Linux Operations and Architecture Path: Configuring an HTTPS Certificate in Nginx
I. Creating the certificate
1. Generate the private key (server.key)
[root@docker ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............................................................+++
.................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
During execution you are asked for a passphrase; enter the same one twice. This command produces the file server.key.
Whenever this file is used later (through the openssl command line or its API) you will be prompted for the passphrase again. To remove that prompt, use the following command. Note that it rewrites server.key as an unencrypted key on disk, so restrict the file's permissions to the user nginx runs as.
openssl rsa -in server.key -out server.key
2. Create the certificate signing request for the server, server.csr
openssl req -new -key server.key -out server.csr
[root@docker ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.56.100
Email Address []:
3. Create the CA certificate
openssl req -new -x509 -key server.key -out ca.crt -days 3650
[root@docker ssl]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.56.100
Email Address []:
You now have a CA certificate, ca.crt, which will be used to sign your own server certificate.
4. Create the server certificate server.crt, valid for ten years from today
[root@docker ssl]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
Signature ok
subject=/C=CN/L=Default City/O=Default Company Ltd/CN=192.168.56.100
Getting CA Private Key
5. List the generated files; there are five in total
[root@docker ssl]# ll
总用量 20
-rw-r--r-- 1 root root 1285 5月 9 14:45 ca.crt
-rw-r--r-- 1 root root   17 5月 9 14:45 ca.srl
-rw-r--r-- 1 root root 1168 5月 9 14:45 server.crt
-rw-r--r-- 1 root root 1017 5月 9 14:44 server.csr
-rw-r--r-- 1 root root 1675 5月 9 14:41 server.key
server.crt and server.key are the certificate files nginx needs.
II. Nginx configuration
1. Open the nginx configuration file and search for 443 to find the HTTPS server block
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /app/nginx/ssl/server.crt;
        ssl_certificate_key  /app/nginx/ssl/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
2. Change the certificate paths: set ssl_certificate to the path of server.crt and ssl_certificate_key to the path of server.key
3. Gracefully reload the Nginx service
nginx -s reload
Nginx HTTPS is now enabled on the default port 443; test it by visiting the site in a browser. Because ca.crt is self-signed, the browser will warn about the certificate until ca.crt is imported as a trusted root.
The most effective way to succeed is to learn from experienced people!
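The whole of section I as a non-interactive script, together with the checks worth running before editing the paths in section II. This is an added example and not part of the original post; it assumes openssl is installed and deviates from the post in two places: the CA gets its own key (ca.key) instead of reusing server.key, and the server certificate carries a subjectAltName for the IP, which current browsers require (a Common Name alone is no longer accepted). The IP 192.168.56.100 is the post's; the organisation names, the ca.key and server.ext file names and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl is on PATH.
set -eu

SERVER_IP="192.168.56.100"   # the Common Name used in the post

# make_certs DIR IP
# Writes ca.key, ca.crt, server.key, server.csr, server.ext and server.crt into DIR.
# Differences from the post: a separate CA key, a SAN on the server certificate,
# and no passphrase on server.key (same result as the post's 'openssl rsa' step).
make_certs() {
    dir="$1"; ip="$2"
    mkdir -p "$dir"

    # CA key and self-signed CA certificate, valid ten years like the post's ca.crt
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -out "$dir/ca.crt" -days 3650 \
        -subj "/C=CN/O=Example Lab CA/CN=Example Lab Root CA" 2>/dev/null

    # Server key, kept unencrypted so nginx can start unattended; protect it by mode
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key" "$dir/ca.key"

    # CSR (post step 2), then the extensions the CA adds when signing
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/O=Example Lab/CN=$ip" 2>/dev/null
    printf 'subjectAltName=IP:%s\nextendedKeyUsage=serverAuth\nbasicConstraints=CA:FALSE\n' \
        "$ip" > "$dir/server.ext"

    # Sign the CSR with the CA (post step 4), attaching the SAN
    openssl x509 -req -days 3650 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR: does server.crt validate against ca.crt? (exit status 0 = yes)
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null 2>&1
}

# cert_matches_key CERT KEY: the pair named in ssl_certificate / ssl_certificate_key
# must share one public key, otherwise nginx refuses to load the configuration.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_has_san CERT IP: confirms the IP appears in the certificate's subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# Stand-alone run: build everything into a temporary directory and run the checks
demo() {
    d=$(mktemp -d)
    make_certs "$d" "$SERVER_IP"
    verify_chain "$d" \
        && cert_matches_key "$d/server.crt" "$d/server.key" \
        && cert_has_san "$d/server.crt" "$SERVER_IP" \
        && echo "OK: $d/server.crt and $d/server.key are ready for nginx"
}
demo
```

Run it with sh; it prints the directory holding the files. verify_chain is the same validation a browser performs once ca.crt has been imported as a trusted root; cert_matches_key catches a certificate/key mismatch before it shows up as a failed reload. After editing the paths in section II, run nginx -t before nginx -s reload so that a wrong path fails the syntax check instead of the running service.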