Nginx server SSL certificate
Generating the passphrase-protected key (pass key)
The following command generates a 2048-bit RSA key protected by a passphrase; -passout pass:111111 supplies the passphrase on the command line so that the interactive prompt is avoided (note that it then also ends up in the shell history).
[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:111111 -out server.pass.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
.....................+++
e is 65537 (0x10001)
Generating the private key
The following command removes the passphrase and writes the plain private key server.key; -passin pass:111111 supplies the pass key's passphrase so that the interactive prompt is avoided. Nginx loads this unencrypted key (unless ssl_password_file is configured), so keep its file permissions tight.
[tomcat@a02 tmp]$ openssl rsa -passin pass:111111 -in server.pass.key -out server.key
writing RSA key
Generating the certificate signing request (CSR)
The following command generates the CSR. You are prompted for the organization's details; the Common Name (CN) must be the domain name of the server. The final prompt asks for a challenge password, which is attached to the CSR.
[tomcat@a02 tmp]$ openssl req -new -sha256 -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:iSomeone
Common Name (eg, your name or your server's hostname) []:internal.someone.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:222222
An optional company name []:
Sending the CSR to the CA that issues the certificate
If you bought the certificate from a CA service provider, this step is simply sending them the CSR. When the issued certificate comes back, write its contents to server.pem (with any intermediate CA certificates the provider supplies appended after the server certificate, which is the order nginx expects).
Configuring it in Nginx
server {
    listen 443 ssl;                 # `listen ... ssl` replaces the `ssl on;` directive, deprecated since nginx 1.15.0
    server_name www.example.com;

    ssl_certificate     /path/to/ssl/server.pem;   # issued certificate, followed by any intermediates
    ssl_certificate_key /path/to/ssl/server.key;   # the passphrase-free private key

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them unless legacy clients still need them
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_session_cache shared:ssl_www_example_com:5m;
    ssl_session_timeout 5m;
    # The trailing 3DES (DES-CBC3) and plain-RSA suites have no forward secrecy and exist only for old clients
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA;
    # ...

    location / {
        # ...
    }
    # ...
}
Making a self-signed certificate
If you are making a self-signed certificate instead, the following command generates the PEM certificate directly
[tomcat@a02 tmp]$ openssl x509 -req -sha256 -days 3655 -in server.csr -signkey server.key -out server.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=iSomeone/CN=internal.someone.com
Getting Private key
Nginx client authentication certificate
Client certificate authentication in Nginx is independent of the server's SSL certificate: you can use a CA-signed certificate for the server while issuing the client certificates from your own self-made CA for client-side validation.
Generating the CA private key (used to sign the client certificates)
[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out ca.pass.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................................................................................+++
...................................+++
e is 65537 (0x10001)
[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in ca.pass.key -out ca.key
writing RSA key
Generating the CA certificate
The following command generates the CA certificate ca.pem, which is later configured in nginx as the trusted issuer of client certificates.
[tomcat@a02 tmp]$ openssl req -new -x509 -days 3655 -key ca.key -out ca.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:iSomeone
Common Name (eg, your name or your server's hostname) []:internal.someone.com
Email Address []:
Generating the client private key
[tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out client_01.pass.key 2048
Generating RSA private key, 2048 bit long modulus
..........................+++
.....+++
e is 65537 (0x10001)
[tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in client_01.pass.key -out client_01.key
writing RSA key
Generating the client certificate signing request (CSR)
[tomcat@a02 tmp]$ openssl req -new -key client_01.key -out client_01.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:HenSomeone
Organizational Unit Name (eg, section) []:Staff
Common Name (eg, your name or your server's hostname) []:Staff
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:201907
An optional company name []:
Issuing the client certificate
The following command signs the client's CSR with the CA private key and CA certificate and produces the client certificate. The -set_serial 01 parameter sets the certificate's serial number; when issuing certificates to several clients this number must not be repeated (duplicate serials under one CA break revocation lists and are rejected by some clients).
[tomcat@a02 tmp]$ openssl x509 -req -days 3655 -in client_01.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client_01.pem
Signature ok
subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=Staff/CN=Staff
Getting CA Private Key
Converting the client certificate format
The certificate as generated is not directly usable by most client applications; it has to be converted into the format the application expects.
Full PEM (private key, client certificate and CA certificate concatenated):
[tomcat@a02 tmp]$ cat client_01.key client_01.pem ca.pem > client_01.full.pem
PFX (PKCS#12): the export password entered here is the password that has to be entered when the PFX is imported into the application.
[tomcat@a02 tmp]$ openssl pkcs12 -export -out client_01.full.pfx -inkey client_01.key -in client_01.pem -certfile ca.pem
Enter Export Password:
Verifying - Enter Export Password:
Nginx configuration for client certificate authentication
ssl_client_certificate /path/to/ca.pem;   # the CA certificate that issued the client certificates (ca.pem above)
ssl_verify_client optional;               # or `on` to require a client certificate
# With `optional`, a connection that presents no client certificate is still served (with
# $ssl_client_verify set to NONE), so the application must check that variable itself.
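The client-side steps of this section (CA key and certificate, client key, CSR, signing with -set_serial, PFX export) run without prompts, together with the verdict nginx reaches for each client certificate when ssl_client_certificate points at ca.pem. This is an added example, not part of the original guide; it assumes `openssl` is on PATH, and the subjects, file names, the second "other_ca" and the PFX password are constructed for the demo.

```shell
# Added example (not from the original guide): the CA -> client certificate steps of this
# section run without prompts, plus the verdict nginx reaches for each client certificate
# and a PFX round trip. Assumes `openssl` is on PATH; subjects and names are constructed.
set -eu

# make_ca DIR NAME: passphrase-free key plus self-signed CA certificate (the ca.key / ca.pem
# pair above); -nodes folds the "strip the passphrase" step into the key generation.
make_ca() {
    openssl req -new -x509 -nodes -newkey rsa:2048 -days 3655 \
        -subj "/C=CN/O=HenSomeone/CN=$2" -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# issue_client DIR CA NAME SERIAL: client key and CSR, then signing by the CA exactly as
# `openssl x509 -req -CA ca.pem -CAkey ca.key -set_serial ...` does above.
issue_client() {
    openssl genrsa -out "$1/$3.key" 2048 2>/dev/null
    openssl req -new -key "$1/$3.key" -subj "/O=HenSomeone/OU=Staff/CN=$3" -out "$1/$3.csr"
    openssl x509 -req -days 3655 -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
        -set_serial "$4" -out "$1/$3.pem" 2>/dev/null
}

# verify_client CA_PEM CLIENT_PEM: prints SUCCESS or FAILED, the verdict nginx reaches when
# ssl_client_certificate points at CA_PEM (a certificate from any other issuer is refused).
verify_client() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo SUCCESS; else echo FAILED; fi
}

# cert_serial PEM: the number chosen with -set_serial, e.g. "serial=01"; must be unique per CA.
cert_serial() { openssl x509 -in "$1" -noout -serial; }

# pfx_roundtrip DIR NAME PASSWORD: export the PFX as above, then open it again with the same
# password and read a subject back, which is what the importing application will do.
pfx_roundtrip() {
    openssl pkcs12 -export -out "$1/$2.full.pfx" -inkey "$1/$2.key" -in "$1/$2.pem" \
        -certfile "$1/ca.pem" -passout "pass:$3"
    openssl pkcs12 -in "$1/$2.full.pfx" -passin "pass:$3" -nokeys 2>/dev/null | openssl x509 -noout -subject
}

demo() {
    dir=$(mktemp -d)
    make_ca "$dir" ca                           # the CA nginx will trust
    make_ca "$dir" other_ca                     # an unrelated CA, to show what is refused
    issue_client "$dir" ca client_01 01
    issue_client "$dir" other_ca client_02 01   # same serial, but the wrong issuer
    echo "client_01: $(verify_client "$dir/ca.pem" "$dir/client_01.pem"), $(cert_serial "$dir/client_01.pem")"
    echo "client_02: $(verify_client "$dir/ca.pem" "$dir/client_02.pem")"
    echo "client_01.full.pfx opens: $(pfx_roundtrip "$dir" client_01 201908)"
    rm -rf "$dir"
}
demo
```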