Configuring nginx SSL with a home-made CA certificate and a self-signed certificate: one-way SSL (the usual case)
1). Generate the CA root certificate (this plays the role of the signing CA)
[root@localhost ~]# mkdir /etc/pki/ca_test #create the directory for the CA root certificate
[root@localhost ~]# cd /etc/pki/ca_test
[root@localhost ca_test]# mkdir root server newcerts #create the related directories
[root@localhost ca_test]# ls
newcerts root server
[root@localhost ca_test]# echo 01 > serial #set the serial number to 01
[root@localhost ca_test]# echo 01 > crlnumber #set the CRL number to 01
[root@localhost ca_test]# touch index.txt #create index.txt
[root@localhost ca_test]# ls
crlnumber index.txt newcerts root serial server
[root@localhost ca_test]# cp /etc/pki/tls/openssl.cnf /etc/pki/tls/openssl.cnf.bak
[root@localhost ca_test]# vim /etc/pki/tls/openssl.cnf #edit the openssl configuration file
...
[ ca ]
default_ca = CA_default #unchanged
[ CA_default ] #unchanged
dir = /etc/pki/ca_test #changed
certs = $dir/certs
crl_dir = $dir/crl
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/root/ca.crt #changed: where the CA certificate file is stored
serial = $dir/serial
crlnumber = $dir/crlnumber
crl = $dir/crl.pem
private_key = $dir/root/ca.key #changed: where the CA private key file is stored
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
name_opt = ca_default #unchanged
cert_opt = ca_default #unchanged
default_days = 365 #validity 365 days
default_crl_days= 30
default_md = sha256 #unchanged
preserve = no #unchanged
Generate the CA private key:
[root@localhost ca_test]# openssl genrsa -out /etc/pki/ca_test/root/ca.key #just press Enter
[root@localhost ca_test]# ls /etc/pki/ca_test/root/
ca.key
Generate the certificate request; fill in your own CA's details:
[root@localhost ca_test]# openssl req -new -key /etc/pki/ca_test/root/ca.key -out /etc/pki/ca_test/root/ca.csr #press Enter
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #country of the CA
State or Province Name (full name) []:BJ #province of the CA
Locality Name (eg, city) [Default City]:BJ #city of the CA
Organization Name (eg, company) [Default Company Ltd]:catest #organization name of the CA
Organizational Unit Name (eg, section) []:test #department of the CA
Common Name (eg, your name or your server's hostname) []:catest.com #domain name of the CA
Email Address []:catest@catest.com #e-mail address of the CA
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 #challenge password for the CA
An optional company name []:testlinux #may differ from the name above
[root@localhost ca_test]# ls /etc/pki/ca_test/root/
ca.csr ca.key
Generate the CA certificate (the CA's crt file):
[root@localhost ca_test]# openssl x509 -req -days 3650 -in /etc/pki/ca_test/root/ca.csr -signkey /etc/pki/ca_test/root/ca.key -out /etc/pki/ca_test/root/ca.crt #press Enter; validity is set to 10 years here, otherwise the 1-year default from the config file applies
[root@localhost ca_test]# ls /etc/pki/ca_test/root/
ca.crt ca.csr ca.key
2). Generate the server certificate (the certificate issued by the CA that nginx will use)
[root@localhost ca_test]# cd /etc/pki/ca_test/server
Generate the private key file:
[root@localhost server]# openssl genrsa -out server.key #press Enter
[root@localhost server]# ls
server.key
Generate the certificate request file: (the Organization Name must match the one in ca.csr, indicating that this CA issues the certificate)
[root@localhost server]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #your own company's country
State or Province Name (full name) []:BJ #your own company's province
Locality Name (eg, city) [Default City]:BJ #your own company's city
Organization Name (eg, company) [Default Company Ltd]:catest #the CA's organization name
Organizational Unit Name (eg, section) []:test2 #your own company's department
Common Name (eg, your name or your server's hostname) []:123.com #your own company's domain name
Email Address []:admin@123.com #your own company's e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123.com
[root@localhost server]# ls /etc/pki/ca_test/server/
server.csr server.key
Sign server.csr with the CA root certificate, producing the public certificate file server.crt; this step asks you to type y at two prompts
[root@localhost server]# openssl ca -in server.csr -cert /etc/pki/ca_test/root/ca.crt -keyfile /etc/pki/ca_test/root/ca.key -out server.crt -days 3650 #press Enter; the issued certificate is valid for 10 years
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
[root@localhost server]# ls /etc/pki/ca_test/server/
server.crt server.csr server.key
3). Configure the self-signed SSL certificate in nginx to enable HTTPS access
At compile time the ssl module must be added: # ./configure --with-http_ssl_module --prefix=/usr/local/nginx/
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
http {
...
include vhost/*.conf; #add this line
}
[root@localhost ~]# cat /usr/local/nginx/conf/vhost/www.1.conf
server{
listen 80;
server_name www.1.com;
root /data/wwwroot/www.1.com;
index index.html;
}
server{
listen 443 ssl;
server_name www.1.com;
root /data/wwwroot/www.1.com;
index index.html;
ssl_certificate /data/wwwroot/www.1.com/ssl/server.crt;
ssl_certificate_key /data/wwwroot/www.1.com/ssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!DH:!EXPORT:!RC4:+HIGH:+MEDIUM:!eNULL;
ssl_prefer_server_ciphers on;
}
Notes:
1. Port 443 is the SSL listening port.
2. ssl on turns on SSL support; the configuration above achieves the same with the ssl parameter on the listen directive.
3. ssl_certificate specifies the path of the crt file; if a relative path is used, the file must be in the same directory as nginx.conf.
4. ssl_certificate_key specifies the path of the key file.
5. ssl_protocols specifies the SSL protocol versions.
6. ssl_ciphers configures the SSL cipher suites; multiple entries are separated by :, ALL means all ciphers, ! disables a cipher, and + moves a cipher to the end of the list.
7. ssl_prefer_server_ciphers defaults to off when not specified; when on, the server's cipher preferences take precedence over the client's for SSLv3 and TLS.
[root@localhost ~]# mkdir /data/wwwroot/www.1.com/ssl
[root@localhost ~]# cp /etc/pki/ca_test/server/server.key /data/wwwroot/www.1.com/ssl/
[root@localhost ~]# cp /etc/pki/ca_test/server/server.crt /data/wwwroot/www.1.com/ssl/
[root@localhost ~]# ls /data/wwwroot/www.1.com/ssl/
server.crt server.key
[root@localhost ~]# cat /data/wwwroot/www.1.com/index.html
index
[root@localhost ~]# /usr/local/nginx/sbin/nginx -s reload
[root@localhost ~]# cat /etc/hosts
192.168.171.132 www.1.com
[root@localhost ~]# curl http://www.1.com/
index
[root@localhost ~]# curl -k https://www.1.com/
index
Access from a browser:
http://192.168.171.132/ https://192.168.171.132/
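The curl -k check above disables certificate verification, so it cannot tell whether server.crt actually chains to ca.crt or whether the certificate name matches the host (the CSR above used CN 123.com while nginx serves www.1.com). The script below, an added example rather than code from the original post, rebuilds the same CA and server certificate non-interactively and then runs the verification a real client performs; it assumes openssl 1.1.1 or newer on PATH and signs with "openssl x509 -req -CA" instead of "openssl ca", so no openssl.cnf edits are needed.

```shell
#!/bin/sh
# Added example, not part of the original post: build a throw-away CA and a
# server certificate non-interactively, then verify the chain and hostname
# the way a real client would, instead of skipping both with curl -k.
# Assumptions: openssl 1.1.1+ on PATH; names (catest, www.1.com) are the
# page's; signing uses "openssl x509 -req -CA" instead of "openssl ca".
set -eu

# Create ca.key/ca.crt and server.key/server.crt inside directory $1.
build_test_pki() {
    dir=$1
    mkdir -p "$dir"
    # CA key and self-signed root; basicConstraints CA:TRUE marks it as an issuer.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl req -new -key "$dir/ca.key" -subj "/C=CN/ST=BJ/L=BJ/O=catest/CN=catest.com" \
        -out "$dir/ca.csr"
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    # Server key and CSR; the name must be the one nginx serves (www.1.com).
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/C=CN/ST=BJ/L=BJ/O=catest/OU=test2/CN=www.1.com" -out "$dir/server.csr"
    # Browsers and curl match the hostname against subjectAltName, not CN.
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.1.com\nextendedKeyUsage=serverAuth\n' \
        > "$dir/server.ext"
    openssl x509 -req -days 3650 -in "$dir/server.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null
}

# Check that server.crt in $1 chains to ca.crt and is valid for hostname $2;
# prints OK or FAIL and returns the matching exit status.
verify_chain() {
    if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
            "$1/server.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
        return 1
    fi
}

PKI_DIR=$(mktemp -d)
build_test_pki "$PKI_DIR"
echo "test PKI written to $PKI_DIR"
verify_chain "$PKI_DIR" www.1.com        # OK
verify_chain "$PKI_DIR" 123.com || true  # FAIL: the page's CSR used CN 123.com
```

Test the running server with curl --cacert /etc/pki/ca_test/root/ca.crt https://www.1.com/ rather than curl -k, so that the chain and the hostname are actually checked. The TLSv1 and TLSv1.1 entries in the ssl_protocols line above are deprecated (RFC 8996) and should be replaced by TLSv1.2 TLSv1.3.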
Self-signed certificate guide: https://github.com/aminglinux/nginx/blob/master/ssl/key.md
nginx SSL configuration guide: https://github.com/aminglinux/nginx/blob/master/ssl/nginx.md