Building your own SSL certificate for nginx
阿新 • Published: 2020-07-15
Environment: CentOS 7.6; hostname: demod.example.com; nginx must be built with the SSL module (see: https://www.cnblogs.com/wukc/p/13289553.html)
1. Create the directory
mkdir /usr/local/nginx/ssl_key
cd /usr/local/nginx/ssl_key
2. Create private.key
[root@localhost ssl_key]# openssl genrsa -out private.key 1024
Generating RSA private key, 1024 bit long modulus
.........................++++++
..........++++++
e is 65537 (0x10001)
[root@localhost ssl_key]# ls
private.key
# -out sets the location and name of the key file; 1024 is the key length in bits, commonly 1024 or 2048
# 1024-bit RSA is below today's minimum; use 2048 bits or more for anything beyond a throwaway lab
3. Create the cert_req.csr file
[root@localhost ssl_key]# openssl req -new -key private.key -out cert_req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:sc
Locality Name (eg, city) [Default City]:cd
Organization Name (eg, company) [Default Company Ltd]:sh
Organizational Unit Name (eg, section) []:sh
Common Name (eg, your name or your server's hostname) []:demod.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl_key]# ll
total 8
-rw-r--r-- 1 root root 635 Jul 14 21:04 cert_req.csr
-rw-r--r-- 1 root root 887 Jul 14 20:52 private.key
# Use the private key to generate a certificate signing request (CSR)
# This step asks for country, region, domain name and similar details
# The most important line is Common Name: enter the domain name associated with the server, or the server's public IP address
# Note that private.key was created world-readable (-rw-r--r--); restrict it with chmod 600 private.key
4. Create server_cert.crt
[root@localhost ssl_key]# openssl x509 -req -days 365 -in cert_req.csr -signkey private.key -out server_cert.crt
Signature ok
subject=/C=cn/ST=sc/L=cd/O=sh/OU=sh/CN=demod.example.com
Getting Private key
# Parameter notes
# The command above signs the existing CSR with the same private key: x509 -req reads a CSR instead of a certificate, and -signkey makes the result self-signed with private.key. The notes on req, -x509 and -nodes below describe the equivalent one-step form, openssl req -x509 -nodes ..., which produces the certificate directly without a separate CSR; -days applies to both forms.
req: this subcommand says we want to work with X.509 certificate signing requests (CSRs). "X.509" is the public key infrastructure standard that SSL and TLS follow for key and certificate management. We want to create a new X.509 certificate, so we use this subcommand
-x509: modifies the previous subcommand by telling the utility to create a self-signed certificate instead of generating a certificate signing request (which is what would normally happen)
-nodes: tells OpenSSL to skip the option of protecting the private key with a passphrase. Nginx must be able to read the key without user intervention when the server starts; a passphrase would prevent that, since it would have to be entered after every restart
-days 365: sets how long the certificate is considered valid. Here we set one year
5. Configure nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 443 ssl;
        server_name demod.example.com;
        ssl_certificate /usr/local/nginx/ssl_key/server_cert.crt;
        ssl_certificate_key /usr/local/nginx/ssl_key/private.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
6. Connect to nginx over HTTPS to verify
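As an added example (not code from the original post), the script below collapses steps 2 to 4 into a single openssl req -x509 call with a 2048-bit key and a Subject Alternative Name, then runs the offline checks worth doing before pointing nginx at the files: that the certificate really belongs to the key, that the SAN carries the hostname, and that the validity period is what was asked for. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext) and writes into a temporary directory instead of /usr/local/nginx/ssl_key.

```shell
#!/bin/sh
# Added example, not code from the original post. Reproduces steps 2-4 in a
# single 'openssl req -x509' call and then runs the checks a practitioner wants
# before pointing nginx at the files. Assumes OpenSSL 1.1.1+ (for -addext/-ext).
set -eu

CERT_HOST="${CERT_HOST:-demod.example.com}"   # hostname used in the post
SSL_DIR="${SSL_DIR:-$(mktemp -d)}"            # the post uses /usr/local/nginx/ssl_key

# One-step form: '-x509' emits a self-signed certificate instead of a CSR,
# '-nodes' leaves the key unencrypted so nginx can start unattended, and
# '-addext' adds the Subject Alternative Name that modern clients require
# in addition to the Common Name.
make_selfsigned() {
    openssl req -x509 -nodes -newkey rsa:2048 -days 365 \
        -keyout "$SSL_DIR/private.key" -out "$SSL_DIR/server_cert.crt" \
        -subj "/C=cn/ST=sc/L=cd/O=sh/OU=sh/CN=$CERT_HOST" \
        -addext "subjectAltName=DNS:$CERT_HOST" 2>/dev/null
    chmod 600 "$SSL_DIR/private.key"          # only root (the nginx master) needs to read it
}

# Succeeds when the certificate's public key is the one derived from private.key:
# both are exported as DER and their SHA-256 digests compared.
cert_matches_key() {
    c=$(openssl x509 -in "$SSL_DIR/server_cert.crt" -noout -pubkey \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256)
    k=$(openssl pkey -in "$SSL_DIR/private.key" -pubout -outform DER \
        | openssl dgst -sha256)
    [ "$c" = "$k" ]
}

# Prints the DNS entries of the SAN extension, e.g. "DNS:demod.example.com".
cert_san() {
    openssl x509 -in "$SSL_DIR/server_cert.crt" -noout -ext subjectAltName \
        | sed -n 's/^ *\(DNS:.*\)$/\1/p'
}

# Succeeds when the certificate stays valid for at least $1 more seconds.
cert_valid_for() {
    openssl x509 -in "$SSL_DIR/server_cert.crt" -noout -checkend "$1" >/dev/null
}

make_selfsigned
cert_matches_key && echo "certificate and key match"
echo "SAN: $(cert_san)"
cert_valid_for 86400 && echo "valid for at least one more day"
echo "files are in $SSL_DIR; copy them to /usr/local/nginx/ssl_key and run 'nginx -t'"
```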