Generating a self-signed SSL certificate for nginx and configuring HTTPS

Note: a self-signed certificate generated for nginx is reported as untrusted when the site is opened in a browser.

1. Install nginx

nginx must be built with the "--with-http_ssl_module" module.
List the modules nginx was built with:
[root@master1 key]# nginx -V
nginx version: nginx/1.24.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --conf-path=/usr/local/nginx/conf/nginx.conf --error-log-path=/usr/local/nginx/logs/error.log --http-log-path=/usr/local/nginx/logs/access.log --with-stream --with-stream_ssl_module --with-http_stub_status_module --with-http_ssl_module

2. Create the certificate

[root@master1 ~]# mkdir key
[root@master1 ~]# cd key
[root@master1 key]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
..............................................................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:  # enter the pass phrase for server.key: 123456
Verifying - Enter pass phrase for server.key:  # verifying: enter the pass phrase for server.key again: 123456

[root@master1 key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:  # enter the pass phrase for server.key: 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN  # country name (2-letter code)
State or Province Name (full name) []:GD  # state or province name (full name)
Locality Name (eg, city) [Default City]:GD  # locality name (e.g. city) [default city]
Organization Name (eg, company) [Default Company Ltd]:SB  # organization name (e.g. company) [default company]
Organizational Unit Name (eg, section) []:SB  # organizational unit name (e.g. department)
Common Name (eg, your name or your server's hostname) []:SB  # common name (e.g. your name or the server's hostname)
Email Address []:1911384822@qq.com  # e-mail address

Please enter the following 'extra' attributes # enter the following "extra" attributes
to be sent with your certificate request      # they are sent together with the certificate request
A challenge password []:123456                # challenge password
An optional company name []:SB                # optional company name

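Remove the pass phrase from server.key so that "nginx -t" does not prompt for it every time. The key is then stored unencrypted on disk, so keep the file readable only by its owner: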

openssl rsa -in server.key -out server.key

[root@master1 key]# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=GZ/L=GD/O=SB/OU=SB/CN=SB/emailAddress=1911384822@qq.com
Getting Private key
Enter pass phrase for server.key:  # enter the pass phrase for server.key: 123456

[root@master1 key]# ls
server.crt  server.csr  server.key
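
An added example, not part of the original post: a non-interactive variant of step 2 that puts the server's IP address into subjectAltName, which current browsers and TLS clients check instead of Common Name, and then verifies that the key and certificate belong together. The function names and the san.cnf file are assumptions of this example; 10.10.10.10 is the address used in the verification step.

```bash
#!/usr/bin/env bash
# Added example, not from the original post; function names are hypothetical.
# Builds an unencrypted RSA key plus a self-signed certificate whose
# subjectAltName holds the IP clients connect to, then checks the pair.

make_selfsigned() {   # usage: make_selfsigned <dir> <ip>
    local dir=$1 ip=$2
    mkdir -p "$dir" || return 1
    # A config file is used instead of -addext, so OpenSSL 1.0.2 also works.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = $ip
[v3]
subjectAltName = IP:$ip
EOF
    # umask 077: the key has no pass phrase, so only its owner may read it.
    ( umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
          -config "$dir/san.cnf" -keyout "$dir/server.key" -out "$dir/server.crt" )
}

key_matches_cert() {  # usage: key_matches_cert <crt> <key>
    local c k
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa  -noout -modulus -in "$2") || return 1
    [ "$c" = "$k" ]   # same RSA modulus means the key belongs to the cert
}

cert_has_ip_san() {   # usage: cert_has_ip_san <crt> <ip>
    openssl x509 -noout -text -in "$1" | grep -qF "IP Address:$2"
}

key_ready_for_nginx() {  # no pass phrase prompt AND no group/other permission bits
    ! grep -q ENCRYPTED "$1" && [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

if [ $# -eq 2 ]; then   # e.g. bash selfsigned.sh ./key 10.10.10.10
    make_selfsigned "$1" "$2" &&
    key_matches_cert "$1/server.crt" "$1/server.key" &&
    cert_has_ip_san "$1/server.crt" "$2" &&
    key_ready_for_nginx "$1/server.key" && echo "OK: $1/server.crt"
fi
```

The certificate is still self-signed, so browsers keep showing the untrusted warning from the note at the top; the checks only confirm that nginx will load a matching, unencrypted, owner-only key.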

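3. Configure the SSL certificate in nginx
The nginx configuration file already contains a default SSL configuration; just uncomment it.

Configuration example: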

    server {
        listen       8080 ssl;
        server_name  localhost;

        ssl_certificate      /root/key/server.crt; # certificate path
        ssl_certificate_key  /root/key/server.key; # private key path

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm index.php;
        }
    }

Verify: https://10.10.10.10:8080
