Generating certificates with openssl

Generating a certificate takes four steps in total.

1) Generate the RSA private key (you will be asked for a passphrase of at least 4 characters)
# openssl genrsa -des3 -out private.key 2048

2) Write out an unencrypted copy of the RSA private key generated above (enter the passphrase from step 1). This step can be skipped, but if the key is later used by nginx you will be asked for this passphrase every time the nginx configuration is reloaded.
# openssl rsa -in private.key -out private.key


3) Generate a certificate signing request from this key file (for a production certificate, take this file to a CA to have it issued; for testing, issue it yourself in step 4)
# openssl req -new -key private.key -out csr.csr

Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:sichuan
Locality Name (eg, city) []:chengdu
Organization Name (eg, company) [Internet Widgits Pty Ltd]:zgxx
Organizational Unit Name (eg, section) []:zgxx
Common Name (e.g. server FQDN or YOUR name) []:eyunpiao.cn        (enter the domain name here, otherwise it will not work when used)
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456        (this password is used when configuring tomcat)
An optional company name []:zgxx

4) Generate the crt certificate from the certificate signing request and the private key (3650 here is the validity period passed to -days; set it to suit your own situation)
# openssl x509 -req -days 3650 -in csr.csr -signkey private.key -out ssl.crt

Resulting files

private.key - the user's private key; keep it safe, it is normally stored somewhere on the server
csr.csr     - the certificate signing request file
ssl.crt     - the generated X509 certificate, for clients to download and use
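The four steps above as one non-interactive script, followed by the checks worth running before the files are copied to a server (an added example, not code from the original post). It assumes an openssl binary in PATH; example.invalid is a placeholder domain and the subject fields are taken from the prompts above.

```shell
#!/bin/sh
# Added example, not from the original post: the four steps above run
# non-interactively, plus checks worth running before deploying the files.
# Assumes an openssl binary in PATH; example.invalid is a placeholder domain.
set -eu

# Generate private.key, csr.csr and ssl.crt for FQDN $1 in directory $2.
make_selfsigned_cert() {
  fqdn="$1"; dir="$2"
  # Steps 1+2 merged: write the key unencrypted from the start (no -des3), so
  # nginx reloads need no passphrase; umask 077 makes the file owner-only.
  (umask 077; openssl genrsa -out "$dir/private.key" 2048 2>/dev/null)
  # Step 3: the CSR. -subj replaces the prompts; the tiny config makes the
  # step independent of the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$dir/req.cnf"
  openssl req -new -config "$dir/req.cnf" -key "$dir/private.key" \
    -out "$dir/csr.csr" -subj "/C=CN/ST=sichuan/L=chengdu/O=zgxx/OU=zgxx/CN=$fqdn"
  # Step 4: self-sign for 3650 days, adding a subjectAltName via -extfile
  # because current browsers ignore the CN and reject certs without a SAN.
  printf 'subjectAltName=DNS:%s\n' "$fqdn" > "$dir/san.cnf"
  openssl x509 -req -days 3650 -in "$dir/csr.csr" -signkey "$dir/private.key" \
    -out "$dir/ssl.crt" -extfile "$dir/san.cnf" 2>/dev/null
}

# Print "ok" if cert $1 and key $2 share the same RSA modulus, else "mismatch".
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -modulus)
  k=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null)
  if [ "$c" = "$k" ]; then echo ok; else echo mismatch; fi
}

# Print the CN of cert $1, to confirm it is the domain nginx will serve.
cert_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Print the DNS names in the subjectAltName of cert $1.
cert_san() {
  openssl x509 -in "$1" -noout -text | grep -o 'DNS:[^,[:space:]]*'
}

# Demo run with the placeholder domain; skipped if openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
  out=$(mktemp -d)
  make_selfsigned_cert example.invalid "$out"
  echo "key/cert match: $(cert_matches_key "$out/ssl.crt" "$out/private.key")"
  echo "CN:  $(cert_cn "$out/ssl.crt")"
  echo "SAN: $(cert_san "$out/ssl.crt")"
fi
```

A "mismatch" from cert_matches_key means the crt was signed with a different key than the one being deployed, which is the most common cause of nginx or tomcat refusing to start with these files.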

Copy the three files into the conf directory of tomcat or nginx, then configure as follows.

tomcat: configure server.xml

<Connector port="8443" maxHttpHeaderSize="8192"   
maxThreads="150" 
enableLookups="false" disableUploadTimeout="true" 
acceptCount="100" scheme="https" secure="true" 
SSLEnabled="true" 
SSLCertificateFile="${catalina.base}\conf\ssl.crt" 
SSLCertificateKeyFile="${catalina.base}\conf\private.key"
SSLPassword="123456"/>   

nginx: configure nginx.conf

server {
    # listen 80 default backlog=2048;       (if this line is uncommented, the site is reachable over both http and https)
    listen 443 ssl;
    server_name eyunpiao.cn;
    root /home/nginx/html;

    ssl_certificate     /home/nginx/conf/ssl.crt;
    ssl_certificate_key /home/nginx/conf/private.key;

    # SSL performance tuning
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!eNULL:!NULL:!DH:!EDH:!AESGCM;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
}

Reposted from www.cnblogs.com/gaobo543013306/p/9219604.html