sky_cheng

1. The interface was previously exposed at http://172.28.5.4

The customer asked for it to be upgraded to HTTPS. Because the service is reached by IP address, we generate a self-signed certificate and configure nginx to use it.

2. Create a new_cert directory under /home to hold the certificates and related files

[root@localhost home]# mkdir new_cert

3. Use openssl to generate the server and client key pairs

1) Generate the server private key

[root@localhost home]# cd new_cert/
[root@localhost new_cert]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
...........................++++++
e is 65537 (0x10001)
[root@localhost new_cert]# 

2) Generate the server public key

[root@localhost new_cert]# openssl rsa -in server.key -pubout -out server.pem
writing RSA key
[root@localhost new_cert]# 

3) Generate the client private key

[root@localhost new_cert]# openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................++++++
...................++++++
e is 65537 (0x10001)
[root@localhost new_cert]# 

4) Generate the client public key

[root@localhost new_cert]# openssl rsa  -in client.key -pubout -out client.pem
writing RSA key
[root@localhost new_cert]# 
[root@localhost new_cert]# ll
total 16
-rw-r--r-- 1 root root 887 Jan 11 16:06 client.key
-rw-r--r-- 1 root root 272 Jan 11 16:07 client.pem
-rw-r--r-- 1 root root 887 Jan 11 15:55 server.key
-rw-r--r-- 1 root root 272 Jan 11 16:05 server.pem
[root@localhost new_cert]# 

4. Generate the CA certificate

1) Generate the CA private key

[root@localhost new_cert]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
.........++++++
e is 65537 (0x10001)
[root@localhost new_cert]# 

2) Generate the CA certificate signing request (CSR)

[root@localhost new_cert]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_ca
Organizational Unit Name (eg, section) []:hl95_sms_ca
Common Name (eg, your name or your server's hostname) []:172.28.5.4
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]# 

3) Self-sign the CSR with the CA private key to produce the CA certificate (CRT)

[root@localhost new_cert]# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=honglian95/OU=honglian95_hlsms/CN=test.hl95.com
Getting Private key
[root@localhost new_cert]# 

5. Generate the server and client CRT certificates

1) Generate the server certificate signing request (CSR)

[root@localhost new_cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_server
Organizational Unit Name (eg, section) []:hl95_sms_server
Common Name (eg, your name or your server's hostname) []:172.28.5.4
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]# 

2) Generate the client certificate signing request (CSR)

[root@localhost new_cert]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_client
Organizational Unit Name (eg, section) []:hl95_sms_client
Common Name (eg, your name or your server's hostname) []:172.28.5.4
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]# 

Note: the server's and client's Organization Name (eg, company) and Organizational Unit Name must both differ from the CA's, otherwise signing will not work.

3) Request signed CRT certificates (server and client) from the CA just created

[root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_server/OU=hl95_sms_server/CN=172.28.5.4
Getting CA Private Key
[root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_client/OU=hl95_sms_client/CN=172.28.5.4
Getting CA Private Key
[root@localhost new_cert]# 
[root@localhost new_cert]# ll
total 48
-rw-r--r-- 1 root root 899 Jan 11 17:35 ca.crt
-rw-r--r-- 1 root root 708 Jan 11 17:30 ca.csr
-rw-r--r-- 1 root root 887 Jan 11 17:12 ca.key
-rw-r--r-- 1 root root  17 Jan 11 17:54 ca.srl
-rw-r--r-- 1 root root 895 Jan 11 17:54 client.crt
-rw-r--r-- 1 root root 704 Jan 11 17:50 client.csr
-rw-r--r-- 1 root root 887 Jan 11 16:06 client.key
-rw-r--r-- 1 root root 272 Jan 11 16:07 client.pem
-rw-r--r-- 1 root root 895 Jan 11 17:53 server.crt
-rw-r--r-- 1 root root 704 Jan 11 17:48 server.csr
-rw-r--r-- 1 root root 887 Jan 11 15:55 server.key
-rw-r--r-- 1 root root 272 Jan 11 16:05 server.pem
[root@localhost new_cert]# 

6. Finally, generate the key and crt files nginx needs

[root@localhost new_cert]# openssl rsa -in server.key -out server_nginx.key
writing RSA key
[root@localhost new_cert]# openssl x509 -req -days 3650 -in server.csr -signkey server_nginx.key -out server_nginx.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_server/OU=hl95_sms_server/CN=172.28.5.4
Getting Private key
[root@localhost new_cert]# 

7. Upload the key and crt files to the nginx host and edit the nginx configuration (https://xxx.xxx.xxx.xxx:8061)

user  nginx;
worker_processes  8;

error_log  /var/log/nginx/info.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections 1024;
    accept_mutex on;
    multi_accept on;
    use epoll;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    upstream sms-web-wx {
        server 172.28.5.6:8061;
        server 172.28.5.8:8061;
    }

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            proxy_pass  http://sms-web-wx;
            proxy_set_header host $host;
            proxy_set_header X-real-ip $remote_addr;
            proxy_set_header X-forwarded-for $proxy_add_x_forwarded_for;
        }
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }


    }

    server {
        listen       8061 ssl;
        server_name  zx.sms.web;

        # certificate and key generated in step 6
        ssl_certificate      /home/cert/server_nginx.crt;
        ssl_certificate_key  /home/cert/server_nginx.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current clients only need TLSv1.2 (and TLSv1.3 where the nginx/OpenSSL build supports it)
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers  on;

        location / {
            proxy_pass  http://sms-web-wx;
            proxy_set_header host $host;
            proxy_set_header X-real-ip $remote_addr;
            proxy_set_header X-forwarded-for $proxy_add_x_forwarded_for;
        }
    }
}
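A small check for the ssl_* directives in the 8061 server block above, as an added example that is not part of the original post: SAMPLE_CONF is a constructed copy of the post's TLS settings, HARDENED_CONF is a corrected version placed beside it, and lint_nginx_tls reports deprecated protocols and overly broad OpenSSL cipher groups in either.

```shell
#!/bin/sh
# Added example (not from the original post): lint the ssl_* directives of an
# nginx server block. SAMPLE_CONF mirrors the post's 8061 block (constructed);
# HARDENED_CONF is a corrected version for comparison.
SAMPLE_CONF='server {
    listen       8061 ssl;
    ssl_certificate      /home/cert/server_nginx.crt;
    ssl_certificate_key  /home/cert/server_nginx.key;
    ssl_ciphers  ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers  on;
}'
HARDENED_CONF='server {
    listen       8061 ssl;
    ssl_certificate      /home/cert/server_nginx.crt;
    ssl_certificate_key  /home/cert/server_nginx.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers  off;
}'

# Print the value of one directive (text between its name and the ';').
directive_value() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2[[:space:]]*\(.*\);.*/\1/p"
}

# Print one finding per line; return 1 if anything weak was found, 0 if clean.
lint_nginx_tls() {
    conf=$1 rc=0
    protocols=$(directive_value "$conf" ssl_protocols)
    ciphers=$(directive_value "$conf" ssl_ciphers)
    # SSLv3 and TLS 1.0/1.1 are deprecated (RFC 7568, RFC 8996).
    for p in SSLv3 TLSv1 TLSv1.1; do
        case " $protocols " in *" $p "*) echo "deprecated protocol enabled: $p"; rc=1 ;; esac
    done
    case " $protocols " in *" TLSv1.3 "*) ;; *) echo "TLSv1.3 not enabled"; rc=1 ;; esac
    # Broad OpenSSL groups pull in non-forward-secret and CBC suites.
    for c in ECDH AES HIGH DEFAULT ALL; do
        case ":$ciphers:" in *":$c:"*) echo "overly broad cipher group: $c"; rc=1 ;; esac
    done
    return $rc
}

# Number of findings for a config (0 means clean).
finding_count() {
    lint_nginx_tls "$1" | grep -c . || true
}

echo "post's block:";   lint_nginx_tls "$SAMPLE_CONF"   || echo "-> weak settings found"
echo "hardened block:"; lint_nginx_tls "$HARDENED_CONF" && echo "-> clean"
```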

8. Access from the browser

Click "Continue to this website".

Then click the certificate error and view the certificate.

It warns that the certificate is not trusted; click "Install Certificate".

After installation completes, restart the browser.

The certificate error is no longer shown.

The installed certificate can be seen under Internet Options - Content - Certificates.

9. Convert the crt certificate to pfx format (for Tomcat)

[root@localhost new_cert]# openssl pkcs12 -export -in server_nginx.crt -inkey server_nginx.key -out client.pfx
Enter Export Password:
Verifying - Enter Export Password:

posted on 2022-01-11 18:02 by sky_cheng