Fork me on GitHub

使用自生成的秘钥实现https 加密

1、生成证书

cd /etc/pki/tls/certs/
make www.a.net.crt

umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > www.a.net.key
Generating RSA private key, 2048 bit long modulus
...............................................+++
......................................................+++
e is 65537 (0x10001)
Enter pass phrase:
139733477795744:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase:
139733477795744:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase:
139733477795744:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:831:You must type in 4 to 1023 characters
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key www.a.net.key -x509 -days 365 -out www.a.net.crt
Enter pass phrase for www.a.net.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:a.net
Organizational Unit Name (eg, section) []:opt
Common Name (eg, your name or your server's hostname) []:www.a.net
Email Address []:

现在生成的证书是加密的,这样会导致每次重启服务都需要输入密码。

2、将加密的文件解密,并生成新的文件

openssl rsa -in www.a.net.key -out www.a.net.a.net.key

3、新建加密文件存放的文件夹

mkdir /etc/nginx/ssl

4、将刚刚自生成的证书移动到存放加密文件的文件夹下

mv /etc/pki/tls/certs/www.a.net.* /etc/nginx/ssl/

5、将证书和私钥文件都修改为600(默认应该就是)

chmod 600 /etc/nginx/ssl/*

6、新建ssl 文件夹,并生成一个测试的主页面

mkdir /data/ssl

 echo /data/ssl/index.html > /data/ssl/index.html

7、修改自己建立的虚拟主机的配置文件

vim /etc/nginx/conf.d/test.conf 
server {
        listen 443 ssl;
        server_name www.a.net;
        root /data/ssl/;
        ssl_certificate /etc/nginx/ssl/www.a.net.crt;
        ssl_certificate_key /etc/nginx/ssl/www.a.net.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /var/log/nginx/a.net.log443 main;
}

8、启动nginx服务

nginx

9、浏览器测试访问,由于是自己搭建的ca,所以系统会提示不安全

10、将http 和https的内容修改为统一(这里采用的是两个虚拟主机)

server {
        listen 443 ssl;
        server_name www.a.net;
        root /data/site1/;
        ssl_certificate /etc/nginx/ssl/www.a.net.crt;
        ssl_certificate_key /etc/nginx/ssl/www.a.net.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /var/log/nginx/a.net.log443 main;
}

server {
        access_log /var/log/nginx/a.net.log1 main;
        server_name www.a.net;
        root /data/site1;
        gzip on;
        gzip_comp_level 9;
        gzip_min_length 64;
        gzip_vary on;
        gzip_types text/xml text/css application/javescript;

        location / {
      

 11、一个虚拟主机监听两个端口

server {
        listen 443 ssl;
        listen 80;
        server_name www.a.net;
        root /data/site1/;
        ssl_certificate /etc/nginx/ssl/www.a.net.crt;
        ssl_certificate_key /etc/nginx/ssl/www.a.net.key;
        ssl_session_cache shared:sslcache:20m;
        ssl_session_timeout 10m;
        access_log /var/log/nginx/a.net.log443 main;
}

 

posted @ 2021-06-03 15:01  Alex-Lzy  阅读(708)  评论(0编辑  收藏  举报