Creating a CA certificate
Generate a self-signed certificate with openssl and use it for HTTPS in nginx
1. Install nginx and openssl
# yum -y install nginx openssl
2. Generate a private key and a certificate with openssl
# mkdir -p /root/CA
# cd /root/CA
[root@localhost CA]# openssl genrsa > cert.key
Generating RSA private key, 2048 bit long modulus (2 primes)
..................+++++
...........+++++
e is 65537 (0x010001)
[root@localhost CA]# openssl req -new -x509 -key cert.key > cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:test
Organizational Unit Name (eg, section) []:test
Common Name (e.g. server FQDN or YOUR name) []:catest
Email Address []:test.com.cn
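The interactive `openssl req` session above produces a certificate whose only name is the CN "catest". Current browsers ignore the CN for host matching and require a subjectAltName, and `openssl genrsa > cert.key` creates the key with the shell's default umask, so it is usually world-readable. The script below is an added example, not part of the original post: it creates the same DN non-interactively, adds a SAN, restricts the key's permissions, and checks that key and certificate belong together. It assumes OpenSSL 1.1.1 or newer (for `-addext` and `x509 -ext`); the directory, host name and DN values are taken from the post's prompts and are placeholders.

```sh
#!/bin/sh
# Added example (not the post's own commands): non-interactive equivalent of
# step 2 with a subjectAltName, a non-world-readable key, and sanity checks.
# Assumes OpenSSL >= 1.1.1; "catest" and the DN values mirror the post.

# make_selfsigned DIR CN DAYS: writes DIR/cert.key and DIR/cert.pem
make_selfsigned() {
    dir=$1; cn=$2; days=$3
    mkdir -p "$dir"
    # umask 077 so the key file is never created world-readable
    ( umask 077 && openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/cert.key" -out "$dir/cert.pem" -days "$days" \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=test/OU=test/CN=$cn" \
        -addext "subjectAltName=DNS:$cn" >/dev/null 2>&1 )
    chmod 600 "$dir/cert.key"   # private key: owner only
    chmod 644 "$dir/cert.pem"   # certificate is public
}

# key_matches_cert KEYFILE CERTFILE: succeeds when both carry the same public key
# (the usual cause of nginx "key values mismatch" errors is a swapped pair)
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_field CERTFILE subject|dates|san: print one piece of the certificate,
# the same information the browser's certificate viewer shows in step 8
cert_field() {
    case $2 in
        subject) openssl x509 -in "$1" -noout -subject ;;
        dates)   openssl x509 -in "$1" -noout -dates ;;
        san)     openssl x509 -in "$1" -noout -ext subjectAltName ;;
        *)       echo "unknown field: $2" >&2; return 1 ;;
    esac
}

# key_mode KEYFILE: permission bits as octal, e.g. 600 (GNU stat, BSD fallback)
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# Usage, as the post does it under /root/CA:
#   make_selfsigned /root/CA catest 365
#   key_matches_cert /root/CA/cert.key /root/CA/cert.pem && echo "pair OK"
#   cert_field /root/CA/cert.pem san
```

Running `cert_field … san` should show `DNS:catest`; a certificate without that line is the one browsers reject with a name-mismatch error even after the self-signed warning is accepted.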
3. Edit the nginx configuration file
# vim /etc/nginx/nginx.conf
Change the paths in the two directives ssl_certificate and ssl_certificate_key.
Uncomment the following section:
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    root /usr/share/nginx/html;
    ssl_certificate "/root/CA/cert.pem";
    ssl_certificate_key "/root/CA/cert.key";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    location / {
    }
    error_page 404 /404.html;
    location = /40x.html {
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}
4. Restart the nginx service
# systemctl restart nginx
5. Stop the firewall
# systemctl stop firewalld
6. Open https://IP in a browser
or https://IP:443
The page is reached, but the browser warns "Your connection is not private" (the certificate is self-signed, so no browser trusts it yet).
7. Click "Advanced" -> "Proceed to ..."
8. Click the "! Not secure" label at the top left -> Certificate
You can now see the certificate details you entered.
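Steps 6 to 8 check in the browser that nginx serves the certificate from step 2. The same check from a shell, added here as an example that is not part of the original post, compares the SHA-256 fingerprint of the local cert.pem with the fingerprint of the certificate the server actually presents, which is the value the browser's certificate viewer displays. It assumes openssl is installed on the machine running it; the host, port and the path /root/CA/cert.pem are placeholders taken from the post. Note that step 5 disables the host firewall entirely; on a firewalld host, allowing only HTTPS (`firewall-cmd --permanent --add-service=https` followed by `firewall-cmd --reload`) is enough for the test and keeps the rest of the firewall in place.

```sh
#!/bin/sh
# Added example (not the post's own commands): confirm from the command line
# that the deployed HTTPS endpoint presents the expected certificate.
# Assumes the openssl CLI; host/port/path are placeholders from the post.

# local_fingerprint CERTFILE: SHA-256 fingerprint of the certificate on disk
local_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# served_fingerprint HOST PORT [SNI]: fingerprint of the leaf certificate the
# server sends. SNI matters once nginx has more than one server block; it
# defaults to HOST. Fails (no output) when nothing answers on HOST:PORT.
served_fingerprint() {
    host=$1; port=$2; sni=${3:-$1}
    openssl s_client -connect "$host:$port" -servername "$sni" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# verify_served CERTFILE HOST PORT [SNI]: succeeds only when the served
# certificate is byte-for-byte the one in CERTFILE
verify_served() {
    want=$(local_fingerprint "$1")
    got=$(served_fingerprint "$2" "$3" "$4")
    [ -n "$got" ] && [ "$want" = "$got" ]
}

# Usage against the post's setup (IP is the server address from step 6):
#   verify_served /root/CA/cert.pem IP 443 catest && echo "nginx serves cert.pem"
```

A mismatch here usually means nginx is still running with an older configuration (restart skipped, or `nginx -t` reported an error) or another server block with `default_server` answers first.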