Before starting, Nginx must already be built and the required ports must be open.
First, check whether openssl is installed
[root@localhost ~]# rpm -qa openssl
openssl-1.0.2k-16.el7_6.1.x86_64
Second, create a root CA certificate
1, generate the CA private key
[root@localhost openssl]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
..............................................................................+++
e is 65537 (0x10001)
[root@localhost openssl]# ls
local.key
2, generate the CA certificate request
[root@localhost openssl]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:China
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:CN // country
State or Province Name (full name) []:beijing // province
Locality Name (eg, city) [Default City]:beijing // city
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test // department
Common Name (eg, your name or your server's hostname) []:test // hostname
Email Address []:[email protected] // email
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tanxiao // password
An optional company name []:tanxiao // company name
[root@localhost openssl]# ls
local.csr  local.key
3, generate the CA root certificate
The commands for generating a CA certificate are not easy to understand at first. There are two steps:
1. generate the certificate request file from the key
2. generate the final certificate from the certificate request file
Options of the x509 command used below:
-in: the certificate request file used to generate the certificate
-signkey: the private key used to sign
Options of the req command used above:
req: generates and verifies certificate request files and can create a root CA certificate
-new: generate a new certificate request
-x509: output a certificate directly
-key: the private key file used when generating the certificate request
-out: the output file
[root@localhost openssl]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/[email protected]
Getting Private key
Third, create a server certificate signed by the CA root certificate
1, generate the server private key
[root@localhost openssl]# openssl genrsa -out my_server.key 2048
Generating RSA private key, 2048 bit long modulus
..+++
....................................................+++
e is 65537 (0x10001)
2, generate the server certificate request
[root@localhost openssl]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tanxiao
An optional company name []:tanxiao
[root@localhost openssl]# ls
local.crt  local.csr  local.key  my_server.csr  my_server.key
3, generate the server certificate
[root@localhost openssl]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/[email protected]
Getting CA Private Key
Fourth, configure nginx to support SSL (the ssl module must be included when nginx is configured and built)
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
server {
    listen 80;
    listen 443 default ssl;
    keepalive_timeout 100;
    # Serve the server certificate and key from step three; the CA key (local.key) stays off the web server.
    ssl_certificate /root/my_server.crt;
    ssl_certificate_key /root/my_server.key;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    server_name localhost;
    charset utf-8;
}
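Added example, not from the original post: the CA and server certificate steps above run non-interactively, with the extension sections supplied through -extfile (x509 -req does not apply -extensions without it), followed by checks that the chain verifies and that a certificate matches the private key served with it. The subjects, the name test.example, the file ext.cnf and the function names are assumptions made for the example.

```shell
# Added example; "Demo Root CA", test.example and ext.cnf are constructed names.
make_demo_pki() {   # $1 = working directory
    mkdir -p "$1" || return 1
    # x509 -req applies an -extensions section only when -extfile supplies it.
    cat > "$1/ext.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_req]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:test.example
EOF
    (
        cd "$1" &&
        # Root CA: key, request, self-signed certificate marked CA:TRUE.
        openssl genrsa -out local.key 2048 2>/dev/null &&
        openssl req -new -config ext.cnf -key local.key \
            -subj "/C=CN/O=Demo/CN=Demo Root CA" -out local.csr &&
        openssl x509 -req -days 365 -sha256 -in local.csr -signkey local.key \
            -extfile ext.cnf -extensions v3_ca -out local.crt 2>/dev/null &&
        # Server: its subject must differ from the CA's or it looks self-issued.
        openssl genrsa -out my_server.key 2048 2>/dev/null &&
        openssl req -new -config ext.cnf -key my_server.key \
            -subj "/C=CN/O=Demo/CN=test.example" -out my_server.csr &&
        openssl x509 -req -days 365 -sha256 -in my_server.csr \
            -CA local.crt -CAkey local.key -CAcreateserial \
            -extfile ext.cnf -extensions v3_req -out my_server.crt 2>/dev/null
    )
}

cert_has() {        # $1 = certificate, $2 = text expected in its dump
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

chain_ok() {        # $1 = CA certificate, $2 = server certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

key_matches() {     # $1 = certificate, $2 = RSA private key served with it
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl rsa -in "$2" -pubout 2>/dev/null)" ]
}
```

Run make_demo_pki on an empty directory, then run the three checks on the resulting files before pointing ssl_certificate and ssl_certificate_key at them.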
Fifth, test
https://www.cnblogs.com/tanxiaojuncom/