1.创建服务器证书密钥文件 server.key
[root@3-107 ~]# openssl genrsa -des3 -out server.key 2048 Generating RSA private key, 2048 bit long modulus ........+++ .................................................................................................................+++ e is 65537 (0x010001) Enter pass phrase for server.key: xxx Verifying - Enter pass phrase for server.key:xxx
2.创建服务器证书的申请文件 server.csr
[root@3-107 ~]# openssl req -new -key server.key -out server.csr Enter pass phrase for server.key:xxx --输入上一步的密码 You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]:CN ← 国家代号,中国输入CN State or Province Name (full name) [Some-State]:TianJin ← 省的全名,拼音 Locality Name (eg, city) []:TianJin ← 市的全名,拼 Organization Name (eg, company) [Internet Widgits Pty Ltd]:Okay Airways ← 公司英文名 Organizational Unit Name (eg, section) []:e-Enabling ← 部门名称,可以不输入 Common Name (e.g. server FQDN or YOUR name) []:lsapl.okair.net ← 公司域名 Email Address []:[email protected] ← 公司邮箱名 Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: ← 可以不输入 An optional company name []: ← 可以不输入
3.备份一份服务器密钥文件
#cp server.key server.key.bak
4.去除文件口令
#openssl rsa -in server.key.bak -out server.key
5.生成证书文件server.crt(公钥)
#openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt --3650表示十年有效期
6.将公钥/私钥文件放到nginx目录下
#mkdir -p /etc/nginx/ssl #cp server.crt /etc/nginx/ssl/ --复制公钥 #cp server.key /etc/nginx/ssl/ --复制私钥
——————————————————————————————————————————————————————————————————————————
https 原理部分:
密钥分为公钥和私钥
对称加密的意思就是,加密数据用的密钥,跟解密数据用的密钥是一样的。
非对称加密的意思就是,加密数据用的密钥(公钥),跟解密数据用的密钥(私钥)是不一样的。
https请求过程:
1.服务器发送公钥给客户端
2.客户生成一个随机数作为对称加密密钥,然后用服务器公钥加密。返给服务器
3.服务器收到数据,用私钥解密,得到随机数
4.服务器和客户端直接用这个随机数作为密钥,加密解密以后的数据
说白了,非对称加密只用作传递这个对称加密的密钥
Reference:
https://blog.csdn.net/kobejayandy/article/details/52433660
https://blog.csdn.net/Small_dong_/article/details/52534738