nginx web proxy SSL works. Updated...

Note: Cross posted from 志存高远.

Yesterday I saw the nginx SSL article on Zhang Yan's blog, followed the steps and it did not work, which was frustrating; I even asked a rather silly question. Later I looked into it and found the explanation of PEM, DER, CSR and CRT files quoted below, and by combining it with another article I finally got SSL working. So hungry now; I'll go back, tidy this up and post it.

To move your own website from HTTP to HTTPS you need an SSL certificate. Usable SSL certificates are normally issued by organizations such as Verisign and Thawte; we are not a bank and cannot afford that, but we can certify ourselves.

The article explains how to generate the private key (.key), the certificate signing request (.csr) and the website certificate (.crt); the .crt file is the one nginx's SSL configuration needs.

The first steps can follow Zhang Yan's article; the crucial part is the last step.

3. Generate a Self-Signed SSL Certificate, i.e. produce a self-signed SSL certificate file:

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

This is the command that produces the .crt file, which is what nginx uses.

The original article is linked below.

http://www.thegeekstuff.com/2009/07/linux-apache-mod-ssl-generate-key-csr-crt-file/

How To Generate SSL Key, CSR and Self Signed Certificate For Apache

If you want to convert your website from HTTP to HTTPS, you need to get an SSL certificate from a valid organization like Verisign or Thawte. You can also generate a self-signed SSL certificate for testing purposes.

In this article, let us review how to generate the private key file (server.key), the certificate signing request file (server.csr) and the webserver certificate file (server.crt) that can be used on an Apache server with mod_ssl.

Key, CSR and CRT File Naming Convention

I typically like to name the files with the domain name of the HTTPS URL that will be using this certificate. This makes it easier to identify and maintain.

Instead of server.key, I use www.thegeekstuff.com.key

Instead of server.csr, I use www.thegeekstuff.com.csr

Instead of server.crt, I use www.thegeekstuff.com.crt

1. Generate Private Key on the Server Running Apache + mod_ssl

First, generate a private key on the Linux server that runs the Apache webserver using the openssl command as shown below.

# openssl genrsa -des3 -out www.thegeekstuff.com.key 1024
Generating RSA private key, 1024 bit long modulus
.......................................++++++
...................................................++++++
e is 73547 (0x01001)
Enter pass phrase for www.thegeekstuff.com.key:
Verifying - Enter pass phrase for www.thegeekstuff.com.key:

# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key

The generated private key looks like the following.

# cat www.thegeekstuff.com.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,485B3C6371C9916E
ymehJu/RowzrclMcixAyxdbfzQphfUAk9oK9kK2
jadfoiyqthakLKNqw9z1MoaqkPyqeHevUm26no
AJKIETHKJADFS2BGb0n61/Ksk8isp7evLM4+QY
KAQETKjdiahteksMJOjXLq+vf5Ra299fZPON7yr
-----END RSA PRIVATE KEY-----

2. Generate a Certificate Signing Request (CSR)

Using the key generated above, generate a certificate signing request file (csr) with openssl as shown below.

# openssl req -new -key www.thegeekstuff.com.key -out www.thegeekstuff.com.csr
Enter pass phrase for www.thegeekstuff.com.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:US
State or Province Name (full name) [Berkshire]:California
Locality Name (eg, city) [Newbury]:Los Angeles
Organization Name (eg, company) [My Company Ltd]:The Geek Stuff
Organizational Unit Name (eg, section) []:IT
Common Name (eg, your name or your server's hostname) []: thegeekstuff
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

# ls -ltr www.thegeekstuff.*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.thegeekstuff.com.csr

3. Generate a Self-Signed SSL Certificate

For testing purposes, you can generate a self-signed SSL certificate that is valid for 1 year using the openssl command as shown below.

# openssl x509 -req -days 365 -in www.thegeekstuff.com.csr -signkey www.thegeekstuff.com.key -out www.thegeekstuff.com.crt
Signature ok
subject=/C=US/ST=California/L=Los Angeles/O=thegeekstuff/OU=IT/CN=www.thegeekstuff.com
Getting Private key
Enter pass phrase for www.thegeekstuff.com.key:

# ls -l www.thegeekstuff*
-rw-r--r-- 1 root root   963 Jun 13 20:26 www.thegeekstuff.com.key
-rw-r--r-- 1 root root   664 Jun 13 20:35 www.thegeekstuff.com.csr
-rw-r--r-- 1 root root   879 Jun 13 20:43 www.thegeekstuff.com.crt

# cat www.thegeekstuff.com.crt
-----BEGIN CERTIFICATE-----
haidfshoaihsdfAKDJFAISHTEIHkjasdjadf9w0BAQUFADCB
kjadfijadfhWQIOUQERUNcMNasdkjfakljasdBgEFBQcDAQ
kjdghkjhfortoieriqqeurNZXCVMNCMN.MCNaGF3dGUuY29
-----END CERTIFICATE-----

You can use this method to generate the Apache SSL key, CSR and CRT files on most Linux and Unix systems, including Ubuntu, Debian, CentOS, Fedora and Red Hat.
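The three steps above, and the final `openssl x509 -req ... -signkey` step the post singles out as the one that produces the .crt nginx needs, tied into one script as an added shell example (not the article's or the blog author's own code). It keeps the same pipeline (genrsa, req, x509 -req) but uses a 2048-bit key with no -des3, because a passphrase-protected key makes nginx or Apache prompt at every start, passes the Distinguished Name with -subj so it runs unattended, and then performs the checks a practitioner wants before copying the files to a server: the .crt really belongs to the .key (same RSA modulus), the certificate is self-signed (subject equals issuer), and it verifies only when it is itself supplied as the trust anchor. The hostname www.example.test, the output directory and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not the article's code: key -> CSR -> self-signed cert with
# the openssl CLI, plus the checks that prove the three files belong together.
set -eu

# $1 = output directory, $2 = hostname used as the Common Name (constructed).
make_selfsigned() {
    dir=$1; host=$2
    mkdir -p "$dir"
    # 1. Private key. 2048 bits rather than the article's 1024, and no -des3:
    #    a passphrase-protected key makes nginx/Apache prompt at every start.
    openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
    chmod 600 "$dir/$host.key"
    # 2. CSR. -subj supplies the Distinguished Name non-interactively; the CN
    #    must be the name clients connect to, or browsers reject the cert.
    openssl req -new -key "$dir/$host.key" -out "$dir/$host.csr" \
        -subj "/C=US/ST=California/L=Los Angeles/O=Example/CN=$host"
    # 3. Self-signed certificate: the CSR is signed with our own key (-signkey),
    #    so issuer == subject. This .crt is the file the post says nginx needs.
    openssl x509 -req -days 365 -sha256 -in "$dir/$host.csr" \
        -signkey "$dir/$host.key" -out "$dir/$host.crt" 2>/dev/null
}

# A .crt belongs to a .key exactly when both carry the same RSA modulus.
key_matches_cert() {            # $1 = key file, $2 = cert file
    k=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null)
    c=$(openssl x509 -noout -modulus -in "$2")
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Self-signed means the certificate's subject and issuer are the same name;
# this is also why no client trusts it until it is installed as an anchor.
cert_is_selfsigned() {          # $1 = cert file
    s=$(openssl x509 -noout -subject -in "$1" | sed 's/^subject= *//')
    i=$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer= *//')
    [ "$s" = "$i" ]
}

# openssl verify succeeds only if the signer is trusted; for a self-signed
# certificate that means passing the certificate itself as the CA file.
cert_verifies_with_anchor() {   # $1 = cert file, $2 = trust anchor file
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# Stand-alone demo: sh selfsigned.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d)
    h=www.example.test
    make_selfsigned "$d" "$h"
    key_matches_cert "$d/$h.key" "$d/$h.crt" && echo "key and cert match"
    cert_is_selfsigned "$d/$h.crt" && echo "subject == issuer (self-signed)"
    cert_verifies_with_anchor "$d/$h.crt" "$d/$h.crt" && echo "verifies with itself as anchor"
    openssl x509 -noout -subject -issuer -dates -in "$d/$h.crt"
    ls -l "$d"
fi
```

The modulus comparison is the quickest way to find out which .key goes with which .crt when several have accumulated on a server; the verify step makes the limitation of a self-signed certificate concrete, since the same command fails as soon as any other file is offered as the anchor.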

Ok, this one should be in the docs, but unfortunately, there is only a completely outdated note in there.

For any PKI certificate there are 3 parts:

1. The secret private key, which only the relevant computer should know and which no-one else should be able to see or steal. This can be stored in hardware (at a price), in an encrypted PKCS12 file (extension .pfx or .p12) with the other two parts (mostly some Microsoft programs need this), in an encrypted DER format file (extension varies with the program) (rarely used) or in a PEM-encoded encrypted DER file (extension .key) (the most common for non-Microsoft products such as Apache).

2. The public key, which everybody will know. Most of the time this is simply included as a field inside the cert (part 3 below); only during the first steps of generating the cert may you temporarily need this on its own. This may be stored in DER format (rare) or PEM-encoded DER format (the usual). The file extension varies but is often .pub, .der or .pem.

3. The certificate, which contains the public key, the name of the server or person or company etc. that owns the matching private key, various other important information and a signature (by the same or a different public key) on all these facts. The certificate may be stored with the private key in a PKCS12 file (extension .pfx or .p12) with the other two parts (mostly some Microsoft programs need this), in an unencrypted DER file (extension .crt or .cer) (only Microsoft IIS needs this) or in an unencrypted PEM-encoded DER file (extension .crt or .cer) (everything else uses this).

On 25-07-2010 00:49, Warron French wrote:

> I have been reading HOWTOs all over the internet trying to figure out how to generate a self-signed and/or CA (mine) signed certificate.
>
> What I can't understand is, WHY do I need an RSA "key" or certificate. I think it's a key. WHY do I need a PEM certificate, and why a DER certificate?
>
> Nowhere on any website does it say WHEN to use one type of certificate or just a key?
>
> Apache httpd.conf files will reference both .key and .crt files in their syntax; isn't the .crt a PEM-encoded certificate file? If so, why not give it a more meaningful .pem extension instead.
>
> Can anyone clarify for me? I am trying not to chase my tail and want to learn this stuff on a deeper level.
>
> When do I know if I need to perform the openssl req and then openssl x509 commands and NOT the openssl rsa command.
>
> This is all very confusing and I see no simplified (non-doctoral) documentation on this material. Anyone have a book to suggest?
>
> Thanks to anyone that can respond.
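The reply's three parts as files on disk, written as an added shell example that is not part of the mailing-list thread: it builds a test key and self-signed certificate (constructed data under www.example.test), tells PEM from DER by looking at the bytes rather than the extension, recognises an encrypted .key by its header in both the legacy "Proc-Type" and the PKCS#8 form, converts the certificate PEM to DER and back to show that only the encoding changes, extracts the public key from both the .key and the .crt to show it is the same field, and bundles key and certificate into a PKCS12 file and back out. All file names and function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list reply: the three "parts" as files,
# with checks that tell PEM from DER and encrypted from plain, and show that
# the certificate carries the same public key as the .key file.
set -eu

# Constructed test data: key + self-signed cert in one step.   $1 = directory
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/site.key" -out "$1/site.crt" \
        -subj "/CN=www.example.test" 2>/dev/null
}

# PEM is Base64 text inside "-----BEGIN ...-----" armor; DER is the raw ASN.1
# binary, which for keys and certificates always starts with SEQUENCE (0x30).
encoding_of() {                     # prints PEM, DER or UNKNOWN
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo DER
    else
        echo UNKNOWN
    fi
}

# An encrypted PEM key announces it in its first lines: the legacy
# "Proc-Type: 4,ENCRYPTED" header or a "BEGIN ENCRYPTED PRIVATE KEY" armor.
key_is_encrypted() {                # $1 = key file
    head -n 3 "$1" | grep -q ENCRYPTED
}

# Put a passphrase on a plain key (what -des3 did at generation time in the
# article), using AES-256 instead of 3DES.   $1 = key, $2 = out, $3 = passphrase
encrypt_key() {
    openssl rsa -in "$1" -aes256 -passout "pass:$3" -out "$2" 2>/dev/null
}

# PEM -> DER -> PEM; the SHA-256 fingerprint must survive because only the
# encoding changes, not the certificate.   $1 = PEM cert, $2 = scratch dir
der_roundtrip_ok() {
    openssl x509 -in "$1" -outform DER -out "$2/rt.der"
    openssl x509 -inform DER -in "$2/rt.der" -out "$2/rt.pem"
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$1")
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$2/rt.pem")
    [ "$(encoding_of "$2/rt.der")" = DER ] && [ "$a" = "$b" ]
}

# Part 2 of the reply: the public key is normally just a field inside the
# certificate. Extract it from both places and confirm they are identical.
cert_carries_key_pubkey() {         # $1 = key, $2 = cert
    from_key=$(openssl rsa -in "$1" -pubout 2>/dev/null)
    from_crt=$(openssl x509 -in "$2" -pubkey -noout)
    [ "$from_key" = "$from_crt" ]
}

# PKCS12 bundles key and certificate in one passphrase-protected container;
# the certificate that comes back out must be the one that went in.
bundle_and_extract_ok() {           # $1 = key, $2 = cert, $3 = dir
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3/site.p12" -passout pass:demo
    openssl pkcs12 -in "$3/site.p12" -passin pass:demo -nokeys -clcerts \
        -out "$3/from_p12.crt" 2>/dev/null
    a=$(openssl x509 -noout -fingerprint -sha256 -in "$2")
    b=$(openssl x509 -noout -fingerprint -sha256 -in "$3/from_p12.crt")
    [ "$a" = "$b" ]
}

# Stand-alone demo: sh formats.sh run
if [ "${1:-}" = "run" ]; then
    d=$(mktemp -d); make_pair "$d"
    encrypt_key "$d/site.key" "$d/site.enc.key" secret
    for f in site.key site.enc.key site.crt; do
        enc=no; key_is_encrypted "$d/$f" && enc=yes
        echo "$f: $(encoding_of "$d/$f"), encrypted=$enc"
    done
    der_roundtrip_ok "$d/site.crt" "$d" && echo "PEM -> DER -> PEM keeps the fingerprint"
    cert_carries_key_pubkey "$d/site.key" "$d/site.crt" && echo "cert's public key == key's public key"
    bundle_and_extract_ok "$d/site.key" "$d/site.crt" "$d" && echo "PKCS12 round trip ok"
fi
```

The point of `encoding_of` is the one the question circles around: .crt, .cer and .pem say nothing reliable about the encoding, so a server that refuses a certificate file is usually reading DER where it expects PEM or vice versa, and the first bytes of the file settle that immediately.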


Reposted from: https://www.cnblogs.com/liooge/archive/2011/03/29/1998743.html
