• 基于nginx结合openssl实现https


    在做之前需要将nginx建好,保证端口打开

    一、检查openssl是否安装

    [root@localhost ~]# rpm -qa openssl
    openssl-1.0.2k-16.el7_6.1.x86_64

    二、创建根证书CA

    1、生成CA私钥

    复制代码
    [root@localhost openssl]# openssl genrsa -out local.key 2048
    Generating RSA private key, 2048 bit long modulus
    .............................+++
    ..............................................................................+++
    e is 65537 (0x10001)
    [root@localhost openssl]# ls local.key
    复制代码

    2、生成CA证书请求

    复制代码
    [root@localhost openssl]# openssl req -new -key local.key -out local.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:China
    string is too long, it needs to be less than  2 bytes long
    Country Name (2 letter code) [XX]:CN   //国家
    State or Province Name (full name) []:beijing   //省
    Locality Name (eg, city) [Default City]:beijing  //城市
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:test   //部门
    Common Name (eg, your name or your server's hostname) []:test   //主机名
    Email Address []:test@test.com   //邮箱
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:tanxiao    //密码
    An optional company name []:tanxiao   //公司名
    
    [root@localhost openssl]# ls local.csr local.key
    复制代码

    3、生成CA根证书

    这个生成CA证书的命令不容易搞懂
    1.通过秘钥 生成证书请求文件
    2.通过证书请求文件 生成最终的证书 
     -in 使用证书请求文件生成证书,-signkey 指定私钥
    req:提供生成证书的请求文件,验证证书和创建根CA
    -new:表示新生成一个证书请求
    -x509:直接输出证书
    -key:生成证书请求时用到的私钥文件
    -out:输出文件
    复制代码
    [root@localhost openssl]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
    Signature ok
    subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
    Getting Private key
    复制代码

    三、根据CA根证书创建server根证书

    1、生成server私钥

    [root@localhost openssl]# openssl genrsa -out my_server.key 2048 
    Generating RSA private key, 2048 bit long modulus
    ..+++
    ....................................................+++
    e is 65537 (0x10001)

    2、生成server证书请求

    复制代码
    [root@localhost openssl]# openssl req -new -key my_server.key -out my_server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:beijing
    Locality Name (eg, city) [Default City]:beijing
    Organization Name (eg, company) [Default Company Ltd]:
    Organizational Unit Name (eg, section) []:test
    Common Name (eg, your name or your server's hostname) []:test
    Email Address []:test@test.com
    
    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:tanxiao
    An optional company name []:tanxiao
    
    [root@localhost openssl]# ls local.crt local.csr local.key my_server.csr my_server.key
    复制代码

    3、生成server证书

    复制代码
    [root@localhost openssl]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
    Signature ok
    subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/emailAddress=test@test.com
    Getting CA Private Key
    复制代码

    四、配置nginx支持SSL(在配置nginx时必须安装ssl模块)

    复制代码
    [root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
    server { listen 80; listen 443 default ssl; keepalive_timeout 100; ssl_certificate /root/local.crt; ssl_certificate_key /root/local.key; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; server_name localhost; charset utf-8; }
    复制代码

    五、测试

     

    https://www.cnblogs.com/tanxiaojuncom/

  • 相关阅读:
    C++中派生类与基类的同名成员调用机制
    一元运算符重载
    二元运算符重载
    const修饰符在不同位置带来的效应
    C++中指针与引用的区别
    基本的查找算法
    排序算法
    指针是怎么回事
    面试总结(1)
    价值观作业
  • 原文地址:https://www.cnblogs.com/laohantui/p/11548500.html
Copyright © 2020-2023  润新知