HTTPS authentication with nginx and OpenSSL

I. Check whether OpenSSL is installed

# already installed
[root@localhost ~]# rpm -qa openssl
openssl-1.0.1e-42.el7.x86_64

II. Create the root CA certificate

  1. Generate the CA private key
[root@localhost zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
......................................................................................................................................+++
e is 65537 (0x10001)
[root@localhost zhengshu]# ls
local.key

  2. Generate the CA certificate request
[root@localhost zhengshu]# openssl req -new -key local.key -out local.csr  # a certificate request is a request for a signature, so it must be signed with the private key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN   # country
State or Province Name (full name) []:beijing        # province
Locality Name (eg, city) [Default City]:beijing   # city
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test  # department
Common Name (eg, your name or your server's hostname) []:test  # hostname
Email Address []:test@test.com   # e-mail

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tian  # password
An optional company name []:tian  # company name
[root@localhost zhengshu]# ls
local.csr  local.key
req: a large command; it can generate certificate request files, verify certificates and create a root CA
-new: generate a new certificate request
-x509: output a certificate directly
-key: the private key file used when generating the certificate request
-out: output file

  3. Generate the CA root certificate
The command that generates the CA certificate is confusing:
1. generate a certificate request file from the private key
2. generate the final certificate from the certificate request file
 -in uses the certificate request file to generate the certificate; -signkey specifies the private key, a parameter I still haven't figured out
[root@localhost zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey  local.key -out local.crt  # a certificate is a self-signed or CA-signed credential used for identity authentication
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
[root@localhost zhengshu]# ls
local.crt  local.csr  local.key

III. Create the server certificate from the CA certificate

  1. Generate the server private key
[root@localhost zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
...........+++
e is 65537 (0x10001)
[root@localhost zhengshu]# ls
local.crt  local.csr  local.key  my_server.key
  2. Generate the server certificate request
[root@localhost zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijiang
Locality Name (eg, city) [Default City]:beijaing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test   
Email Address []:test@test.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tian
An optional company name []:tian
[root@localhost zhengshu]# ls
local.crt  local.csr  local.key  my_server.csr  my_server.key
  3. Generate the server certificate
[root@localhost zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt 
Signature ok
subject=/C=CN/ST=beijiang/L=beijaing/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting CA Private Key
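The CA and server-certificate steps of parts II and III, as an added shell example that is not from the original post. It assumes a POSIX shell with the openssl binary on PATH, writes into a temporary directory and uses constructed subject values; it differs from the post in two ways a deployer would want: the CA is created with `openssl req -x509` so it actually carries CA:TRUE (`openssl x509 -req -extensions v3_ca` without `-extfile` does not add it), and the server certificate gets a subjectAltName for www.test.com, the host the nginx config serves, since a certificate whose CN is `test` would not match that name.

```shell
# Added example, not from the original post: CA + server certificate for
# www.test.com, then a chain check. Names and subject values are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

make_ca() {
    # CA key and self-signed CA certificate in one step (req -x509 applies the
    # v3_ca extensions, so the result has basicConstraints CA:TRUE).
    openssl genrsa -out "$WORK/local.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$WORK/local.key" -days 3650 \
        -subj "/C=CN/ST=beijing/L=beijing/O=Example/OU=test/CN=Example Test CA" \
        -out "$WORK/local.crt"
}

make_server_cert() {
    # Server key and CSR; the CN is the hostname nginx will serve.
    openssl genrsa -out "$WORK/my_server.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/my_server.key" \
        -subj "/C=CN/ST=beijing/L=beijing/O=Example/OU=test/CN=www.test.com" \
        -out "$WORK/my_server.csr"
    # Extensions for a leaf certificate. `openssl x509 -req` only applies
    # extensions read from -extfile; `-extensions v3_req` alone is ignored.
    cat > "$WORK/server.ext" <<'EOF'
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:www.test.com
EOF
    openssl x509 -req -days 365 -in "$WORK/my_server.csr" \
        -CA "$WORK/local.crt" -CAkey "$WORK/local.key" -CAcreateserial \
        -extfile "$WORK/server.ext" -out "$WORK/my_server.crt" 2>/dev/null
}

# Checks a deployer should run before pointing nginx at the files.
verify_chain() {   # prints "<path>: OK" when the server cert chains to the CA
    openssl verify -CAfile "$WORK/local.crt" "$WORK/my_server.crt"
}
cert_san() {       # prints the DNS names the certificate is valid for
    openssl x509 -in "$WORK/my_server.crt" -noout -text |
        sed -n '/Subject Alternative Name/{n;s/^ *//;p;}'
}
ca_is_ca() {       # succeeds only if the CA certificate says CA:TRUE
    openssl x509 -in "$WORK/local.crt" -noout -text | grep -q 'CA:TRUE'
}

make_ca
make_server_cert
verify_chain
cert_san
```

Point `ssl_certificate` and `ssl_certificate_key` in the nginx config at `$WORK/my_server.crt` and `$WORK/my_server.key`, and import `local.crt` into the browser's trust store before the test in part V.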

IV. Configure nginx for SSL

[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
    server {
        listen       443 ssl;  # listen on port 443
        server_name  www.test.com;  # server name
        keepalive_timeout  100;  # enable keepalive persistent connections to reduce the number of client requests

        ssl_certificate     /zhengshu/my_server.crt;   # location of the server certificate
        ssl_certificate_key  /zhengshu/my_server.key;  # location of the server private key
        ssl_session_cache    shared:SSL:10m;  # cache SSL sessions
        ssl_session_timeout  10m;  # sessions expire after 10 minutes

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            root   html;
            index  index.html index.htm;
        }
    }
[root@localhost ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# nginx -s reload

V. Test
