对称加密
非对称加密
HTTPS加密原理
生成证书key秘钥
root@ubuntu-128:/etc/nginx/ssl_key2# openssl genrsa -idea -out jack.key 1024
usage: genrsa [args] [numbits]
-des encrypt the generated key with DES in cbc mode
-des3 encrypt the generated key with DES in ede cbc mode (168 bit key)
-seed
encrypt PEM output with cbc seed
-aes128, -aes192, -aes256
encrypt PEM output with cbc aes
-camellia128, -camellia192, -camellia256
encrypt PEM output with cbc camellia
-out file output the key to 'file
-passout arg output file pass phrase source
-f4 use F4 (0x10001) for the E value
-3 use 3 for the E value
-engine e use engine e, possibly a hardware device.
-rand file:file:...
load the file (or the files in the directory) into
the random number generator
root@ubuntu-128:/etc/nginx/ssl_key2# openssl genrsa -out jack.key 1024
Generating RSA private key, 1024 bit long modulus
..............................................................++++++
......................++++++
e is 65537 (0x10001)
生成证书签名请求文件
root@ubuntu-128:/etc/nginx/ssl_key2# openssl req -new -key jack.key -out jack.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:zhejiang
Locality Name (eg, city) []:hangzhou
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ailibaba
Organizational Unit Name (eg, section) []:alibaba
Common Name (e.g. server FQDN or YOUR name) []:alibaba
Email Address []:666@163.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:666666
An optional company name []:alibaba
root@ubuntu-128:/etc/nginx/ssl_key2# ll
总用量 16
drwxr-xr-x 2 root root 4096 9月 1 20:42 ./
drwxr-xr-x 6 root root 4096 9月 1 20:39 ../
-rw-r--r-- 1 root root 761 9月 1 20:42 jack.csr
-rw-r--r-- 1 root root 887 9月 1 20:41 jack.key
生成证书签名文件
root@ubuntu-128:/etc/nginx/ssl_key2# openssl x509 -req -days 3650 -in jack.csr -signkey jack.key -out jack.crt
Signature ok
subject=/C=CN/ST=zhejiang/L=hangzhou/O=ailibaba/OU=alibaba/CN=alibaba/emailAddress=666@163.com
Getting Private key
root@ubuntu-128:/etc/nginx/ssl_key2# ls
jack.crt jack.csr jack.key
nginx配置文件
server {
listen 443;
server_name 192.168.13.128;
ssl on;
ssl_certificate /etc/nginx/ssl_key2/jack.crt;
ssl_certificate_key /etc/nginx/ssl_key2/jack.key;
location / {
root /opt/app/code;
try_files /cache $uri @java_page;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 404 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
重启nginx并测试
root@ubuntu-128:/etc/nginx/conf.d# nginx -s reload
查看证书详细信息