Configuring nginx SSL with a home-made CA certificate and a self-signed certificate: one-way SSL (the usual case)

1) Generate the CA root certificate (this plays the role of the signing CA)

[root@localhost ~]# mkdir /etc/pki/ca_test              # directory for the CA root certificate
[root@localhost ~]# cd /etc/pki/ca_test
[root@localhost ca_test]# mkdir root server newcerts     # create the related directories
[root@localhost ca_test]# ls
newcerts  root  server
[root@localhost ca_test]# echo 01 > serial              # set the serial number to 01
[root@localhost ca_test]# echo 01 > crlnumber          # set the CRL number to 01
[root@localhost ca_test]# touch index.txt               # create the (empty) certificate database index.txt
[root@localhost ca_test]# ls
crlnumber  index.txt  newcerts  root  serial  server
[root@localhost ca_test]# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.bak
[root@localhost ca_test]# vim /etc/pki/tls/openssl.cnf    # edit the openssl configuration file
...
[ ca ]
default_ca      = CA_default                      # unchanged
[ CA_default ]                                    # unchanged
dir             = /etc/pki/ca_test                # changed
certs           = $dir/certs
crl_dir         = $dir/crl
database        = $dir/index.txt
new_certs_dir   = $dir/newcerts
certificate     = $dir/root/ca.crt                # changed: where the CA certificate is stored
serial          = $dir/serial
crlnumber       = $dir/crlnumber
crl             = $dir/crl.pem
private_key     = $dir/root/ca.key                # changed: where the CA private key is stored
RANDFILE        = $dir/private/.rand
x509_extensions = usr_cert
name_opt        = ca_default                      # unchanged
cert_opt        = ca_default                      # unchanged
default_days    = 365                             # validity period 365 days
default_crl_days= 30
default_md      = sha256                          # unchanged
preserve        = no                              # unchanged

Generate the CA private key:

[root@localhost ca_test]# openssl genrsa -out /etc/pki/ca_test/root/ca.key   # no prompts; with no size argument genrsa uses its default key size (2048 bits on current releases, 1024 on old ones), so passing 2048 or 4096 explicitly is safer
[root@localhost ca_test]# ls /etc/pki/ca_test/root/
ca.key

Generate the certificate request, filling in the CA's own details:

[root@localhost ca_test]# openssl req -new -key /etc/pki/ca_test/root/ca.key -out /etc/pki/ca_test/root/ca.csr    # answer the prompts
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                # the CA's country
State or Province Name (full name) []:BJ                            # the CA's province
Locality Name (eg, city) [Default City]:BJ                          # the CA's city
Organization Name (eg, company) [Default Company Ltd]:catest        # the CA's organization name
Organizational Unit Name (eg, section) []:test                      # the CA's department
Common Name (eg, your name or your server's hostname) []:catest.com # the CA's domain name
Email Address []:catest@catest.com                                  # the CA's e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456                                      # an arbitrary challenge password for the CA
An optional company name []:testlinux                               # may differ from the organization name above
[root@localhost ca_test]# ls /etc/pki/ca_test/root/
ca.csr  ca.key

Generate the CA certificate, the crt file of the CA:

[root@localhost ca_test]# openssl x509 -req -days 3650 -in /etc/pki/ca_test/root/ca.csr -signkey /etc/pki/ca_test/root/ca.key -out /etc/pki/ca_test/root/ca.crt  # -days 3650 makes it valid for 10 years; if omitted, the configuration file's default of 1 year applies
[root@localhost ca_test]# ls /etc/pki/ca_test/root/
ca.crt  ca.csr  ca.key

2) Generate the server certificate (the certificate issued by the CA that nginx will be configured with)

[root@localhost ca_test]# cd /etc/pki/ca_test/server

Generate the private key:

[root@localhost server]# openssl genrsa -out server.key    # no prompts
[root@localhost server]# ls
server.key

Generate the certificate request. The Organization Name must be the same as in ca.csr, which marks the request as one to be issued by this CA: the default policy = policy_match in openssl.cnf makes openssl ca compare Country, State and Organization Name with the CA certificate and refuse the request if they differ.

[root@localhost server]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                              # your company's country
State or Province Name (full name) []:BJ                          # your company's province
Locality Name (eg, city) [Default City]:BJ                        # your company's city
Organization Name (eg, company) [Default Company Ltd]:catest      # the CA's organization name
Organizational Unit Name (eg, section) []:test2                   # your company's department
Common Name (eg, your name or your server's hostname) []:123.com  # your company's domain name
Email Address []:admin@123.com                                    # your company's e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123.com
[root@localhost server]# ls /etc/pki/ca_test/server/
server.csr  server.key

Sign server.csr with the CA root certificate to produce the certificate file server.crt; this step asks for confirmation (y) at two points:

[root@localhost server]# openssl ca -in server.csr -cert /etc/pki/ca_test/root/ca.crt -keyfile /etc/pki/ca_test/root/ca.key -out server.crt -days 3650    # -days 3650 issues the certificate for 10 years
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@localhost server]# ls /etc/pki/ca_test/server/
server.crt  server.csr  server.key
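Steps 1 and 2 together, as an added example that is not part of the original post: a POSIX shell script that builds the same two-level PKI (private root CA, then one server certificate issued by it) without any prompts, verifies that the server certificate chains to the root, and demonstrates the policy_match rejection described above. It assumes openssl 1.1.1 or later on PATH, writes its own minimal ca configuration into a temporary directory instead of editing /etc/pki/tls/openssl.cnf, reuses the post's DN values, and issues the server certificate for www.1.com (the nginx server_name used in step 3) rather than the post's 123.com. The function names (pki_init, make_root_ca, make_server_cert, chain_ok, try_sign_other_org, issued_count) are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: builds the post's two-level
# PKI (private root CA, one server certificate) non-interactively in a scratch
# directory, verifies the chain and shows what the CA's "match" policy refuses.
# Assumed: openssl 1.1.1+ on PATH; DN values as in the post; a private [ca]
# config instead of editing /etc/pki/tls/openssl.cnf; server name www.1.com
# (nginx's server_name) instead of the post's 123.com.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }
PKI="${PKI:-$(mktemp -d)}"
CFG="$PKI/ca.cnf"
CA_SUBJ="/C=CN/ST=BJ/L=BJ/O=catest/OU=test/CN=catest.com"
SRV_SUBJ="/C=CN/ST=BJ/L=BJ/O=catest/OU=test2/CN=www.1.com"

# Same layout as /etc/pki/ca_test plus the files openssl ca expects.
pki_init() {
    mkdir -p "$PKI/root" "$PKI/server" "$PKI/newcerts"
    : > "$PKI/index.txt"          # empty certificate database
    echo 01 > "$PKI/serial"       # first serial number
    cat > "$CFG" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
new_certs_dir   = $PKI/newcerts
database        = $PKI/index.txt
serial          = $PKI/serial
certificate     = $PKI/root/ca.crt
private_key     = $PKI/root/ca.key
default_days    = 365
default_md      = sha256
policy          = policy_match
x509_extensions = server_cert
# C, ST and O of a request must equal the CA certificate's own values.
[ policy_match ]
countryName             = match
stateOrProvinceName     = match
localityName            = optional
organizationName        = match
organizationalUnitName  = optional
commonName              = supplied
emailAddress            = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
# Root certificate: a CA that may sign certificates.
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
# Stamped by the CA on every server certificate; the requester does not choose these.
[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:www.1.com
EOF
}

# Root CA key + self-signed certificate in one step (the post uses three).
make_root_ca() {
    openssl req -x509 -config "$CFG" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$CA_SUBJ" -keyout "$PKI/root/ca.key" -out "$PKI/root/ca.crt" 2>/dev/null
}

# Server key and CSR, then the CA signature; -batch replaces the two y/n prompts.
make_server_cert() {
    openssl genrsa -out "$PKI/server/server.key" 2048 2>/dev/null
    openssl req -new -config "$CFG" -key "$PKI/server/server.key" \
        -subj "$SRV_SUBJ" -out "$PKI/server/server.csr" 2>/dev/null
    openssl ca -config "$CFG" -batch -notext -days 3650 \
        -in "$PKI/server/server.csr" -out "$PKI/server/server.crt" 2>/dev/null
}

# Exit 0 when server.crt chains to our root.
chain_ok() {
    openssl verify -CAfile "$PKI/root/ca.crt" "$PKI/server/server.crt" >/dev/null 2>&1
}

# Failure mode: a CSR whose Organization Name differs from the CA's is refused
# by policy_match. Exits 0 only if a certificate was produced anyway.
try_sign_other_org() {
    openssl genrsa -out "$PKI/other.key" 2048 2>/dev/null
    openssl req -new -config "$CFG" -key "$PKI/other.key" \
        -subj "/C=CN/ST=BJ/O=othercorp/CN=www.1.com" -out "$PKI/other.csr" 2>/dev/null
    openssl ca -config "$CFG" -batch -notext -days 3650 \
        -in "$PKI/other.csr" -out "$PKI/other.crt" >/dev/null 2>&1 || true
    openssl x509 -noout -in "$PKI/other.crt" 2>/dev/null
}

# Number of certificates recorded in the CA database.
issued_count() { wc -l < "$PKI/index.txt" | tr -d ' '; }

pki_init
make_root_ca
make_server_cert
echo "PKI in $PKI, issued: $(issued_count)"
```

Run it with sh make_pki.sh; PKI=/etc/pki/ca_test sh make_pki.sh builds into the post's directory instead of a temporary one. Two points the script makes visible: the policy_match section is the reason the post insists on a matching Organization Name (openssl ca compares C, ST and O against the CA certificate and refuses the request otherwise, which try_sign_other_org exercises), and the extensions of an issued certificate (CA:FALSE, serverAuth, the subjectAltName) come from the CA's configuration section, not from the requester. The post's default usr_cert section adds no subjectAltName, and browsers match the host name against the SAN list only, so a server certificate issued that way is rejected by a browser even when the root CA is trusted.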

3) Configure the self-signed SSL certificate in nginx to serve HTTPS

nginx must have been built with the SSL module:  # ./configure --with-http_ssl_module  --prefix=/usr/local/nginx/

[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
http {
...
    include vhost/*.conf;      # added
}

[root@localhost ~]# cat /usr/local/nginx/conf/vhost/www.1.conf
server{
    listen 80;
    server_name www.1.com;
    root /data/wwwroot/www.1.com;
    index index.html;
}
server{
    listen 443 ssl;
    server_name www.1.com;
    root /data/wwwroot/www.1.com;
    index index.html;
    ssl_certificate /data/wwwroot/www.1.com/ssl/server.crt;
    ssl_certificate_key /data/wwwroot/www.1.com/ssl/server.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
    ssl_prefer_server_ciphers on;
}

Notes:

1. Port 443 is the SSL listening port.
2. ssl on turns on SSL support (the vhost above uses the equivalent ssl parameter on listen 443 ssl).
3. ssl_certificate is the path of the crt file; if it is a relative path, the file must be in the same directory as nginx.conf.
4. ssl_certificate_key is the path of the key file.
5. ssl_protocols selects the SSL/TLS protocol versions.
6. ssl_ciphers sets the cipher list; entries are separated by ':', ALL means every cipher, ! disables a cipher, and + moves a cipher to the end of the list.
7. ssl_prefer_server_ciphers defaults to off; when on, the server's cipher preference order takes precedence over the client's for SSLv3 and TLS.

[root@localhost ~]# mkdir /data/wwwroot/www.1.com/ssl
[root@localhost ~]# cp /etc/pki/ca_test/server/server.key /data/wwwroot/www.1.com/ssl/
[root@localhost ~]# cp /etc/pki/ca_test/server/server.crt /data/wwwroot/www.1.com/ssl/
[root@localhost ~]# ls /data/wwwroot/www.1.com/ssl/
server.crt  server.key
[root@localhost ~]# cat /data/wwwroot/www.1.com/index.html
index
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# cat /etc/hosts
192.168.171.132 www.1.com
[root@localhost ~]# curl http://www.1.com/
index
[root@localhost ~]# curl -k https://www.1.com/      # -k skips certificate verification, since the client does not trust our private CA
index

Access from a browser:

http://192.168.171.132/     https://192.168.171.132/
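The checks worth running on the server.crt and server.key pair before nginx -s reload, as an added example that is not part of the original post: does the key belong to the certificate (otherwise nginx fails to reload with a key values mismatch), does the certificate carry the host name clients will connect with as a subjectAltName, and is it still valid for some days. It assumes openssl 1.1.1 or later on PATH. So that it runs stand-alone it builds a constructed fixture (a throwaway 30-day self-signed certificate, its key, and an unrelated key); the function names and the CRT/KEY/HOST variables are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post: checks on the server.crt and
# server.key placed in /data/wwwroot/www.1.com/ssl before "nginx -s reload".
# Assumes openssl 1.1.1+ on PATH. Builds a constructed fixture (throwaway 30-day
# self-signed certificate, its key, and an unrelated key) so it runs stand-alone;
# set CRT and KEY to the real paths to check those instead.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
HOST="www.1.com"                      # the name clients will connect with
CRT="${CRT:-$WORK/server.crt}"
KEY="${KEY:-$WORK/server.key}"

# Constructed fixture: certificate with a subjectAltName for $HOST, its key,
# and wrong.key, which does not belong to it (the copied-the-wrong-file mistake).
make_fixture() {
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ext\n[dn]\n[ext]\nsubjectAltName=DNS:%s\n' \
        "$HOST" > "$WORK/req.cnf"
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=catest/CN=$HOST" -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
    openssl genrsa -out "$WORK/wrong.key" 2048 >/dev/null 2>&1
}

# 0 when the public key inside the certificate is the one derived from the
# private key; otherwise nginx refuses the pair ("key values mismatch").
key_matches_cert() {   # $1 = certificate, $2 = private key
    [ "$(openssl x509 -noout -pubkey -in "$1")" = "$(openssl pkey -pubout -in "$2")" ]
}

# 0 when the certificate lists $2 as a subjectAltName. Browsers check only the
# SAN list, so a matching Common Name alone (as in the post's CSR) is not enough.
cert_covers_host() {   # $1 = certificate, $2 = host name
    openssl x509 -noout -text -in "$1" | tr ',' '\n' | grep -q "DNS:$2\$"
}

# 0 when the certificate is still valid $2 days from now.
cert_valid_for_days() {   # $1 = certificate, $2 = days
    openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null
}

make_fixture
key_matches_cert "$CRT" "$KEY" && echo "key matches certificate"
cert_covers_host "$CRT" "$HOST" && echo "certificate covers $HOST"
cert_valid_for_days "$CRT" 7 && echo "certificate valid for at least 7 more days"
```

Against the deployed files: CRT=/data/wwwroot/www.1.com/ssl/server.crt KEY=/data/wwwroot/www.1.com/ssl/server.key sh check_tls_files.sh. Two caveats for readers following the post: curl -k turns off verification entirely, whereas curl --cacert /etc/pki/ca_test/root/ca.crt https://www.1.com/ verifies both the chain and the host name, and it fails with the post's certificate because that certificate's Common Name is 123.com and it carries no subjectAltName for www.1.com. And TLSv1 and TLSv1.1 in ssl_protocols are deprecated (RFC 8996); on a current nginx and OpenSSL use ssl_protocols TLSv1.2 TLSv1.3; instead.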

Self-signed certificate reference: https://github.com/aminglinux/nginx/blob/master/ssl/key.md

nginx SSL configuration reference: https://github.com/aminglinux/nginx/blob/master/ssl/nginx.md
