Linux Operations and Architecture: Configuring an HTTPS Certificate for Nginx

    I. Creating the certificate

    1. Generate the private key server.key

    [root@docker ssl]# openssl genrsa -des3 -out server.key 2048
    Generating RSA private key, 2048 bit long modulus
    ............................................................+++
    .................................+++
    e is 65537 (0x10001)
    Enter pass phrase for server.key:
    Verifying - Enter pass phrase for server.key:

    You will be prompted for a pass phrase during execution; enter the same one twice. This command produces the server.key file.

    Every later use of this file (through the openssl commands or API) may prompt for the pass phrase again. To remove the pass phrase from the key, run the following command:

    openssl rsa -in server.key -out server.key

    2. Create the certificate signing request server.csr

    [root@docker ssl]# openssl req -new -key server.key -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:     
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:192.168.56.100
    Email Address []:

    3. Create the CA certificate ca.crt

    [root@docker ssl]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:
    Locality Name (eg, city) [Default City]:
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (eg, your name or your server's hostname) []:192.168.56.100
    Email Address []:

    You now have a ca.crt certificate, which is used to sign your own server certificate.

    4. Create the server certificate server.crt, valid for ten years from today

    [root@docker ssl]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
    Signature ok
    subject=/C=CN/L=Default City/O=Default Company Ltd/CN=192.168.56.100
    Getting CA Private Key

    5. List the generated files; five files were created in total

    [root@docker ssl]# ll
    总用量 20
    -rw-r--r-- 1 root root 1285 5月   9 14:45 ca.crt
    -rw-r--r-- 1 root root   17 5月   9 14:45 ca.srl
    -rw-r--r-- 1 root root 1168 5月   9 14:45 server.crt
    -rw-r--r-- 1 root root 1017 5月   9 14:44 server.csr
    -rw-r--r-- 1 root root 1675 5月   9 14:41 server.key

    server.crt and server.key are the certificate files Nginx needs.
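The five openssl steps above, carried out in memory as an added example in Go (standard library only; this is not code from the original post, and MakeChain, sign and Verify are names chosen here): it builds the CA certificate and the CA-signed server certificate for 192.168.56.100 and then checks the result the way a browser does. It goes beyond the page in two labelled ways: the CA gets its own key instead of reusing server.key, and the caller may put the address in a subjectAltName, because the page's certificates carry it only in the Common Name, which current browsers and Go's verifier do not use for name matching.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// sign issues tmpl under parent with the signer's private key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MakeChain is the page's procedure in memory: a CA cert and a server cert it signs, both
// CN=host, valid ten years. The CA gets its own key; sans=nil mirrors the page (no subjectAltName).
func MakeChain(host string, sans []net.IP) (ca, srv *x509.Certificate, err error) {
	var keys [2]*rsa.PrivateKey // keys[0] is the CA key, keys[1] the server key (server.key)
	for i := range keys {
		if keys[i], err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, nil, err
		}
	}
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = sign(caTmpl, caTmpl, &keys[0].PublicKey, keys[0]); err != nil { // "openssl req -x509"
		return nil, nil, err
	}
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host},
		NotBefore: time.Now(), NotAfter: time.Now().AddDate(10, 0, 0), IPAddresses: sans,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srv, err = sign(srvTmpl, ca, &keys[1].PublicKey, keys[0]) // "openssl x509 -req -CA ca.crt"
	return ca, srv, err
}

// Verify does what a browser does once ca.crt is trusted: chain check plus name match (SAN, not CN).
func Verify(ca, srv *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := srv.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

With sans=nil the chain itself is valid but Verify returns a hostname error; with the IP in the SAN it succeeds for 192.168.56.100 and fails for any other address.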

    II. Nginx configuration

    1. Open the Nginx configuration file and search for 443 to find the HTTPS server block

        server {
            listen       443 ssl;
            server_name  localhost;

            # the certificate and private key produced in part I
            ssl_certificate      /app/nginx/ssl/server.crt;
            ssl_certificate_key  /app/nginx/ssl/server.key;

            ssl_session_cache    shared:SSL:1m;
            ssl_session_timeout  5m;

            ssl_ciphers  HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers  on;

            location / {
                root   html;
                index  index.html index.htm;
            }
        }

    2. Update the certificate paths

    Set ssl_certificate to the path of server.crt and ssl_certificate_key to the path of server.key.

    3. Reload Nginx gracefully

    nginx -s reload

    Nginx now serves HTTPS on the default port 443; open the site in a browser to test it.

    Original article: https://www.cnblogs.com/yanxinjiang/p/12857717.html