Generating a custom (self-signed) certificate for Nginx
1. Create a directory to hold the certificate (the path is up to you):
cd /usr/local/nginx/conf/cert
mkdir key
cd key
Install the dependencies first:
yum -y install pcre-devel zlib-devel popt-devel openssl-devel openssl
Create the nginx user:
useradd -M -s /sbin/nologin nginx
2. Run the following command to generate a key:
openssl genrsa -des3 -out ssl.key 4096
Generating RSA private key, 4096 bit long modulus
....++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for ssl.key:              #### enter a pass phrase
Verifying - Enter pass phrase for ssl.key:  #### enter it again
### genrsa generates the RSA private key   #### ssl.key is the name of the key file   #### 4096 is the key length in bits
You will then be asked for a pass phrase for this key file. Entering one is not recommended, because the key will be used by nginx later, and every time you reload the nginx configuration you would have to enter the PEM pass phrase.
Since -des3 makes a pass phrase mandatory at generation time, you can enter one and then strip it afterwards:
mv ssl.key xxx.key
openssl rsa -in xxx.key -out ssl.key    # writes the key back without the pass phrase
rm xxx.key
3. Generate a certificate signing request (CSR) from this key:
openssl req -new -key ssl.key -out ssl.csr
Enter pass phrase for ssl.key:    ## only asked if the key still has a pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ ## country
State or Province Name (full name) []:BJ ## state or province
Locality Name (eg, city) [Default City]:BJ ## city
Organization Name (eg, company) [Default Company Ltd]:BDGJ ## company name
Organizational Unit Name (eg, section) []:IT ## department
Common Name (eg, your name or your server's hostname) []:www.benet.com ## server hostname
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Press Enter to accept the defaults for the remaining fields.
4. Finally, generate the crt certificate file from these two files (ssl.key and ssl.csr):
openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt
The -days value is the certificate's validity period in days (365 would be one year); 3650 is recommended, but it is up to you. The files used in the end are the key and the crt.
5. Add the following to the server block of the nginx configuration file that needs the certificate:
server {
    listen 8082 ssl;
    server_name localhost;
    # paths are relative to the nginx conf directory; point them at wherever ssl.crt and ssl.key were written in step 1
    ssl_certificate cert/key/ssl.crt;
    ssl_certificate_key cert/key/ssl.key;
    ssl_session_timeout 30m;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!3DES:!ADH:!RC4:!DH:!DHE;
    # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 (and TLSv1.3 where nginx/OpenSSL support it) unless old clients require them
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        ...
    }
}
nginx can then be started normally.
6. Restart nginx and you are done.
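Steps 2 to 4 above as a non-interactive shell script, with a check that the resulting certificate and key belong together before nginx is reloaded. This is an added example, not part of the original page; it assumes OpenSSL is installed, and the output directory, hostname and DN values are placeholders mirroring the page's answers.

```shell
#!/bin/sh
# Added example (not from the original page): steps 2-4 without interactive prompts,
# plus a sanity check before nginx is reloaded. Assumes OpenSSL is installed; the
# output directory, hostname and DN fields are placeholders mirroring the page's answers.
set -eu

# Create an unencrypted RSA key, a CSR and a self-signed certificate in $1 for hostname $2.
make_selfsigned() {
    dir="$1"; host="$2"; days="${3:-3650}"
    mkdir -p "$dir"
    # Step 2: no -des3, so there is no pass phrase to strip and nginx reloads will not prompt.
    openssl genrsa -out "$dir/ssl.key" 4096 2>/dev/null
    chmod 600 "$dir/ssl.key"     # the private key must not be readable by other users
    # Step 3: answer the DN questions with -subj instead of typing them in.
    openssl req -new -key "$dir/ssl.key" -out "$dir/ssl.csr" \
        -subj "/C=BJ/ST=BJ/L=BJ/O=BDGJ/OU=IT/CN=$host"
    # Step 4: self-sign the request; -days is the validity period in days.
    openssl x509 -req -days "$days" -in "$dir/ssl.csr" \
        -signkey "$dir/ssl.key" -out "$dir/ssl.crt" 2>/dev/null
}

# Print "match" if the certificate's public key belongs to the private key, else "MISMATCH".
# A mismatched pair makes nginx refuse to start with a "key values mismatch" error.
check_pair() {
    k=$(openssl rsa -noout -modulus -in "$1/ssl.key")
    c=$(openssl x509 -noout -modulus -in "$1/ssl.crt")
    if [ "$k" = "$c" ]; then echo match; else echo MISMATCH; fi
}

# Print the certificate's CN so it can be compared with the server_name nginx will serve.
cert_cn() {
    openssl x509 -noout -subject -in "$1/ssl.crt" | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# Usage: make_selfsigned /usr/local/nginx/conf/cert/key www.benet.com 3650
#        check_pair /usr/local/nginx/conf/cert/key
```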