map1[i++] = '/'; }
// Mapping table from Base64 characters to 6-bit nibbles.
private static final byte[] map2 = new byte[128];
static {
for (int i=0; i<map2.length; i++) map2[i] = -1;
for (int i=0; i<64; i++) map2[map1[i]] = (byte)i; }
/**
* Encodes a string into Base64 format.
* No blanks or line breaks are inserted.
* @param s A String to be encoded.
* @return A String containing the Base64 encoded data.
*/
public static String encodeString (String s) {
return new String(encode(s.getBytes())); }
/**
* Encodes a byte array into Base 64 format and breaks the output into lines of 76 characters.
* This method is compatible with <code>sun.misc.BASE64Encoder.encodeBuffer(byte[])</code>.
* @param in An array containing the data bytes to be encoded.
* @return A String containing the Base64 encoded data, broken into lines.
*/
public static String encodeLines (byte[] in) {
return encodeLines(in, 0, in.length, 76, systemLineSeparator); }
/**
* Encodes a byte array into Base 64 format and breaks the output into lines.
* @param in An array containing the data bytes to be encoded.
* @param iOff Offset of the first byte in <code>in</code> to be processed.
* @param iLen Number of bytes to be processed in <code>in</code>, starting at <code>iOff</code>.
* @param lineLen Line length for the output data. Should be a multiple of 4.
* @param lineSeparator The line separator to be used to separate the output lines.
* @return A String containing the Base64 encoded data, broken into lines.
*/
public static String encodeLines (byte[] in, int iOff, int iLen, int lineLen, String lineSeparator) {
int blockLen = (lineLen*3) / 4;
if (blockLen <= 0) throw new IllegalArgumentException();
int lines = (iLen+blockLen-1) / blockLen;
int bufLen = ((iLen+2)/3)*4 + lines*lineSeparator.length();
StringBuilder buf = new StringBuilder(bufLen);
int ip = 0;
while (ip < iLen) {
int l = Math.min(iLen-ip, blockLen);
buf.append (encode(in, iOff+ip, l));
buf.append (lineSeparator);
ip += l; }
return buf.toString(); }
/**
* Encodes a byte array into Base64 format.
* No blanks or line breaks are inserted in the output.
* @param in An array containing the data bytes to be encoded.
* @return A character array containing the Base64 encoded data.
*/
public static char[] encode (byte[] in) {
return encode(in, 0, in.length); }
/**
* Encodes a byte array into Base64 format.
* No blanks or line breaks are inserted in the output.
* @param in An array containing the data bytes to be encoded.
* @param iLen Number of bytes to process in <code>in</code>.
* @return A character array containing the Base64 encoded data.
*/
public static char[] encode (byte[] in, int iLen) {
return encode(in, 0, iLen); }
/**
* Encodes a byte array into Base64 format.
* No blanks or line breaks are inserted in the output.
* @param in An array containing the data bytes to be encoded.
* @param iOff Offset of the first byte in <code>in</code> to be processed.
* @param iLen Number of bytes to process in <code>in</code>, starting at <code>iOff</code>.
* @return A character array containing the Base64 encoded data.
*/
public static char[] encode (byte[] in, int iOff, int iLen) {
int oDataLen = (iLen*4+2)/3; // output length without padding
int oLen = ((iLen+2)/3)*4; // output length including padding
char[] out = new char[oLen];
int ip = iOff;
int iEnd = iOff + iLen;
int op = 0;
while (ip < iEnd) {
int i0 = in[ip++] & 0xff;
int i1 = ip < iEnd ? in[ip++] & 0xff : 0;
int i2 = ip < iEnd ? in[ip++] & 0xff : 0;
int o0 = i0 >>> 2;
int o1 = ((i0 & 3) << 4) | (i1 >>> 4);
int o2 = ((i1 & 0xf) << 2) | (i2 >>> 6);
int o3 = i2 & 0x3F;
out[op++] = map1[o0];
out[op++] = map1[o1];
out[op] = op < oDataLen ? map1[o2] : '='; op++;
out[op] = op < oDataLen ? map1[o3] : '='; op++; }
return out; }
/**
* Decodes a string from Base64 format.
* No blanks or line breaks are allowed within the Base64 encoded input data.
* @param s A Base64 String to be decoded.
* @return A String containing the decoded data.
* @throws IllegalArgumentException If the input is not valid Base64 encoded data.
*/
public static String decodeString (String s) {
return new String(decode(s)); }
/**
* Decodes a byte array from Base64 format and ignores line separators, tabs and blanks.
* CR, LF, Tab and Space characters are ignored in the input data.
* This method is compatible with <code>sun.misc.BASE64Decoder.decodeBuffer(String)</code>.
* @param s A Base64 String to be decoded.
* @return An array containing the decoded data bytes.
* @throws IllegalArgumentException If the input is not valid Base64 encoded data.
*/
public static byte[] decodeLines (String s) {
char[] buf = new char[s.length()];
int p = 0;
for (int ip = 0; ip < s.length(); ip++) {
char c = s.charAt(ip);
if (c != ' ' && c != '\r' && c != '\n' && c != '\t')
buf[p++] = c; }
return decode(buf, 0, p); }
/**
* Decodes a byte array from Base64 format.
* No blanks or line breaks are allowed within the Base64 encoded input data.
* @param s A Base64 String to be decoded.
* @return An array containing the decoded data bytes.
* @throws IllegalArgumentException If the input is not valid Base64 encoded data.
*/
public static byte[] decode (String s) {
return decode(s.toCharArray()); }
/**
* Decodes a byte array from Base64 format.
* No blanks or line breaks are allowed within the Base64 encoded input data.
* @param in A character array containing the Base64 encoded data.
* @return An array containing the decoded data bytes.
* @throws IllegalArgumentException If the input is not valid Base64 encoded data.
*/
public static byte[] decode (char[] in) {
return decode(in, 0, in.length); }
/**
* Decodes a byte array from Base64 format.
* No blanks or line breaks are allowed within the Base64 encoded input data.
* @param in A character array containing the Base64 encoded data.
* @param iOff Offset of the first character in <code>in</code> to be processed.
* @param iLen Number of characters to process in <code>in</code>, starting at <code>iOff</code>.
* @return An array containing the decoded data bytes.
* @throws IllegalArgumentException If the input is not valid Base64 encoded data.
*/
public static byte[] decode (char[] in, int iOff, int iLen) {
if (iLen%4 != 0) throw new IllegalArgumentException ("Length of Base64 encoded input string is not a multiple of 4.");
while (iLen > 0 && in[iOff+iLen-1] == '=') iLen--;
int oLen = (iLen*3) / 4;
byte[] out = new byte[oLen];
int ip = iOff;
int iEnd = iOff + iLen;
int op = 0;
while (ip < iEnd) {
int i0 = in[ip++];
int i1 = in[ip++];
int i2 = ip < iEnd ? in[ip++] : 'A';
int i3 = ip < iEnd ? in[ip++] : 'A';
if (i0 > 127 || i1 > 127 || i2 > 127 || i3 > 127)
throw new IllegalArgumentException ("Illegal character in Base64 encoded data.");
int b0 = map2[i0];
int b1 = map2[i1];
int b2 = map2[i2];
int b3 = map2[i3];
if (b0 < 0 || b1 < 0 || b2 < 0 || b3 < 0)
throw new IllegalArgumentException ("Illegal character in Base64 encoded data.");
int o0 = ( b0 <<2) | (b1>>>4);
int o1 = ((b1 & 0xf)<<4) | (b2>>>2);
int o2 = ((b2 & 3)<<6) | b3;
out[op++] = (byte)o0;
if (op<oLen) out[op++] = (byte)o1;
if (op<oLen) out[op++] = (byte)o2; }
return out; }
// Dummy constructor.
private Base64Coder() {}
} // end class Base64Coder
ExportPriv Class:
// How to export the private key from keystore?
// Does keytool not have an option to do so?
// This example use the "testkeys" file that comes with JSSE 1.0.3
// Alexey Zilber: Ported to work with Base64Coder: http://www.source-code.biz/snippets/java/2.htm
// $Id: ExportPriv.java 10 2011-09-30 17:28:32Z mark@g.foster.cc $
// $URL: https://java-exportpriv.googlecode.com/svn/trunk/ExportPriv.java $
import java.security.cert.Certificate;
import java.security.*;
import java.io.Console;
import java.io.File;
import java.io.FileInputStream;
import java.util.Vector;

class ExportPriv {
    public static void main(String args[]) throws Exception {
        // The original required three arguments but only checked for two, so a
        // missing password failed with ArrayIndexOutOfBoundsException instead of
        // the usage message. The password is now optional on the command line:
        // given there it is visible to other users via ps and kept in the shell
        // history, so when omitted it is read from the terminal without echo.
        if (args.length < 2) {
            System.err.println("Usage: java ExportPriv <keystore> <alias> [password]");
            System.exit(1);
        }
        char[] passPhrase;
        if (args.length >= 3) {
            passPhrase = args[2].toCharArray();
        } else {
            Console console = System.console();
            if (console == null) {
                System.err.println("No terminal to read the password from; pass it as the third argument.");
                System.exit(1);
            }
            passPhrase = console.readPassword("Keystore password for %s: ", args[0]);
        }
        ExportPriv myep = new ExportPriv();
        myep.doit(args[0], args[1], passPhrase);
    }

    public void doit(String fileName, String aliasName, char[] passPhrase) throws Exception {
        // The default type is "pkcs12" on Java 9+ and "jks" before that; with the
        // default keystore.type.compat setting either file format loads.
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        File certificateFile = new File(fileName);
        try (FileInputStream in = new FileInputStream(certificateFile)) {
            ks.load(in, passPhrase);
        }
        // keytool protects the key entry with the store password unless -keypass
        // was given, so the same password is used for both.
        KeyPair kp = getPrivateKey(ks, aliasName, passPhrase);
        if (kp == null) {
            System.err.println("No private key entry for alias '" + aliasName + "' (or wrong password).");
            System.exit(2);
        }
        PrivateKey privKey = kp.getPrivate();
        // getEncoded() returns the PKCS#8 DER structure, hence the "PRIVATE KEY"
        // label rather than "RSA PRIVATE KEY"; nginx accepts either form.
        char[] b64 = Base64Coder.encode(privKey.getEncoded());
        System.out.println("-----BEGIN PRIVATE KEY-----");
        for (String subSeq : splitArray(b64, 64)) {
            System.out.println(subSeq);
        }
        System.out.println("-----END PRIVATE KEY-----");
    }

    // From http://javaalmanac.com/egs/java.security/GetKeyFromKs.html
    public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) {
        try {
            // Get private key
            Key key = keystore.getKey(alias, password);
            if (key instanceof PrivateKey) {
                // Get certificate of public key
                Certificate cert = keystore.getCertificate(alias);
                // Get public key
                PublicKey publicKey = cert.getPublicKey();
                // Return a key pair
                return new KeyPair(publicKey, (PrivateKey) key);
            }
        } catch (UnrecoverableKeyException e) {
            // The original swallowed these exceptions and returned null, which then
            // surfaced as a NullPointerException in doit(); report the cause instead.
            System.err.println("Key for alias '" + alias + "' could not be recovered: " + e.getMessage());
        } catch (NoSuchAlgorithmException e) {
            System.err.println("Unsupported key algorithm: " + e.getMessage());
        } catch (KeyStoreException e) {
            System.err.println("Keystore error: " + e.getMessage());
        }
        return null;
    }

    // Splits the Base64 text into 64-character lines, the width PEM readers expect.
    private Vector<String> splitArray(char[] chry, int subarrLen) {
        Vector<String> result = new Vector<String>();
        String input = new String(chry);
        int i = 0;
        while (i < chry.length) {
            result.add(input.substring(i, Math.min(input.length(), i + subarrLen)));
            i = i + subarrLen;
        }
        return result;
    }
}