I. The API was previously exposed over plain HTTP at http://172.28.5.4
The customer requires HTTPS. The service is reached by IP address, and 172.28.5.4 is a private (RFC 1918) address that no public CA will issue a certificate for, so we generate our own certificate and configure nginx to use it. Two things to keep in mind while following the steps below: current browsers match the address against the certificate's subjectAltName (IP:172.28.5.4), not the Common Name, so a certificate that carries the IP only in the CN will still be rejected; and 1024-bit RSA keys are rejected by current browsers and by OpenSSL's default security level, so 2048 bits should be used in place of the 1024 shown here.
II. Create a new_cert directory under /home to hold the certificates and related files
[root@localhost home]# mkdir new_cert
III. Use openssl to generate the server and client private keys and export their public keys
1. Generate the server private key
[root@localhost home]# cd new_cert/
[root@localhost new_cert]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus
..............................++++++
...........................++++++
e is 65537 (0x10001)
[root@localhost new_cert]#
2. Export the server public key
[root@localhost new_cert]# openssl rsa -in server.key -pubout -out server.pem
writing RSA key
[root@localhost new_cert]#
3. Generate the client private key
[root@localhost new_cert]# openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus
...............................................++++++
...................++++++
e is 65537 (0x10001)
[root@localhost new_cert]#
4. Export the client public key
[root@localhost new_cert]# openssl rsa -in client.key -pubout -out client.pem
writing RSA key
[root@localhost new_cert]#
[root@localhost new_cert]# ll
total 16
-rw-r--r-- 1 root root 887 Jan 11 16:06 client.key
-rw-r--r-- 1 root root 272 Jan 11 16:07 client.pem
-rw-r--r-- 1 root root 887 Jan 11 15:55 server.key
-rw-r--r-- 1 root root 272 Jan 11 16:05 server.pem
[root@localhost new_cert]#
The server.pem and client.pem public-key files exported in steps 2 and 4 are never used again: the public key is carried inside the CSR and the certificate, so these two steps can be skipped. Note also that the private keys were created world-readable (644); restrict them with chmod 600 before going any further.
IV. Generate the CA certificate
1. Generate the CA private key
[root@localhost new_cert]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
.........++++++
e is 65537 (0x10001)
[root@localhost new_cert]#
2. Generate the CA certificate signing request (CSR)
[root@localhost new_cert]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_ca
Organizational Unit Name (eg, section) []:hl95_sms_ca
Common Name (eg, your name or your server's hostname) []:172.28.5.4
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]#
3. Sign the CSR with the CA's own private key to produce the CRT certificate (a self-signed root)
[root@localhost new_cert]# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=honglian95/OU=honglian95_hlsms/CN=test.hl95.com
Getting Private key
[root@localhost new_cert]#
The subject printed here does not match the DN entered in step 2; this output was evidently captured from a different run. Two further points about this command: without -days, openssl x509 -req issues a certificate valid for only 30 days, so the CA would expire before the month is out; and a CA produced this way carries no basicConstraints=CA:TRUE extension, which strict clients require of a trust anchor. Using openssl req -x509 -days 3650 to self-sign the CA directly avoids both problems.
V. Generate the server and client CRT certificates
1. Generate the server CSR
[root@localhost new_cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_server
Organizational Unit Name (eg, section) []:hl95_sms_server
Common Name (eg, your name or your server's hostname) []:172.28.5.4
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]#
2. Generate the client CSR
[root@localhost new_cert]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_client
Organizational Unit Name (eg, section) []:hl95_sms_client
Common Name (eg, your name or your server's hostname) []:172.28.5.4
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]#
The server and client subject DNs must not be identical to the CA's DN. What matters is the DN as a whole, not the Organization and Organizational Unit fields specifically: a certificate whose subject equals its issuer looks self-signed to OpenSSL and to browsers and will not chain to ca.crt. Changing any one field is enough; here O and OU differ from the CA's, and the CN alone would also have done.
3. Have the CA just created sign the server and client CSRs to produce their CRT certificates
[root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_server/OU=hl95_sms_server/CN=172.28.5.4
Getting CA Private Key
[root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_client/OU=hl95_sms_client/CN=172.28.5.4
Getting CA Private Key
[root@localhost new_cert]#
As with the CA, no -days is given, so both certificates are valid for 30 days only. No -extfile is given either, so they are X.509 v1 certificates without subjectAltName, keyUsage or extendedKeyUsage; in particular the IP address appears only in the CN, which current browsers do not consult.
[root@localhost new_cert]# ll
total 48
-rw-r--r-- 1 root root 899 Jan 11 17:35 ca.crt
-rw-r--r-- 1 root root 708 Jan 11 17:30 ca.csr
-rw-r--r-- 1 root root 887 Jan 11 17:12 ca.key
-rw-r--r-- 1 root root  17 Jan 11 17:54 ca.srl
-rw-r--r-- 1 root root 895 Jan 11 17:54 client.crt
-rw-r--r-- 1 root root 704 Jan 11 17:50 client.csr
-rw-r--r-- 1 root root 887 Jan 11 16:06 client.key
-rw-r--r-- 1 root root 272 Jan 11 16:07 client.pem
-rw-r--r-- 1 root root 895 Jan 11 17:53 server.crt
-rw-r--r-- 1 root root 704 Jan 11 17:48 server.csr
-rw-r--r-- 1 root root 887 Jan 11 15:55 server.key
-rw-r--r-- 1 root root 272 Jan 11 16:05 server.pem
[root@localhost new_cert]#
VI. Finally, produce the key and crt files that nginx will use
[root@localhost new_cert]# openssl rsa -in server.key -out server_nginx.key
writing RSA key
[root@localhost new_cert]# openssl x509 -req -days 3650 -in server.csr -signkey server_nginx.key -out server_nginx.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_server/OU=hl95_sms_server/CN=172.28.5.4
Getting Private key
[root@localhost new_cert]#
Look closely at what these two commands do. openssl rsa -in server.key -out server_nginx.key only rewrites the key (it would strip a passphrase if there were one), so server_nginx.key is a copy of server.key. The second command signs server.csr with the server's own key (-signkey), so server_nginx.crt is a plain self-signed certificate valid for ten years; it is not issued by the CA built in sections IV and V, and the CA, server.crt and client.crt produced there are not used by the nginx configuration below. If the CA is meant to be the trust anchor that clients import, deploy a CA-issued server certificate here instead, issued with -days and with the IP in subjectAltName, so that clients only ever need to trust ca.crt and renewing the server certificate touches nothing on their side.
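The following script is an added example and not code from the original post. It redoes sections III to VI the way a deployment for an IP address needs them: 2048-bit keys, a CA self-signed with an explicit lifetime, a server certificate issued by that CA with the address in subjectAltName, and a verification step that shows the CA-issued certificate chains to ca.crt while the section VI style self-signed certificate does not. The DN values mirror the post's but are illustrative, the output directory and IP are taken from the command line, and openssl 1.0.2 or newer is assumed on PATH.

```shell
#!/bin/sh
# Added example, not code from the original post: a private CA plus a
# CA-issued server certificate for the IP address 172.28.5.4, with the IP in
# subjectAltName so browsers and curl accept it once ca.crt is trusted.
# Assumptions: openssl (1.0.2 or newer) is on PATH; all files go under the
# directory given as $1; the DN values mirror the post's but are illustrative.
set -eu

# Issue the CA and the server certificate into directory $1 for IP $2.
make_ip_cert() {
    dir=$1
    ip=${2:-172.28.5.4}
    mkdir -p "$dir"

    # 1. CA: 2048-bit key (1024-bit RSA is below what current browsers and
    #    OpenSSL's default security level accept), self-signed with an
    #    explicit lifetime instead of the 30-day default of x509 -req.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -sha256 -days 3650 -key "$dir/ca.key" \
        -subj "/C=CN/ST=beijing/L=chaoyang/O=hl95_ca/CN=hl95 internal CA" \
        -out "$dir/ca.crt"

    # 2. Server key and CSR. The subject must differ from the CA's DN so the
    #    leaf is not mistaken for a self-signed cert; CN=<ip> only helps
    #    legacy clients, modern ones match the SAN added below.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$dir/server.key" \
        -subj "/C=CN/ST=beijing/L=chaoyang/O=hl95_server/CN=$ip" \
        -out "$dir/server.csr"

    # 3. v3 extensions for the leaf; subjectAltName=IP:... is the line that
    #    makes the certificate valid for an IP address.
    cat > "$dir/server.ext" <<EOF
basicConstraints=CA:FALSE
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:$ip
EOF

    # 4. Sign with the CA key (-CA/-CAkey), not with server.key.
    openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    # 5. For contrast, what the post's section VI does: -signkey with the
    #    server's own key gives a self-signed cert that does not chain to the CA.
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server_selfsigned.crt" 2>/dev/null
}

# Exit 0 if certificate $2 verifies against CA file $1, non-zero otherwise.
chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Print the IP addresses in certificate $1's subjectAltName, one per line
# (empty output when the certificate has no SAN at all).
san_ips() {
    openssl x509 -in "$1" -noout -text \
        | tr ',' '\n' \
        | sed -n 's/.*IP Address:\([0-9.]*\).*/\1/p'
}

# Usage: sh make_ip_cert.sh /home/new_cert [ip]
if [ $# -gt 0 ]; then
    make_ip_cert "$1" "${2:-172.28.5.4}"
    chains_to_ca "$1/ca.crt" "$1/server.crt" && echo "server.crt chains to ca.crt"
    chains_to_ca "$1/ca.crt" "$1/server_selfsigned.crt" || echo "server_selfsigned.crt does NOT chain to ca.crt"
    echo "SAN IPs in server.crt: $(san_ips "$1/server.crt")"
fi
```

Point ssl_certificate at server.crt and ssl_certificate_key at server.key from the output directory, and give clients only ca.crt to import. Once nginx is up, the same check the script performs locally can be run against the live endpoint from any host that has ca.crt: openssl s_client -connect 172.28.5.4:8061 -CAfile ca.crt should report "Verify return code: 0 (ok)", and curl --cacert ca.crt https://172.28.5.4:8061/ should succeed without -k.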
VII. Upload the key and crt files to the nginx host and edit the nginx configuration (the service is served at https://xxx.xxx.xxx.xxx:8061)
Points worth checking in this configuration before it goes live: ssl_protocols still enables TLS 1.0 and 1.1, both deprecated, so limit it to TLSv1.2 (plus TLSv1.3 where the nginx and OpenSSL builds support it). TLS terminates at nginx and the hop to the upstream servers 172.28.5.6 and 172.28.5.8 stays plain HTTP, so pass X-Forwarded-Proto to the application if it needs to know the original scheme. The port-80 server still serves the application in clear text; redirect it to the HTTPS port or close it once the customer's clients have moved over. nginx reads the private key as root at startup, so /home/cert/server_nginx.key should be mode 600.
user nginx;
worker_processes 8;
error_log /var/log/nginx/info.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections 1024;
    accept_mutex on;
    multi_accept on;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
    #                '$status $body_bytes_sent "$http_referer" '
    #                '"$http_user_agent" "$http_x_forwarded_for"';
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;
    #keepalive_timeout 0;
    keepalive_timeout 65;
    #gzip on;

    upstream sms-web-wx {
        server 172.28.5.6:8061;
        server 172.28.5.8:8061;
    }

    server {
        listen 80;
        server_name localhost;
        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            proxy_pass http://sms-web-wx;
            proxy_set_header host $host;
            proxy_set_header X-real-ip $remote_addr;
            proxy_set_header X-forwarded-for $proxy_add_x_forwarded_for;
        }

        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }

    server {
        listen 8061 ssl;
        server_name zx.sms.web;
        ssl_certificate /home/cert/server_nginx.crt;
        ssl_certificate_key /home/cert/server_nginx.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://sms-web-wx;
            proxy_set_header host $host;
            proxy_set_header X-real-ip $remote_addr;
            proxy_set_header X-forwarded-for $proxy_add_x_forwarded_for;
        }
    }
}
VIII. Access from the browser
Click "Continue to this website".
Then click the certificate error and view the certificate.
The certificate is reported as untrusted; click "Install Certificate".
After the import completes, restart the browser.
The certificate error no longer appears.
The imported certificate can be seen under Internet Options - Content - Certificates.
What is imported here is the server's own self-signed certificate, so the trust covers that one certificate only and the import has to be repeated on every client each time the server certificate is renewed. If the CA from section IV is used to sign the server certificate instead, import ca.crt into the Trusted Root Certification Authorities store once; every certificate it issues is then accepted, and a renewal touches only the server. Either way, the browser still has to find the IP address in the certificate's subjectAltName, which the certificates generated above do not carry.
IX. Convert the crt certificate to pfx (PKCS#12) format (for Tomcat)
[root@localhost new_cert]# openssl pkcs12 -export -in server_nginx.crt -inkey server_nginx.key -out client.pfx
Enter Export Password:
Verifying - Enter Export Password:
Despite its name, client.pfx holds the server certificate and private key: it is the server keystore that the Tomcat connector points at (keystoreType PKCS12), not a client certificate. The export password entered here is the keystorePass Tomcat needs. When the certificate is CA-issued, add -certfile ca.crt so the bundle also carries the chain.
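The script below is an added example and not code from the original post. It builds the Tomcat keystore as in section IX, optionally including the CA chain, and then reads the bundle back to confirm that the private key inside really belongs to the certificate and that the expected number of certificates went in; the friendly name "tomcat", the password source and the file names are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: build a PKCS#12 (.pfx)
# keystore for Tomcat from the server certificate, its private key and the
# issuing CA certificate, then read the bundle back to confirm what went in.
# Assumptions: openssl on PATH; file paths are passed as arguments; the alias
# "tomcat" and the pass: password source are illustrative (prefer
# -passout file:/path or env:VAR in real use so the password stays off the
# command line and out of shell history).
set -eu

# Bundle cert $1 and key $2 (plus CA chain file $3 when non-empty) into $5,
# protected with password $4. The leaf gets the friendly name "tomcat",
# which is the alias Tomcat's keyAlias/certificateKeyAlias refers to.
export_pfx() {
    cert=$1; key=$2; chain=$3; pass=$4; out=$5
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
            -name tomcat -passout "pass:$pass" -out "$out"
    else
        openssl pkcs12 -export -in "$cert" -inkey "$key" \
            -name tomcat -passout "pass:$pass" -out "$out"
    fi
}

# SHA-256 of the public key inside the bundle's leaf (client) certificate.
pfx_cert_pubkey() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -pubkey | openssl sha256
}

# SHA-256 of the public key derived from the bundle's private key.
# Equal to pfx_cert_pubkey only if key and certificate really belong together.
pfx_key_pubkey() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout | openssl sha256
}

# Number of certificates stored in the bundle (leaf plus any chain).
pfx_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh make_pfx.sh server.crt server.key ca.crt changeit server.pfx
if [ $# -eq 5 ]; then
    export_pfx "$1" "$2" "$3" "$4" "$5"
    echo "certificates in bundle: $(pfx_cert_count "$5" "$4")"
    if [ "$(pfx_cert_pubkey "$5" "$4")" = "$(pfx_key_pubkey "$5" "$4")" ]; then
        echo "key matches certificate"
    else
        echo "key does NOT match certificate" >&2
        exit 1
    fi
fi
```

Pass an empty string as the third argument when there is no chain to include, as with the self-signed server_nginx.crt from section VI. The public-key comparison is the same check Tomcat effectively performs at startup; doing it here means a mismatched key and certificate (for example after a renewal that replaced only one of the two files) is caught before the connector refuses to start.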