Based on nginx combined with openssl achieve https

Others 2019-09-19 18:45:04 views: null

Nginx needs to be built before doing to ensure open ports

First, check whether the installation openssl

[root@localhost ~]# rpm -qa openssl
openssl-1.0.2k-16.el7_6.1.x86_64

Second, create a root CA certificate

1, generate the CA private key

Copy the code 
[root@localhost openssl]# openssl genrsa -out local.key 2048
Generating RSA private key, 2048 bit long modulus
.............................+++
..............................................................................+++
e is 65537 (0x10001)

[root@localhost openssl]# ls
local.key
Copy the code

2, the CA certificate generation request

Copy the code 
[root@localhost openssl]# openssl req -new -key local.key -out local.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:China
string is too long, it needs to be less than  2 bytes long
Country Name (2 letter code) [XX]:CN   //国家
State or Province Name (full name) []:beijing   //省
Locality Name (eg, city) [Default City]:beijing  //城市
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test   //部门
Common Name (eg, your name or your server's hostname) []:test   //主机名
Email Address []:[email protected]   //邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tanxiao    //密码
An optional company name []:tanxiao   //公司名

[root@localhost openssl]# ls
local.csr  local.key
Copy the code

3, generated CA root certificate

Generating a CA certificate that is not easy to get to know the command 
1. certificate request file key generation 
2. certificate request file to generate the final certificate 
 -in generate a certificate using the certificate request file, -signkey designated private key
req: certificate generation request documents to verify the certificate and create a root CA 
-new: a new generation represents a certificate request 
-x509: direct output certificate 
-key: generating a private key file used when the certificate request 
-out: the output file
Copy the code 
[root@localhost openssl]# openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/[email protected]
Getting Private key
Copy the code

Third, create a server root certificate in accordance with the CA root certificate

1, the private key generating server

[root@localhost openssl]# openssl genrsa -out my_server.key 2048 
Generating RSA private key, 2048 bit long modulus
..+++
....................................................+++
e is 65537 (0x10001)

2, generates a server certificate request

Copy the code 
[root@localhost openssl]# openssl req -new -key my_server.key -out my_server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:beijing
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test
Common Name (eg, your name or your server's hostname) []:test
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:tanxiao
An optional company name []:tanxiao

[root@localhost openssl]# ls
local.crt  local.csr  local.key  my_server.csr  my_server.key
Copy the code

3, generated server certificate

Copy the code 
[root@localhost openssl]# openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt
Signature ok
subject=/C=CN/ST=beijing/L=beijing/O=Default Company Ltd/OU=test/CN=test/[email protected]
Getting CA Private Key
Copy the code

Four, arranged to support nginx SSL (ssl module must be installed when configuring nginx)

Copy the code 
[root@localhost ~]# vim /usr/local/nginx/conf/nginx.conf
server {
        listen       80;

        listen       443 default  ssl;
                keepalive_timeout 100;

                   ssl_certificate      /root/local.crt;
                   ssl_certificate_key  /root/local.key;

                        ssl_session_cache    shared:SSL:10m;
                        ssl_session_timeout  10m;

                   ssl_ciphers  HIGH:!aNULL:!MD5;
                   ssl_prefer_server_ciphers  on;


        server_name  localhost;

        charset utf-8;
}
Copy the code

Five test

 

 

 

 

https://www.cnblogs.com/tanxiaojuncom/

Guess you like

Origin www.cnblogs.com/laohantui/p/11548500.html
Recommended
Ranking
error: (-215:Assertion failed) !_img.empty() in function ‘cv::imwrite‘
Database migration between Navicat servers
Minimum number of rotation of the array: Array
balenaEtcher for mac (make a boot disk software) v1.5.67
Custom processing serialization and deserialization in jackson
Mu-en-mask system development software
Mastering Regular Expressions
Find mileage Java--
Web pages can not directly concern the public micro-channel number how to do? A key to arouse public concern number of micro-channel solutions
[CodeForces - 739B] Alyona and a tree Tree + [difference] + bipartite
Daily
More
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)
2024-05-04(18)
2024-05-03(8)

Code World

© 2018 codetd.com