  • nginx ssl self-signed certificate experiment (private CA)

    Two servers

    11.11.11.3     (CA: signs the certificate requests it receives)

    11.11.11.4     (nginx server: generates its own key and CSR and sends the CSR to the CA for signing)

    1. Build the CA server (11.11.11.3)

    1. On the CA, generate the private key under /etc/pki/CA/private (the umask 077 subshell makes the key file 0600 from the moment it is written)
    [root@ca]# cd /etc/pki/CA/
    [root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
    
    2. On the CA, generate the self-signed CA certificate. Run this inside /etc/pki/CA: the CentOS/RHEL /etc/pki/tls/openssl.cnf sets dir = /etc/pki/CA, so openssl ca later looks for cacert.pem, private/cakey.pem, index.txt and serial there
    [root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
    -new   generate a new request; prompts for the subject fields
    -x509  output a self-signed certificate instead of a CSR (test certificates, or a CA signing itself)
    -key   path of the private key
    -days  validity period in days (default 30)
    -out   output path
    
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HeNan
    Locality Name (eg, city) [Default City]:Zhengzhou
    Organization Name (eg, company) [Default Company Ltd]:yanqi
    Organizational Unit Name (eg, section) []:system  
    Common Name (eg, your name or your server's hostname) []:cahost.zzidc.com
    Email Address []:573143765@qq.com

    #index.txt is the CA's certificate database and serial holds the next serial number; openssl ca refuses to run without both
    [root@ca CA]# touch index.txt
    [root@ca CA]# echo 01 > serial

    2. Generate the key and certificate request on the HTTP server (11.11.11.4)

    [root@nginx ~]# mkdir /etc/nginx/ssl
    [root@nginx ~]# cd /etc/nginx/ssl/
    #2048 bits here: 1024-bit RSA has been disallowed by NIST since 2013 and is far too weak for a TLS server key
    [root@nginx ssl]# (umask 077; openssl genrsa -out nginx.key 2048)
    
    [root@nginx ssl]# openssl req -new -key nginx.key -out nginx.csr
    #C, ST and O must be identical to the CA's: the default openssl ca policy (policy_match) rejects a CSR where they differ.
    #The CN should be the name clients connect to (the nginx server_name); here it equals the CA's CN, which works but makes the two certificates easy to confuse.
    #These prompts never ask for a subjectAltName; Chrome ignores the CN and requires a SAN, so it rejects a certificate made this way even once cacert.pem is trusted
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:HeNan
    Locality Name (eg, city) [Default City]:Zhengzhou
    Organization Name (eg, company) [Default Company Ltd]:yanqi
    Organizational Unit Name (eg, section) []:system
    Common Name (eg, your name or your server's hostname) []:cahost.zzidc.com
    Email Address []:573143765@qq.com
    
    [root@nginx ssl]# scp nginx.csr 11.11.11.3:/tmp/

    3. On the CA, sign the HTTP server's certificate request

    #openssl ca takes everything else from /etc/pki/tls/openssl.cnf: CA key and certificate in /etc/pki/CA, the database in index.txt, the next serial from serial
    [root@ca ~]# openssl ca -in /tmp/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
    Using configuration from /etc/pki/tls/openssl.cnf
    Check that the request matches the signature
    Signature ok
    Certificate Details:
            Serial Number: 1 (0x1)
            Validity
                Not Before: Feb 22 08:17:38 2019 GMT
                Not After : Feb 22 08:17:38 2020 GMT
            Subject:
                countryName               = CN
                stateOrProvinceName       = HeNan
                organizationName          = yanqi
                organizationalUnitName    = system
                commonName                = cahost.zzidc.com
                emailAddress              = 573143765@qq.com
            X509v3 extensions:
                X509v3 Basic Constraints: 
                    CA:FALSE
                Netscape Comment: 
                    OpenSSL Generated Certificate
                X509v3 Subject Key Identifier: 
                    81:4E:B6:B5:C2:B8:B8:3F:B4:E7:34:99:59:D3:E8:3A:13:20:82:58
                X509v3 Authority Key Identifier: 
                    keyid:6B:86:D0:CD:C9:1A:10:7E:3B:44:EC:BE:6B:AB:E4:14:2C:30:2A:01
    
    Certificate is to be certified until Feb 22 08:17:38 2020 GMT (365 days)
    Sign the certificate? [y/n]:y
    
    
    1 out of 1 certificate requests certified, commit? [y/n]y
    Write out database with 1 new entries
    Data Base Updated
    
    Note that the Subject printed above has no localityName even though the CSR said Zhengzhou: policy_match lists only C, ST, O, OU, CN and emailAddress, so any other field in the request is dropped from the issued certificate, and a CSR whose C, ST or O differs from the CA's is rejected outright.

    4. Copy the signed certificate to the HTTP server, again with scp. nginx only needs nginx.crt and nginx.key; cacert.pem is what the clients need (imported into the browser trust store, or passed to curl --cacert), because nothing trusts this CA by default

    [root@ca ~]# scp /etc/pki/CA/certs/nginx.crt 11.11.11.4:/etc/nginx/ssl

    5. nginx configuration

    [root@nginx ~]# vim /etc/nginx/conf.d/vhost_ssl.conf
    server {
      listen 443 ssl;
      server_name cahost.zzidc.com;
      root /data/nginx/vhost1;
      access_log /var/log/nginx/vhost1_ssl_access.log main;
    
      # "ssl on;" is redundant with "listen 443 ssl" and deprecated since nginx 1.15.0
      ssl_certificate /etc/nginx/ssl/nginx.crt;
      ssl_certificate_key /etc/nginx/ssl/nginx.key;
      # SSLv3 (POODLE), TLSv1 and TLSv1.1 are obsolete; TLSv1.3 needs nginx 1.13.0+ and OpenSSL 1.1.1+, drop it on older builds
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_session_cache   shared:SSL:10m;    #shared session cache of 10M; 1M holds about 4000 sessions, so this is roughly 40000
      ssl_session_timeout 10m;
    }
    
    [root@nginx conf.d]# nginx -t
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful
    
    [root@nginx conf.d]# service nginx restart
    Redirecting to /bin/systemctl restart nginx.service
    
    [root@nginx conf.d]# netstat -luntp|grep 443
    tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4256/nginx: mas 
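
    The whole issuance flow from steps 1 to 4, as an added example rather than the post's own commands: it builds the CA, the server key and CSR, signs with openssl ca under a policy_match section and verifies the result, in a scratch directory instead of /etc/pki/CA so it can be run on any machine with the openssl CLI. The CA name yanqi-test-ca, the scratch paths and the deliberately mismatched second CSR are this example's assumptions, not from the post. It also adds two things the interactive flow leaves out: a subjectAltName on the server certificate, and a rejection test that shows what policy_match actually enforces.

```shell
#!/usr/bin/env bash
# Added example, not the post's own commands: the same private-CA flow (CA key and
# self-signed cert, server key and CSR, `openssl ca` signing, verification) run
# non-interactively in a scratch directory instead of /etc/pki/CA. Assumptions: the
# openssl CLI is installed; DN values and host name are the post's; "yanqi-test-ca" is invented.
set -eu
WORK="${WORK:-$(mktemp -d)}"
CA_DIR="$WORK/CA"
SRV_DIR="$WORK/nginx-ssl"
CONF="$WORK/openssl.cnf"
SERVER_NAME="cahost.zzidc.com"   # must equal the nginx server_name
BASE_DN="/C=CN/ST=HeNan/L=Zhengzhou/O=yanqi/OU=system"

# Minimal config for `openssl req` and `openssl ca`. policy_match is why the post says to
# keep the CSR fields consistent with the CA: C, ST and O must equal the CA certificate's
# or `openssl ca` refuses. localityName is added as optional so "Zhengzhou" is not dropped.
write_config() {
  cat > "$CONF" <<EOF
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ ca ]
default_ca = demo_ca
[ demo_ca ]
new_certs_dir = $CA_DIR/newcerts
database = $CA_DIR/index.txt
serial = $CA_DIR/serial
certificate = $CA_DIR/cacert.pem
private_key = $CA_DIR/private/cakey.pem
default_md = sha256
default_days = 365
policy = policy_match
x509_extensions = server_cert
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = optional
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
subjectAltName = DNS:$SERVER_NAME
EOF
}

# Step 1 of the post: CA key, self-signed CA cert, empty database, first serial.
make_ca() {
  mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts"
  : > "$CA_DIR/index.txt"
  echo 01 > "$CA_DIR/serial"
  (umask 077; openssl genrsa -out "$CA_DIR/private/cakey.pem" 2048 2>/dev/null)
  openssl req -config "$CONF" -new -x509 -sha256 -days 365 \
    -key "$CA_DIR/private/cakey.pem" -subj "$BASE_DN/CN=yanqi-test-ca" \
    -out "$CA_DIR/cacert.pem"
}

# Step 2: server key (generated once) and a CSR for the given subject.
make_csr() {  # make_csr <subject> <out.csr>
  mkdir -p "$SRV_DIR"
  [ -f "$SRV_DIR/nginx.key" ] ||
    (umask 077; openssl genrsa -out "$SRV_DIR/nginx.key" 2048 2>/dev/null)
  openssl req -config "$CONF" -new -sha256 -key "$SRV_DIR/nginx.key" -subj "$1" -out "$2"
}

# Step 3: sign. Exit status is openssl ca's, so a policy rejection is a visible failure.
sign_csr() {  # sign_csr <in.csr> <out.crt>
  openssl ca -config "$CONF" -batch -notext -days 365 -in "$1" -out "$2"
}

# What a client checks once it trusts cacert.pem: the chain, and the host name in a SAN.
verify_chain() {  # verify_chain <crt>
  openssl verify -CAfile "$CA_DIR/cacert.pem" "$1" >/dev/null &&
    openssl x509 -in "$1" -noout -text | grep "DNS:$SERVER_NAME" >/dev/null
}

run_demo() {
  write_config && make_ca
  make_csr "$BASE_DN/CN=$SERVER_NAME" "$SRV_DIR/nginx.csr"
  sign_csr "$SRV_DIR/nginx.csr" "$SRV_DIR/nginx.crt" 2>/dev/null
  verify_chain "$SRV_DIR/nginx.crt"
  # Same key, but O= differs from the CA's: policy_match must refuse this one.
  make_csr "/C=CN/ST=HeNan/O=someone-else/CN=$SERVER_NAME" "$SRV_DIR/bad.csr"
  if sign_csr "$SRV_DIR/bad.csr" "$SRV_DIR/bad.crt" 2>/dev/null; then
    echo "policy_match should have rejected the mismatched CSR" >&2; return 1
  fi
  echo "CA cert: $CA_DIR/cacert.pem"; echo "nginx: $SRV_DIR/nginx.crt $SRV_DIR/nginx.key"
}

if command -v openssl >/dev/null 2>&1; then run_demo; else echo "openssl CLI not found" >&2; fi
```

    After copying nginx.crt and nginx.key into /etc/nginx/ssl and reloading, check the listener against the CA instead of clicking through a browser warning: openssl s_client -connect 11.11.11.4:443 -servername cahost.zzidc.com -CAfile cacert.pem should end with "Verify return code: 0 (ok)", and curl --cacert cacert.pem https://cahost.zzidc.com/ should fetch the page without -k.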

  • Original article: https://www.cnblogs.com/huangyanqi/p/10419336.html