一、检查OpenSSL是否安装
#已经成功安装
[root@localhost ~]# rpm -qa openssl
openssl-1.0.1e-42.el7.x86_64
二、创建根证书CA
- 生成CA私钥
[root@localhost zhengshu]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
......................................................................................................................................+++
e is 65537 (0x10001)
[root@localhost zhengshu]# ls
local.key
- 生成CA证书请求
[root@localhost zhengshu]# openssl req -new -key local.key -out local.csr #证书请求是对签名的请求,需要使用私钥进行签名
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN #国家
State or Province Name (full name) []:beijing #省
Locality Name (eg, city) [Default City]:beijing #城市
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test #部门
Common Name (eg, your name or your server's hostname) []:test #主机名
Email Address []:test@test.com #邮箱
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tian #密码
An optional company name []:tian #公司名
[root@localhost zhengshu]# ls
local.csr local.key
req: 这是一个大命令,提供生成证书请求文件,验证证书,和创建根CA
-new: 表示新生成一个证书请求
-x509: 直接输出证书
-key: 生成证书请求时用到的私钥文件
-out:输出文件
- 生成CA根证书
这个生成CA证书的命令会让人迷惑
1.通过秘钥 生成证书请求文件
2.通过证书请求文件 生成最终的证书
-in 使用证书请求文件生成证书,-signkey 指定私钥,这是一个还没搞懂的参数
[root@localhost zhengshu]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt #证书是自签名或CA签名过的凭据,用来进行身份认证
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting Private key
[root@localhost zhengshu]# ls
local.crt local.csr local.key
三、根据CA证书创建server端证书
- 生成server私匙
[root@localhost zhengshu]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
.........................................+++
...........+++
e is 65537 (0x10001)
[root@localhost zhengshu]# ls
local.crt local.csr local.key my_server.key
- 生成server证书请求
[root@localhost zhengshu]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijiang
Locality Name (eg, city) [Default City]:beijaing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:test@test.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tian
An optional company name []:tian
[root@localhost zhengshu]# ls
local.crt local.csr local.key my_server.csr my_server.key
- 生成server证书
[root@localhost zhengshu]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=beijiang/L=beijaing/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
Getting CA Private Key
四、配置nginx支持SSL
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 443 ssl; #监听443端口
server_name www.test.com; #服务器名
keepalive_timeout 100; #开启keepalive 激活keepalive长连接,减少客户端请求次数
ssl_certificate /zhengshu/my_server.crt; #server端证书位置
ssl_certificate_key /zhengshu/my_server.key; #server端私钥位置
ssl_session_cache shared:SSL:10m; #缓存session会话
ssl_session_timeout 10m; #session 10分钟过期
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
[root@localhost ~]# nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[root@localhost ~]# nginx -s reload
五、测试