Generate an SSL self-signed certificate under Linux and configure nginx for HTTPS access

1. The interface previously exposed is http://192.168.2.246

The interface has to move to HTTPS. It is reached by IP address rather than by a domain name, so a certificate from a public CA is not an option; instead a self-signed certificate is generated and nginx is configured to present it.

2. Create a new_cert directory under the home directory to store certificates and related files

[root@localhost home]# mkdir new_cert

3. Use openssl to generate the private key and the extracted public key for the server and the client

The transcript uses 1024-bit RSA. NIST SP 800-131A disallows 1024-bit RSA for signature generation, and the CA/Browser Forum baseline requires at least 2048 bits, so use `openssl genrsa -out server.key 2048` (or larger) for anything beyond a throwaway test. Note also that the .pem public-key files extracted here are not used by TLS or by nginx at all: the certificate carries the public key, and only the .key and .crt files are needed later.

1. Generate server private key

(base) [root@localhost ~]# mkdir new_cert
(base) [root@localhost ~]# cd new_cert/
(base) [root@localhost new_cert]# openssl genrsa -out server.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.......................+++++
............+++++
e is 65537 (0x010001)

2. Generate server public key

(base) [root@localhost new_cert]# openssl rsa -in server.key -pubout -out server.pem
writing RSA key

3. Generate client private key

(base) [root@localhost new_cert]# openssl genrsa -out client.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
.........................+++++
..........+++++
e is 65537 (0x010001)

4. Generate client public key

(base) [root@localhost new_cert]# openssl rsa  -in client.key -pubout -out client.pem
writing RSA key
(base) [root@localhost new_cert]# ll
total 16
-rw------- 1 root root 887 Apr  6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr  6 14:44 client.pem
-rw------- 1 root root 887 Apr  6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr  6 14:44 server.pem
(base) [root@localhost new_cert]#

4. Generate CA certificate

1. Generate CA private key

(base) [root@localhost new_cert]# openssl genrsa -out ca.key 1024
Generating RSA private key, 1024 bit long modulus (2 primes)
..........+++++
.........................+++++
e is 65537 (0x010001)
(base) [root@localhost new_cert]#

2. Generate the CA certificate signing request (CSR)

(base) [root@localhost new_cert]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hlhk_ca
Organizational Unit Name (eg, section) []:hlhk_sms_ca
Common Name (e.g. server FQDN or YOUR name) []:192.168.2.246
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:192.168.2.246
(base) [root@localhost new_cert]#

3. Self-sign the CSR with the CA private key to produce the CA certificate (CRT)

Two caveats about the command below: without -days, openssl x509 -req issues a certificate valid for only 30 days, and without -extfile (or the v3_ca extensions that openssl req -x509 would add) the certificate carries no basicConstraints CA:TRUE and no keyUsage keyCertSign, both of which a CA certificate should have for strict path validation to accept it as an issuer.

(base) [root@localhost new_cert]# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_ca, OU = hlhk_sms_ca, CN = 192.168.2.246
Getting Private key
(base) [root@localhost new_cert]#

5. Generate server-side and client-side CRT certificates

1. Generate server signature request CSR file

(base) [root@localhost new_cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hlhk_serve
Organizational Unit Name (eg, section) []:hlhk_sms_serve
Common Name (e.g. server FQDN or YOUR name) []:192.168.2.246
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:192.168.2.246
(base) [root@localhost new_cert]#

2. Generate client signature request CSR file

(base) [root@localhost new_cert]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:beijing
Locality Name (eg, city) []:chaoyang
Organization Name (eg, company) [Internet Widgits Pty Ltd]:hlhk_client
Organizational Unit Name (eg, section) []:hlhk_sms_client
Common Name (e.g. server FQDN or YOUR name) []:192.168.2.246
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:192.168.2.246
(base) [root@localhost new_cert]#

The subject DN of the server and client CSRs must not be identical to the CA's subject DN; here the Organization Name and Organizational Unit Name are what differ. If subject and issuer were identical, the issued certificate would look self-signed during chain building and verification against ca.crt would fail.

3. Have the CA just created sign the server and client CSRs

Two things to note about the commands below. openssl x509 -req again defaults to 30 days of validity when -days is not given. And x509 -req copies no extensions from the CSR and adds none unless -extfile is supplied, so these certificates carry no subjectAltName; browsers no longer use the CN for hostname matching (Chrome dropped it in version 58), so a certificate for 192.168.2.246 needs a SAN entry of type IP Address regardless of what the CN says.

(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = 192.168.2.246
Getting CA Private Key
(base) [root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_client, OU = hlhk_sms_client, CN = 192.168.2.246
Getting CA Private Key
(base) [root@localhost new_cert]#
(base) [root@localhost new_cert]# ll
total 48
-rw-r--r-- 1 root root 891 Apr  6 14:46 ca.crt
-rw-r--r-- 1 root root 737 Apr  6 14:46 ca.csr
-rw------- 1 root root 891 Apr  6 14:44 ca.key
-rw-r--r-- 1 root root  41 Apr  6 14:50 ca.srl
-rw-r--r-- 1 root root 904 Apr  6 14:50 client.crt
-rw-r--r-- 1 root root 749 Apr  6 14:49 client.csr
-rw------- 1 root root 887 Apr  6 14:44 client.key
-rw-r--r-- 1 root root 272 Apr  6 14:44 client.pem
-rw-r--r-- 1 root root 899 Apr  6 14:49 server.crt
-rw-r--r-- 1 root root 712 Apr  6 14:47 server.csr
-rw------- 1 root root 887 Apr  6 14:43 server.key
-rw-r--r-- 1 root root 272 Apr  6 14:44 server.pem
(base) [root@localhost new_cert]#

6. Finally, generate the key and crt files that nginx will use

Note what these two commands actually do. `openssl rsa -in server.key -out server_nginx.key` only re-writes the same unencrypted key (its one effect would be to strip a passphrase, and server.key has none). `openssl x509 -req ... -signkey server_nginx.key` then produces a certificate that is self-signed by the server key itself, not issued by the CA from step 4, so the CA, the client certificate and the CA-signed server.crt from step 5 play no part in the nginx setup below. Browsers will warn unless server_nginx.crt itself is imported as trusted. To use the CA-issued certificate instead, point ssl_certificate at server.crt (with server.key) and import ca.crt into the clients' trust store.

(base) [root@localhost new_cert]# openssl rsa -in server.key -out server_nginx.key
writing RSA key
(base) [root@localhost new_cert]# openssl x509 -req -days 3650 -in server.csr -signkey server_nginx.key -out server_nginx.crt
Signature ok
subject=C = cn, ST = beijing, L = chaoyang, O = hlhk_serve, OU = hlhk_sms_serve, CN = 192.168.2.246
Getting Private key
(base) [root@localhost new_cert]#
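Steps 3 to 6 above, redone as one script so that the resulting certificates pass the checks a TLS client actually performs: a CA certificate marked CA:TRUE, 2048-bit leaf keys, a server certificate with an IP-address SAN and serverAuth EKU, a client certificate with clientAuth, and an openssl verify of the chain, purpose and IP. This is an added example, not code from the original post. It assumes OpenSSL 1.1.1 or newer on PATH, a writable working directory (default under /tmp), and the server IP 192.168.2.246 from the post; the subject names, key sizes and validity periods are choices made for this example.

```shell
#!/bin/sh
# Added example, not code from the original post: steps 3 to 6 redone so the
# certificates pass the checks a TLS client performs.
# Assumptions: OpenSSL 1.1.1+ on PATH; writable $WORKDIR (default under /tmp);
# server reached by the IP 192.168.2.246 used in the post, so the SAN is an IP.
# Subject names, key sizes and validity periods are choices for this example.
set -eu

WORKDIR="${WORKDIR:-${TMPDIR:-/tmp}/new_cert_example}"
SERVER_IP="${SERVER_IP:-192.168.2.246}"

# Minimal req config so the run does not depend on the system openssl.cnf.
# Subjects are always passed with -subj; the [dn] entry is only a placeholder.
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints     = critical, CA:TRUE, pathlen:0
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Step 4 redone: a CA certificate that says it is a CA (CA:TRUE, keyCertSign),
# which the post's plain "x509 -req -signkey" omits.
make_ca() {
  openssl genrsa -out "$WORKDIR/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -sha256 -days 3650 -config "$WORKDIR/req.cnf" \
    -key "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -subj "/C=CN/ST=beijing/L=chaoyang/O=hlhk_ca/OU=hlhk_sms_ca/CN=hlhk sms CA"
}

# Steps 3 and 5 redone for one leaf ($1 = name): 2048-bit key, CSR, then
# CA-signed with the extensions in $2. "x509 -req" copies nothing from the
# CSR, so SAN and EKU must come from -extfile.
issue_leaf() {
  name=$1
  printf '%s\n' "$2" > "$WORKDIR/$name.ext"
  openssl genrsa -out "$WORKDIR/$name.key" 2048 2>/dev/null
  openssl req -new -sha256 -config "$WORKDIR/req.cnf" \
    -key "$WORKDIR/$name.key" -out "$WORKDIR/$name.csr" \
    -subj "/C=CN/ST=beijing/L=chaoyang/O=hlhk_$name/OU=hlhk_sms_$name/CN=hlhk $name"
  openssl x509 -req -sha256 -days 825 -CAcreateserial \
    -in "$WORKDIR/$name.csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -extfile "$WORKDIR/$name.ext" -out "$WORKDIR/$name.crt" 2>/dev/null
}

generate_all() {
  mkdir -p "$WORKDIR"
  write_req_config
  make_ca
  issue_leaf server "basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=IP:$SERVER_IP
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer"
  issue_leaf client "basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=clientAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer"
}

# The checks a browser or client library performs: chain to the CA, purpose
# (EKU/keyUsage) and, for the server, that the SAN matches the IP being dialled.
verify_server() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslserver \
    -verify_ip "$SERVER_IP" "$WORKDIR/server.crt" >/dev/null 2>&1
}
verify_client() {
  openssl verify -CAfile "$WORKDIR/ca.crt" -purpose sslclient \
    "$WORKDIR/client.crt" >/dev/null 2>&1
}
san_has_ip() {
  openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q "IP Address:$SERVER_IP"
}
server_key_bits() {
  openssl rsa -in "$WORKDIR/server.key" -noout -text 2>/dev/null \
    | sed -n '1s/.*(\([0-9][0-9]*\) bit.*/\1/p'
}
# Negative check: the post's step 6 self-signs server.csr with the server key.
# That certificate is not issued by the CA, so it does not verify against ca.crt.
step6_cert_does_not_chain() {
  openssl x509 -req -days 3650 -in "$WORKDIR/server.csr" \
    -signkey "$WORKDIR/server.key" -out "$WORKDIR/server_nginx.crt" 2>/dev/null
  ! openssl verify -CAfile "$WORKDIR/ca.crt" "$WORKDIR/server_nginx.crt" >/dev/null 2>&1
}

if [ "${1:-}" = "run" ]; then
  generate_all
  verify_server && verify_client && san_has_ip && step6_cert_does_not_chain
  echo "certificates written to $WORKDIR (server key: $(server_key_bits) bits)"
fi
```

Run it with `sh make_certs.sh run`, then point nginx's ssl_certificate and ssl_certificate_key at server.crt and server.key from the working directory and import ca.crt (not the server certificate) into each client's trust store. Once nginx is up, `openssl s_client -connect 192.168.2.246:8061 -CAfile ca.crt` should report "Verify return code: 0 (ok)"; the same command against the post's server_nginx.crt reports a self-signed certificate error, which is what the last function above demonstrates offline.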

7. Copy the key and crt files to the nginx host and configure nginx (https://xxx.xxx.xxx.xxx:8061)

user  nginx;
worker_processes  8;

error_log  /var/log/nginx/info.log warn;
pid        /var/run/nginx.pid;

events {
    worker_connections 1024;
    accept_mutex on;
    multi_accept on;
    use epoll;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile        on;

    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       8061 ssl;
        server_name  hlhk.com;

        # Certificate and key from step 6. The nginx master process reads them
        # as root; keep the key mode 0600 (a dedicated directory such as
        # /etc/nginx/ssl is the conventional place for them).
        ssl_certificate      /root/new_cert/server_nginx.crt;
        ssl_certificate_key  /root/new_cert/server_nginx.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2 and 1.3
        # (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+).
        ssl_protocols TLSv1.2 TLSv1.3;
        # AEAD suites with ECDHE key exchange only: no CBC, no static RSA key exchange.
        ssl_ciphers  ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
        ssl_prefer_server_ciphers  on;

        location / {
            proxy_pass  http://hlhk.com;
            # Conventional header capitalisation so the backend's
            # X-Real-IP / X-Forwarded-For handling recognises them.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            # Tell the backend the client side was HTTPS so it generates https:// URLs.
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}

Origin blog.csdn.net/weixin_54514751/article/details/129994166