Table of contents
1. Nginx implements self-signed SSL certificate generation and configuration
4. Generate the decrypted private key key
5. Signature generation certificate
6. Configure the certificate and verify it
7. Error reporting of encrypted private key
1. Nginx implements self-signed SSL certificate generation and configuration
1. Introduction to nouns
①key private key = plaintext -- generate by yourself (genrsa)
②csr public key = generated by private key
③crt certificate = public key + signature (self-signed or signed by CA)
④Certificate: server.crt file is the certificate
⑤Signature: The process of using the private key key and public key csr to generate the certificate server.crt is called signature
2. Generate a private key
cd ~
#回到root用户的家目录下
openssl genrsa -des3 -out server.key 1024
#使用ssl生成私钥名为 server.key
3. Generate public key
openssl req -new -key server.key -out server.csr
#基于创建的server.key私钥创建server.csr公钥
openssl req -text -in server.csr -noout
#查看私钥加密的内容
4. Generate the decrypted private key key
openssl rsa -in server.key -out server.key.unsecure
#基于server.key私钥生成server.key.unsecure的解密私钥
5. Signature generation certificate
签名方法1:方法1需要输入密码,私钥密码为123456
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
#使用私钥和公钥生成server.crt签名证书,-days为365天 -in指定公钥,-signkey指定私钥,生成的前面证书为server.crt
签名方法2:
openssl x509 -req -days 365 -in server.csr -signkey server.key.unsecure -out server.crt
#使用解密私钥和公钥生成server.crt签名证书,-days为365天 -in指定公钥,-signkey指定解密后的私钥,生成的前面证书为server.crt
openssl -text -in server.crt -noout
#查看证书的内容,server.crt内容
6. Configure the certificate and verify it
yum install epel-release -y
yum install nginx -y
systemctl start nginx
#安装额外源 并安装启动nginx
vim /etc/nginx/nginx.conf
#编辑nginx主配置文件文件末尾添加内容如下
server {
listen 443 ssl ;
server_name localhost ;
ssl_certificate "/root/server.crt";
ssl_certificate_key "/root/server.key.unsecure";
}
#创建一个新的server模块,注意要在http模块里面,listen表示监听端口,server_name写主机地址或localhost都可以,ssl_certificate是签名证书的路径,ssl_certificate_key是私钥的路径,本文私钥路径写了解密后的私钥,写加密时的私钥有报错
systemctl start nginx
#重启nginx到浏览器上访问验证
7. Error reporting of encrypted private key
报错信息为:nginx: [emerg] cannot load certificate key "/root/server.key": PEM_read_bio_Priv
或者ELinux is preventing nginx from getattr access on the file /root/server.crt. For complete SELinux messages run: sealert -l ac7969d7-cfd3-462b-a388-4953e13a3e32
#journalctl -xe查看的报错信息为selinux阻止nginx读取私钥但是关闭selinux依然是此报错
ssl_certificate_key "/root/server.key";
#配置文件中写私钥服务会报错,此配置即会报错
ssl_certificate_key "/root/server.key.unsecure";
#改为解密后的私钥路径重启服务即可
