实现SSL的NGINX的详细配置过程
1、建立 CA
1.1 创建私钥
[root@neo ~]# cd /etc/pki/CA/
[root@neo CA]# ll
total 0
drwxr-xr-x. 2 root root 40 Jul 19 22:12 certs
drwxr-xr-x. 2 root root 6 Oct 30 2018 crl
drwxr-xr-x. 2 root root 6 Oct 30 2018 newcerts
drwx------. 2 root root 6 Oct 30 2018 private
[root@neo CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
...+++
......+++
e is 65537 (0x10001)
[root@neo CA]# ll private/
total 4
-rw-------. 1 root root 1679 Sep 15 09:29 cakey.pem
1.2 生成自签证书
[root@neo CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:NEOTANG
Organizational Unit Name (eg, section) []:NEO
Common Name (eg, your name or your server's hostname) []:NEOTANG
Email Address []:neo@tang.com
[root@neo CA]# ll
total 4
-rw-r--r--. 1 root root 1391 Sep 15 09:38 cacert.pem
drwxr-xr-x. 2 root root 40 Jul 19 22:12 certs
drwxr-xr-x. 2 root root 6 Oct 30 2018 crl
drwxr-xr-x. 2 root root 6 Oct 30 2018 newcerts
drwx------. 2 root root 23 Sep 15 09:29 private
[root@neo CA]# touch index.txt
[root@neo CA]# echo 01 > serial
[root@neo CA]# ll
total 8
-rw-r--r--. 1 root root 1391 Sep 15 09:38 cacert.pem
drwxr-xr-x. 2 root root 40 Jul 19 22:12 certs
drwxr-xr-x. 2 root root 6 Oct 30 2018 crl
-rw-r--r--. 1 root root 0 Sep 15 09:55 index.txt
drwxr-xr-x. 2 root root 6 Oct 30 2018 newcerts
drwx------. 2 root root 23 Sep 15 09:29 private
-rw-r--r--. 1 root root 3 Sep 15 09:55 serial
2、Nginx 服务器申请证书
2.1 创建私钥
[root@Neo_Tang ~]# mkdir /etc/nginx/ssl
[root@Neo_Tang ~]# cd /etc/nginx/ssl/
[root@Neo_Tang ssl]# ll
total 0
[root@Neo_Tang ssl]# (umask 077;openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus
.....+++
............+++
e is 65537 (0x10001)
[root@Neo_Tang ssl]# ll
total 4
-rw-------. 1 root root 1679 Sep 15 09:44 nginx.key
2.2 生成自签证书
[root@Neo_Tang ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BEIJING
Locality Name (eg, city) [Default City]:BEIJING
Organization Name (eg, company) [Default Company Ltd]:NEOTANG
Organizational Unit Name (eg, section) []:NEO
Common Name (eg, your name or your server's hostname) []:NEOTANG
Email Address []:neo@tang.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:root
An optional company name []:root
[root@Neo_Tang ssl]# ll
total 8
-rw-r--r--. 1 root root 1094 Sep 15 09:48 nginx.csr
-rw-------. 1 root root 1679 Sep 15 09:44 nginx.key
2.3 可靠方式把自签证书传输给CA服务器进行签署
[root@Neo_Tang ssl]# scp nginx.csr root@192.168.1.10:/home/
The authenticity of host '192.168.1.10 (192.168.1.10)' can't be established.
ECDSA key fingerprint is SHA256:jiD9xP+ayA5wt4WMwKiXa9eVX7JAZF3MopajfwqB/50.
ECDSA key fingerprint is MD5:81:14:e6:5f:27:83:a0:8b:c2:88:35:a3:5b:0d:ae:b3.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.10' (ECDSA) to the list of known hosts.
root@192.168.1.10's password:
nginx.csr 100% 1094 833.9KB/s 00:00
2.4 CA服务器上进行Nginx传输的自签证书查看
[root@neo ~]# cd /home/
[root@neo home]# ll
total 4
-rw-r--r--. 1 root root 1094 Sep 15 09:50 nginx.csr
drwx------. 2 user21 user21 62 Jul 13 21:40 user21
drwx------. 2 user22 user22 62 Jul 13 21:40 user22
drwx------. 2 user33 user33 62 Jul 13 21:40 user33
2.5 CA服务器上进行Nginx传输的自签证书签署
[root@neo CA]# openssl ca -in /home/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 15 14:06:20 2019 GMT
Not After : Sep 14 14:06:20 2020 GMT
Subject:
countryName = CN
stateOrProvinceName = BEIJING
organizationName = NEOTANG
organizationalUnitName = NEO
commonName = NEOTANG
emailAddress = neo@tang.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
A1:F3:83:BD:DB:1A:C9:9A:6C:A2:7D:CB:BB:19:C6:BD:7F:E8:5A:D1
X509v3 Authority Key Identifier:
keyid:9A:FC:2D:15:80:74:46:1E:65:1B:96:68:81:97:55:A2:16:FD:0B:30
Certificate is to be certified until Sep 14 14:06:20 2020 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
2.6 CA服务器上进行签署证书的查看
[root@neo CA]# ll certs/ # 生成的签署证书,以本地签署证书记录是一致的
total 20
-rw-r--r--. 1 root root 4564 Sep 15 10:08 nginx.crt
[root@neo CA]# ll newcerts/ # 本地签署证书记录
total 8
-rw-r--r--. 1 root root 4564 Sep 15 10:08 01.pem
2.7 把签署的证书返回至Nginx服务器
[root@neo CA]# scp certs/nginx.crt root@192.168.1.11:/etc/nginx/ssl
The authenticity of host '192.168.1.11 (192.168.1.11)' can't be established.
ECDSA key fingerprint is SHA256:w3Z1C0VkdwuTmI4dHq9ueZoVz6d0plXnO/K+C9I3pts.
ECDSA key fingerprint is MD5:7b:fb:6d:81:82:f1:1d:51:99:81:ea:d8:c7:e1:a1:4e.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.11' (ECDSA) to the list of known hosts.
root@192.168.1.11's password:
nginx.crt
2.8 在Nginx服务器上进行查看
[root@Neo_Tang ssl]# ll
total 16
-rw-r--r--. 1 root root 4564 Sep 15 10:15 nginx.crt
-rw-r--r--. 1 root root 1094 Sep 15 09:48 nginx.csr
-rw-------. 1 root root 1679 Sep 15 09:44 nginx.key
3、Nginx 服务器的 ssl 配置
[root@Neo_Tang conf.d]# cat neo.conf
server {
listen 443 ssl;
server_name localhost;
root /data/nginx/neo/;
index index.html;
access_log /var/log/nginx/neo_ssl_access.log main;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
ssl_protocols SSLV3 TLSV1 TLSV1.1 TLSV1.2;
ssl_session_cache shared:SSL:10m; # 优化配置,可以缓存40000个会话的缓存
location / {
allow all;
}
}
4、进行客户端访问
4.1 未在浏览器里进行证书导入时进行访问