How to configure HTTPS (free certificate) in nginx

 

Preface:

  Applying for a free SSL certificate for your site is the more mainstream approach, and some browsers are gradually dropping support for self-signed certificates. This is done to keep users safe, so it is understandable, and many sites now let you apply for a free SSL certificate for your own site without paying for a commercial one. Treat the approach here only as a reference and a record, or use the self-signed certificate for HTTPS with some older or particular browsers.

 

Main text:

If you use nginx as a reverse proxy, this article shows you how to configure HTTPS in nginx, so it is no problem even if your back-end service only speaks HTTP.

First, what certificate do we need

  I previously wrote "Tomcat HTTPS configuration (free certificate)" on Jianshu (if you want to read it, look on my home page; the two topics are closely related), which already classifies the certificate formats. nginx uses a certificate in PEM format; split apart, it is the two files we need: a .key file and a .crt file.

Second, how to get a free certificate

The first: if you are a Windows user and have a certificate in .keystore format

You can use the JKS2PFX conversion tool to convert your keystore certificate to a PEM certificate. To do so, cd to the tool's directory, then run the command:

$ JKS2PFX <KeyStore file> <KeyStore password> <Alias> <export file name>

The second: if you are on a Linux or OSX system

  1. Generate the private key; run:

$ openssl genrsa -des3 -out server.key 2048

You are asked for a password twice; enter the same one both times.

After entering the password you get a server.key file. Later uses of this file (through openssl commands or the API) will often ask for the password again. To remove the password, use the following command:

$ openssl rsa -in server.key -out server.key

  2. Create the server certificate signing request server.csr; run:

$ openssl req -new -key server.key -out server.csr

 

For Country Name enter CN. For Common Name enter the host name; it can be left blank, but if it is blank the browser treats the site as unsafe (for example, if your URL will be https://abcd/xxxx..., enter abcd here). The other fields can be left blank.

  3. Create a CA certificate:

$ openssl req -new -x509 -key server.key -out ca.crt -days 3650

At this point you have the certificate ca.crt, which is used to sign your own certificate.

  4. Create the server certificate server.crt, valid for ten years from the current date:

$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt

  5. ls your folder; you can see that five files were generated in total:

ca.crt ca.srl server.crt server.csr server.key

Of these, server.crt and server.key are the certificate files nginx needs.

Third, how to configure nginx

  1. Open your nginx configuration file and search for 443 to find the https configuration; uncomment that code, or directly copy my configuration below:

server {
        listen       443 ssl;   # "ssl on;" is deprecated; enable TLS on the listen directive
        server_name  localhost;
        ssl_certificate /root/Lee/keys/server.crt;      # location of the certificate
        ssl_certificate_key /root/Lee/keys/server.key;  # location of the private key
        #ssl_client_certificate ca.crt; # mutual authentication
        #ssl_verify_client on; # mutual authentication
        ssl_session_timeout  5m;
        ssl_protocols  TLSv1.2 TLSv1.3;   # SSLv2, SSLv3 and TLSv1 are obsolete and insecure
        ssl_ciphers  HIGH:!aNULL:!MD5;    # strong suites only; no LOW, EXPORT or RC4
        ssl_prefer_server_ciphers   on;
}

  2. Change ssl_certificate to the path of your server.crt, and ssl_certificate_key to the path of your server.key.
  3. Run nginx -s reload to reload the configuration.

At this point, nginx is ready to serve https on the default port 443.
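
A check for the TLS directives configured in this section, as an added example that is not part of the original post: the function reads an nginx configuration on stdin and reports "ssl on;", protocol versions below TLSv1.2, and cipher-list tokens that add weak suites. The function names, finding labels and sample configuration are constructed for the example, and the cipher check is a heuristic on the tokens, not an expansion of the list.

```shell
#!/bin/sh
# Added example: heuristic audit of nginx TLS directives (not the post's code).
# Reads nginx configuration on stdin and prints one finding per line.
audit_nginx_tls() {
  # Strip comments first so commented-out directives are not reported.
  sed 's/#.*$//' | awk '
    BEGIN {
      # Tokens that add weak or unauthenticated suites to an OpenSSL cipher list.
      n = split("ALL LOW EXP EXPORT EXPORT40 EXPORT56 RC4 DES 3DES MD5 NULL eNULL aNULL ADH SSLv2", w, " ")
      for (i = 1; i <= n; i++) weak[w[i]] = 1
    }
    { gsub(/[;"]/, "") }                   # drop terminators and double quotes
    $1 == "ssl" && $2 == "on" {
      print "DEPRECATED_DIRECTIVE: ssl on (use: listen 443 ssl)"
    }
    $1 == "ssl_protocols" {
      for (i = 2; i <= NF; i++)
        if ($i ~ /^(SSLv2|SSLv3|TLSv1|TLSv1\.1)$/) print "WEAK_PROTOCOL: " $i
    }
    $1 == "ssl_ciphers" {
      n = split($2, tok, ":")
      for (i = 1; i <= n; i++) {
        if (tok[i] ~ /^[!+-]/) continue    # "!" and "-" remove; a leading "+" only reorders
        m = split(tok[i], part, "+")       # an inner "+" means AND, e.g. RC4+RSA
        for (j = 1; j <= m; j++)
          if (part[j] in weak) { print "WEAK_CIPHER_TOKEN: " tok[i]; break }
      }
    }'
}

# Constructed sample carrying legacy settings found in old tutorials.
sample_legacy_config() {
  cat <<'EOF'
server {
    listen 443;
    ssl on;
    #ssl_verify_client on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
}
EOF
}

sample_legacy_config | audit_nginx_tls
```

To see the exact suites a cipher string enables, expand it with openssl ciphers -v '<string>'.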

 


Origin www.cnblogs.com/immense/p/11402157.html