自己制作ssl证书:自己签发免费ssl证书,为nginx生成自签名ssl证书
这里说下Linux 系统怎么通过openssl命令生成 证书。
首先执行如下命令生成一个key
openssl genrsa -des3 -out ssl.key 1024
然后他会要求你输入这个key文件的密码。不推荐输入。因为以后要给nginx使用。每次reload nginx配置时候都要你验证这个PAM密码的。
由于生成时候必须输入密码。你可以输入后 再删掉。
mv ssl.key xxx.key
openssl rsa -in xxx.key -out ssl.key
rm xxx.key
然后根据这个key文件生成证书请求文件
openssl req -new -key ssl.key -out ssl.csr
以上命令生成时候要填很多东西 一个个看着写吧(可以随便,毕竟这是自己生成的证书)
最后根据这2个文件生成crt证书文件
openssl x509 -req -days 365 -in ssl.csr -signkey ssl.key -out ssl.crt
这里365是证书有效期 推荐3650哈哈。这个大家随意。最后使用到的文件是key和crt文件。
如果需要用pfx 可以用以下命令生成
openssl pkcs12 -export -inkey ssl.key -in ssl.crt -out ssl.pfx
在需要使用证书的nginx配置文件的server节点里加入以下配置就可以了。
server {
listen 443;
server_name bbs.nau.edu.cn;
if ($uri !~ "/logging.php$") {
rewrite ^/(.)$ http://$host/$1 redirect;
}
ssl on;
ssl_certificate /home/ssl.crt;
ssl_certificate_key /home/ssl.key;
ssl_session_timeout 5m;
ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
}
然后重启nginx就大功告成了
作者:朱立志
链接:http://www.jianshu.com/p/1aa43b23b38d
來源:简书
著作权归作者所有。商业转载请联系作者获得授权,非商业转载请注明出处。
curl证书访问https
- 像百度这种https网站可以直接curl
curl https://www.baidu.com
- 自己做了的免费证书的网站是不能这样访问
[root@tanyvlinux bbs.tany.com]# curl https://bbs.tany.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.
- 可以通过命令生成一个认证文件,然后就可以访问到https
$ echo quit | openssl s_client -showcerts -servername bbs.tany.com -connect bbs.tany.com:443 > cacert.pem
depth=0 C = cn, ST = gd, L = gz, O = t, OU = t, CN = bbs.tany.com, emailAddress = t
verify error:num=18:self signed certificate
verify return:1
depth=0 C = cn, ST = gd, L = gz, O = t, OU = t, CN = bbs.tany.com, emailAddress = t
verify return:1
DONE
$ curl --cacert cacert.pem https://bbs.tany.com -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 21 Oct 2019 16:45:17 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0
- 如果你有SSL证书的crt和key文件,可以把这两个文件放在一起,也可以用于访问https
[root@tanyvlinux bbs.tany.com]# ls
server.crt server.csr server.key
[root@tanyvlinux bbs.tany.com]# cat server.crt server.key >> server.pem
[root@tanyvlinux bbs.tany.com]# curl --cacert server.pem https://bbs.tany.com -I
HTTP/1.1 200 OK
Server: nginx/1.16.1
Date: Mon, 21 Oct 2019 17:00:52 GMT
Content-Type: text/html; charset=utf-8
Connection: keep-alive
X-Powered-By: PHP/7.3.0
3万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
