- CA生成一对密钥
[root@node01-Linux ~]# cd /etc/pki/CA
[root@node01-Linux CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
[root@node01-Linux CA]# openssl rsa -in private/cakey.pem -puboutwriting RSA key
- CA生成自签署证书
[root@node01-Linux CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:10063607@qq.com
[root@node01-Linux CA]# ls
cacert.pem certs crl newcerts private
[root@node01-Linux CA]# touch index.txt && echo 01 > serial
- 客户端生成密钥
[root@node01-Linux ~]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus
.......................................................+++
................+++
e is 65537 (0x10001)
[root@node01-Linux ~]# ls
anaconda-ks.cfg httpd.key
- 客户端生成证书签署请求
[root@node01-Linux ~]# openssl req -new -key httpd.key -days 365 -out httpd.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:www.a.com
Organizational Unit Name (eg, section) []:www.a.com
Common Name (eg, your name or your server's hostname) []:www.a.com
Email Address []:10063607@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@node01-Linux ~]# ls
anaconda-ks.cfg httpd.csr httpd.key
- CA签署客户端提交上来的证书
[root@node01-Linux ~]# openssl ca -in /root/httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Aug 12 02:12:47 2020 GMT
Not After : Aug 12 02:12:47 2021 GMT
Subject:
countryName = CN
stateOrProvinceName = HB
organizationName = www.a.com
organizationalUnitName = www.a.com
commonName = www.a.com
emailAddress = 10063607@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
70:E6:88:B6:F2:50:9A:AD:1A:18:DF:4E:5F:09:AF:E1:BB:29:49:8D
X509v3 Authority Key Identifier:
keyid:84:CD:31:2B:84:1A:74:E8:39:72:58:55:34:21:4C:9B:0B:3F:14:47
Certificate is to be certified until Aug 12 02:12:47 2021 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@node01-Linux ~]# ls
anaconda-ks.cfg httpd.crt httpd.csr httpd.key
[root@node01-Linux ~]# mkdir /usr/local/nginx/ssl
[root@node01-Linux ~]# mv httpd.* /usr/local/nginx/ssl/
- 配置nginx主配置文件中配置https
[root@node01-Linux ~]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /usr/local/nginx/ssl/httpd.crt; //指定路径
ssl_certificate_key /usr/local/nginx/ssl/httpd.key; //指定路径
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
//将内容注释取消掉
验证