ca证书生成及nginx配置
CA证书
- CA证书及密钥生成方法一----直接生成CA密钥及其自签名证书
# 如果想以后读取私钥文件ca.key时不需要输入密码,亦即不对私钥进行加密存储,那么将-passout pass:123456替换成-nodes
openssl req -newkey rsa:2048 -passout pass:123456 -keyout ca.key -x509 -days 365 -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CA/emailAddress=youremail@qq.com"
- CA证书及密钥生成方法二----分步生成CA密钥及其自签名证书
openssl genrsa -aes256 -passout pass:123456 -out ca.key 2048
openssl req -new -x509 -days 365 -key ca.key -passin pass:123456 -out ca.crt -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CA/emailAddress=youremail@qq.com"
服务器证书
- 服务器证书及密钥生成方法一----直接生成服务器密钥及待签名证书
# 如果想以后读取私钥文件server.key时不需要输入密码,亦即不对私钥进行加密存储,那么将-passout pass:server替换成-nodes
openssl req -newkey rsa:2048 -passout pass:server -keyout server.key -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=SERVER/emailAddress=youremail@qq.com"
- 服务器证书及密钥生成方法二----分步生成服务器密钥及待签名证书
# openssl genrsa -aes256 -passout pass:server -out server.key 2048
# openssl req -new -key server.key -passin pass:server -out server.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=SERVER/emailAddress=youremail@qq.com"
证书签名
# 使用CA证书及密钥对服务器证书进行签名:
openssl x509 -req -extfile /etc/ssl/openssl.cnf -extensions v3_req -days 365 -in server.csr -CA ca.crt -CAkey ca.key -passin pass:123456 -CAcreateserial -out server.crt
# 将加密的RSA密钥转成未加密的RSA密钥,避免每次读取都要求输入解密密码
# 密码就是生成私钥文件时设置的passout、读取私钥文件时要输入的passin,比如这里要输入“server”
openssl rsa -in server.key -out server.unsecure.key
客户端证书
- 客户端证书及密钥生成方法一----直接生成客户端密钥及待签名证书
# 如果想以后读取私钥文件client.key时不需要输入密码,亦即不对私钥进行加密存储,那么将-passout pass:client替换成-nodes
openssl req -newkey rsa:2048 -passout pass:client -keyout client.key -out client.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CLIENT/emailAddress=youremail@qq.com"
- 客户端证书及密钥生成方法二----分步生成客户端密钥及待签名证书:
# openssl genrsa -aes256 -passout pass:client -out client.key 2048
# openssl req -new -key client.v -passin pass:client -out client.csr -subj "/C=CN/ST=GD/L=SZ/O=COM/OU=NSP/CN=CLIENT/emailAddress=youremail@qq.com"
证书签名
使用CA证书及密钥对客户端证书进行签名:
openssl x509 -req -extfile /etc/ssl/openssl.cnf -extensions v3_req -days 365 -in client.csr -CA ca.crt -CAkey ca.key -passin pass:123456 -CAcreateserial -out client.crt
# 将加密的RSA密钥转成未加密的RSA密钥,避免每次读取都要求输入解密密码
# 密码就是生成私钥文件时设置的passout、读取私钥文件时要输入的passin,比如这里要输入“client”
openssl rsa -in client.key -out client.unsecure.key
nginx配置
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/nginx/access.log main;
sendfile on;
client_max_body_size 1024M;
keepalive_timeout 1800;
#tcp_nopush on;
#gzip on;
upstream backend{
server server_connect_to;
}
server {
listen 443 ssl;
server_name nginxwithssl.com;
ssl_certificate /etc/ssl/nginx/server.crt;
ssl_certificate_key /etc/ssl/nginx/server.key;
ssl_client_certificate /etc/ssl/nginx/ca.crt;
ssl_verify_client on;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
location / {
proxy_pass http://backend;
}
}
include /etc/nginx/conf.d/*.conf;
}
本文来自博客园,作者:ximon,如果有错误请联系我改正,互相学习!
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】凌霞软件回馈社区,博客园 & 1Panel & Halo 联合会员上线
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】博客园社区专享云产品让利特惠,阿里云新客6.5折上折
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 在鹅厂做java开发是什么体验
· 百万级群聊的设计实践
· WPF到Web的无缝过渡:英雄联盟客户端的OpenSilver迁移实战
· 永远不要相信用户的输入:从 SQL 注入攻防看输入验证的重要性
· 浏览器原生「磁吸」效果!Anchor Positioning 锚点定位神器解析