
CA certificate generation and nginx configuration

CA certificate

  1. CA certificate and key, method one: generate the CA key and its self-signed certificate in one step
# If you do not want to be prompted for a password whenever the private key file ca.key is read (i.e. you want the key stored unencrypted), replace -passout pass:123456 with -nodes
openssl req -newkey rsa:2048 -passout pass:123456 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CA/emailAddress=youremail@qq.com"
  2. CA certificate and key, method two: generate the CA key and its self-signed certificate in separate steps
openssl genrsa -aes256 -passout pass:123456 -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -passin pass:123456 -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CA/emailAddress=youremail@qq.com"

Server certificate

  1. Server certificate and key, method one: generate the server key and the certificate signing request in one step
# If you do not want to be prompted for a password whenever the private key file server.key is read (i.e. you want the key stored unencrypted), replace -passout pass:server with -nodes
openssl req -newkey rsa:2048 -passout pass:server -keyout server.key -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=SERVER/emailAddress=youremail@qq.com"
  2. Server certificate and key, method two: generate the server key and the certificate signing request in separate steps
openssl genrsa -aes256 -passout pass:server -out server.key 2048
openssl req -new -key server.key -passin pass:server -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=SERVER/emailAddress=youremail@qq.com"

Certificate signing

# Sign the server certificate with the CA certificate and key:
# (-extfile/-extensions take the leaf-certificate extensions from the v3_req section of the system openssl.cnf, so that section must exist there)
openssl x509 -req -extfile /etc/ssl/openssl.cnf -extensions v3_req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:123456 -CAcreateserial -out server.crt
# Convert the encrypted RSA key into an unencrypted one, so the decryption password is not required on every read
# The password is the passout set when the key was generated, i.e. the passin needed to read the key file; here enter "server" (or add -passin pass:server to skip the prompt)
openssl rsa -in server.key -out server.unsecure.key

Client certificate

  1. Client certificate and key, method one: generate the client key and the certificate signing request in one step
# If you do not want to be prompted for a password whenever the private key file client.key is read (i.e. you want the key stored unencrypted), replace -passout pass:client with -nodes
openssl req -newkey rsa:2048 -passout pass:client -keyout client.key -out client.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CLIENT/emailAddress=youremail@qq.com"
  2. Client certificate and key, method two: generate the client key and the certificate signing request in separate steps
openssl genrsa -aes256 -passout pass:client -out client.key 2048
openssl req -new -key client.key -passin pass:client -out client.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CLIENT/emailAddress=youremail@qq.com"

Certificate signing

# Sign the client certificate with the CA certificate and key:
openssl x509 -req -extfile /etc/ssl/openssl.cnf -extensions v3_req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -passin pass:123456 -CAcreateserial -out client.crt
# Convert the encrypted RSA key into an unencrypted one, so the decryption password is not required on every read
# The password is the passout set when the key was generated, i.e. the passin needed to read the key file; here enter "client" (or add -passin pass:client to skip the prompt)
openssl rsa -in client.key -out client.unsecure.key
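The whole procedure above (CA, CA-signed server certificate, CA-signed client certificate), plus the check that nginx's ssl_verify_client later performs, as an added, runnable script that is not part of the original post. It differs from the post in two deliberate ways: it ships its own minimal openssl config instead of relying on the v3_req section of /etc/ssl/openssl.cnf, and it puts the server name into a subjectAltName, because current browsers no longer match the hostname against the CN. The function names (write_openssl_config, make_pki, verify_cert), the output directory, the passwords and the "Demo Root CA"/CLIENT names are all constructed for the demo; the only requirement is an openssl 1.0.2 or newer on PATH.

```shell
#!/bin/sh
# Added example, not the blog's own script: builds the post's three-part PKI
# (password-protected CA key + self-signed CA cert, CA-signed server cert,
# CA-signed client cert) from one self-contained openssl config, then checks
# each leaf the way nginx (ssl_verify_client) and a browser would.
# Assumptions: openssl 1.0.2 or newer on PATH; every path, name and password
# below is constructed for the demo (the server name is the post's nginx vhost).
set -eu

# Minimal openssl config so nothing depends on the system openssl.cnf or on
# what its v3_req section happens to contain. $1 = output path, $2 = server name.
write_openssl_config() {
    cat > "$1" <<EOF
[req]
distinguished_name = dn
prompt = no

[dn]
CN = placeholder

[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2

[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_pki DIR SERVER_NAME CA_PASS   (CA_PASS in openssl's pass:... syntax)
make_pki() {
    dir=$1; name=$2; capass=$3
    cnf="$dir/pki.cnf"
    write_openssl_config "$cnf" "$name"

    # CA: encrypted private key, as in the post, and a self-signed root cert.
    openssl genrsa -aes256 -passout "$capass" -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -passin "$capass" -config "$cnf" \
        -extensions v3_ca -days 365 -subj "/C=CN/O=COM/CN=Demo Root CA" \
        -out "$dir/ca.crt"

    # Server and client: keys left unencrypted (-nodes) because nginx and
    # automated clients read them unattended; each CSR is then signed by the CA
    # with the role's own extension section (SAN + serverAuth for the server,
    # clientAuth for the client).
    for role in server client; do
        if [ "$role" = server ]; then cn=$name; else cn=CLIENT; fi
        openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/$role.key" \
            -config "$cnf" -subj "/C=CN/O=COM/CN=$cn" \
            -out "$dir/$role.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$role.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -passin "$capass" -CAcreateserial -days 365 \
            -extfile "$cnf" -extensions "v3_$role" -out "$dir/$role.crt" 2>/dev/null
    done
}

# verify_cert CA_FILE CERT PURPOSE: chain + purpose check. "sslclient" is what
# ssl_verify_client enforces against ssl_client_certificate; "sslserver" is the
# browser-side check of server.crt. Returns 0 only if the cert is acceptable.
verify_cert() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# Stand-alone use: sh pki.sh run [outdir]
if [ "${1:-}" = run ]; then
    out=${2:-./demo-pki}
    mkdir -p "$out"
    make_pki "$out" nginxwithssl.com pass:123456
    verify_cert "$out/ca.crt" "$out/server.crt" sslserver && echo "server.crt: OK"
    verify_cert "$out/ca.crt" "$out/client.crt" sslclient && echo "client.crt: OK"
fi
```

The three outputs map straight onto the nginx directives in the next section: server.crt and the unencrypted server.key become ssl_certificate and ssl_certificate_key, and ca.crt becomes ssl_client_certificate. A client certificate issued by any other CA fails verify_cert with purpose sslclient, which is exactly the connection nginx refuses with ssl_verify_client on; once nginx is up, the same check can be exercised end to end with curl --cacert ca.crt --cert client.crt --key client.key https://nginxwithssl.com/.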

nginx configuration

user  nginx;
worker_processes  1;

error_log  /var/log/nginx/error.log warn;
pid        /var/run/nginx.pid;


events {
    worker_connections  1024;
}


http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/nginx/access.log  main;

    sendfile        on;
    client_max_body_size 1024M; 
    keepalive_timeout 1800;
    #tcp_nopush     on;

    #gzip  on;

    upstream backend {
        # server_connect_to is a placeholder for the real backend host:port
        server server_connect_to;
    }

    server {
        listen  443 ssl;
        server_name             nginxwithssl.com;
        # The CA-signed server certificate and its key from the steps above.
        # Point ssl_certificate_key at the unencrypted key (server.unsecure.key),
        # otherwise nginx prompts for the passphrase at startup unless
        # ssl_password_file is configured.
        ssl_certificate         /etc/ssl/nginx/server.crt;
        ssl_certificate_key     /etc/ssl/nginx/server.key;
        # Mutual TLS: every client must present a certificate that chains to ca.crt
        ssl_client_certificate  /etc/ssl/nginx/ca.crt;
        ssl_verify_client on;

        ssl_session_timeout 5m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        # SSLv3 is broken (POODLE) and TLS 1.0/1.1 are deprecated; negotiate TLS 1.2+
        # only (drop TLSv1.3 on nginx older than 1.13 or OpenSSL older than 1.1.1)
        ssl_protocols TLSv1.2 TLSv1.3;
        location / {
            proxy_pass http://backend;
        }
    }

    include /etc/nginx/conf.d/*.conf;
}

posted @ 请叫我明哥i