一、之前对外暴露的接口地址为 http://192.168.2.246
该接口现已映射到域名并对外提供服务，需要升级为 HTTPS；但实际访问仍使用 IP 地址，无法由公共 CA 签发证书，因此用 openssl 生成自签名证书并配置 nginx。注意：现代浏览器校验 IP 地址证书时要求 subjectAltName 扩展中包含 IP:192.168.2.246，仅在 Common Name 里填 IP 是不够的；下文的命令没有加 SAN，实际使用时需通过 -addext "subjectAltName=IP:192.168.2.246"（OpenSSL 1.1.1 及以上）或 openssl.cnf 的 -extfile 补上，否则浏览器仍会报证书无效。
二、新建 new_cert 目录用于存放证书及相关文件（下文实际操作和 nginx 配置引用的路径都是 /root/new_cert，这里以该路径为准；私钥目录建议 chmod 700，仅 root 可读）
[root@localhost ~]# mkdir new_cert
三、使用 openssl 分别生成服务端和客户端的私钥，并从私钥导出公钥
1、生成服务端私钥（下面示例用的是 1024 位 RSA，这一长度已不被视为安全，也会被新版本浏览器/OpenSSL 拒绝，实际请至少使用 2048 位：openssl genrsa -out server.key 2048；需要口令保护时加 -aes256）
(base) [root@localhost ~]# mkdir new_cert
(base) [root@localhost ~]# cd new_cert/
(base) [root@localhost new_cert]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.......................+++++
............+++++
e is 65537 (0x010001)
2、从服务端私钥导出服务端公钥（紧接其后的 openssl genrsa -out client.key 1024 一步是生成客户端私钥，同样建议改为 2048 位）
(base) [root@localhost new_cert]# openssl rsa -in server.key -pubout -out server.pem
writing RSA key
(base) [root@localhost new_cert]# openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.........................+++++
..........+++++
e is 65537 (0x010001)
3、从客户端私钥导出客户端公钥（客户端私钥 client.key 已在上一步生成）
(base) [root@localhost new_cert]# openssl rsa -in client.key -pubout -out client.pem
writing RSA key
4、查看已生成的文件：私钥 *.key 权限为 600，公钥 *.pem 可公开（注意后面 nginx 只需要 .key 和 .crt，这两个 .pem 公钥文件不会被用到）
(base) [root@localhost new_cert]# ll
total 16
-rw------- 1 root root 887 Apr 6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 client.pem
-rw------- 1 root root 887 Apr 6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 server.pem
(base) [root@localhost new_cert]#
四、生成自建 CA 证书
1、生成 CA 私钥（CA 私钥是整条信任链的根，应使用 2048 位以上并用 -aes256 加密保存，签发完成后离线保管；一旦泄露，所有由它签发的证书都需作废）
(base) [root@localhost new_cert]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........+++++
.........................+++++
e is 65537 (0x010001)
(base) [root@localhost new_cert]#
2、生成 CA 证书签名请求文件 CSR（CA 的 Common Name 应填 CA 自己的名称而不是服务器 IP，否则 CA 与服务端证书的 Subject 容易重复；"A challenge password" 是 CSR 的历史属性，不是私钥口令，直接留空即可，不要像下面那样填 123456）
(base) [root@localhost new_cert]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hlhk_ca
Organizational Unit Name (eg, section) []:hlhk_sms_ca
Common Name (e.g. server FQDN or YOUR name) []:192.168.2.246
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:192.168.2.246
(base) [root@localhost new_cert]#
3、使用私钥 KEY 文件和 CSR 文件自签名生成 CA 的 CRT 证书（注意 openssl x509 -req 不加 -days 时默认有效期只有 30 天，应显式指定如 -days 3650；作为 CA 证书还应通过 -extfile 加上 basicConstraints=CA:TRUE，否则部分客户端不会把它当作 CA 接受）
(base) [root@localhost new_cert]# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_ca, OU = hlhk_sms_ca, CN = 192.168.2.246
Getting Private key
(base) [root@localhost new_cert]#
五、生成服务器端和客户端CRT证书
1、生成服务端签名请求CSR文件
(base) [root@localhost new_cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hlhk_serve
Organizational Unit Name (eg, section) []:hlhk_sms_serve
Common Name (e.g. server FQDN or YOUR name) []:192.168.2.246
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:192.168.2.246
(base) [root@localhost new_cert]#
2、生成客户端签名请求CSR文件
(base) [root@localhost new_cert]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hlhk_client
Organizational Unit Name (eg, section) []:hlhk_sms_client
Common Name (e.g. server FQDN or YOUR name) []:192.168.2.246
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:192.168.2.246
(base) [root@localhost new_cert]#
这里的真正要求是：服务端/客户端证书的 Subject DN（C/ST/L/O/OU/CN 的整体）不能和 CA 证书的 Subject DN 完全相同，否则 OpenSSL 会把它当成自签名证书处理而导致链校验失败；并不是 O 和 OU 必须单独不同，只要整体 DN 有区别即可（本例中 CN 都填了同一个 IP，所以只能靠 O/OU 来区分）。
3、向刚才生成的自建 CA 申请签名 CRT 证书（服务端和客户端）。同样注意下面两条命令没有 -days，签出的证书有效期只有 30 天；服务端证书还需通过 -extfile 加入 subjectAltName=IP:192.168.2.246，浏览器才会接受。-CAcreateserial 会生成并维护 ca.srl 序列号文件，后续用同一 CA 签发时应复用它
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = 192.168.2.246
Getting CA Private Key
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_client, OU = hlhk_sms_client, CN = 192.168.2.246
Getting CA Private Key
(base) [root@localhost new_cert]#
(base) [root@localhost new_cert]# ll
total 48
-rw-r--r-- 1 root root 891 Apr 6 14:46 ca.crt
-rw-r--r-- 1 root root 737 Apr 6 14:46 ca.csr
-rw------- 1 root root 891 Apr 6 14:44 ca.key
-rw-r--r-- 1 root root 41 Apr 6 14:50 ca.srl
-rw-r--r-- 1 root root 904 Apr 6 14:50 client.crt
-rw-r--r-- 1 root root 749 Apr 6 14:49 client.csr
-rw------- 1 root root 887 Apr 6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 client.pem
-rw-r--r-- 1 root root 899 Apr 6 14:49 server.crt
-rw-r--r-- 1 root root 712 Apr 6 14:47 server.csr
-rw------- 1 root root 887 Apr 6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr 6 14:44 server.pem
(base) [root@localhost new_cert]#
六、最后生成 nginx 需要的 key 和 crt 文件。注意：下面 openssl rsa -in server.key -out server_nginx.key 只是原样复制私钥（私钥没有加口令时无任何变化）；而 openssl x509 -req -days 3650 -in server.csr -signkey server_nginx.key 是用服务端私钥再次自签名，生成的 server_nginx.crt 与第四、五步的 CA 没有任何关系——也就是说 nginx 实际部署的是一张纯自签名证书，前面签发的 server.crt、client.crt 和 ca.crt 都没有被用到。如果希望客户端通过信任 ca.crt 来校验服务器，应在 nginx 里直接使用第五步的 server.crt 和 server.key，并在签发 server.crt 时指定 -days 和 SAN
(base) [root@localhost new_cert]# openssl rsa -in server.key -out server_nginx.key
writing RSA key
(base) [root@localhost new_cert]# openssl x509 -req -days 3650 -in server.csr -signkey server_nginx.key -out server_nginx.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = 192.168.2.246
Getting Private key
(base) [root@localhost new_cert]#
七、将 key 和 crt 文件上传到 nginx 所在机器并修改 nginx 配置文件（访问地址为 https://192.168.2.246:8061）。私钥文件应为 root 所有且权限 600；nginx 主进程以 root 启动读取私钥后才切换到 nginx 用户，因此放在 /root/new_cert 下可以工作，但更规范的做法是放到 /etc/nginx/ssl/ 之类的目录
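# nginx front end: terminates TLS on port 8061 with the self-signed
# server_nginx.crt from step six and proxies plain HTTP to the backend.
user nginx;
worker_processes 8;
error_log /var/log/nginx/info.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    accept_mutex on;
    multi_accept on;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    #gzip on;

    server {
        listen 8061 ssl;
        server_name hlhk.com;

        # server_nginx.crt is self-signed with server_nginx.key (step six),
        # so no chain file is needed. The key must be root-owned, mode 600;
        # the master process reads it as root before dropping to 'nginx'.
        ssl_certificate /root/new_cert/server_nginx.crt;
        ssl_certificate_key /root/new_cert/server_nginx.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        # TLSv1 and TLSv1.1 are deprecated (RFC 8996) and were removed here.
        # TLSv1.3 needs nginx >= 1.13 built against OpenSSL >= 1.1.1; drop it
        # from this list if the installed build is older.
        ssl_protocols TLSv1.2 TLSv1.3;
        # Forward-secret AEAD suites only. The original list (ECDHE:ECDH:AES:
        # HIGH:...) also admitted static-ECDH and non-ephemeral RSA-AES suites.
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers on;

        # Optional mutual TLS. client.crt issued by ca.crt in step five is not
        # used anywhere unless both lines below are enabled.
        #ssl_client_certificate /root/new_cert/ca.crt;
        #ssl_verify_client on;

        location / {
            proxy_pass http://hlhk.com;
            # Canonical header spellings (HTTP header names are case-insensitive,
            # but backends commonly match on these forms). The backend should
            # trust X-Real-IP / X-Forwarded-For only when they come from this proxy.
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Tell the backend the original request was HTTPS.
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}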