Foreword
To serve HTTPS from nginx you need a certificate. Certificates from a public CA cost money, so for research and testing you can issue your own with openssl. The procedure is:
(1) generate a CA root certificate
(2) generate a server certificate request
(3) sign the server certificate request with the CA root certificate to produce the server certificate
Once the server certificate exists, nginx can be configured to use it.
openssl Introduction
On Linux, openssl is the tool used to generate private keys, public keys, certificate requests and certificates, and to sign certificates.
Root CA certificate generation
Configuring openssl
Before using openssl, configure where it stores issued certificates, the serial number file, the database and so on. The defaults in the [ CA_default ] section are mostly fine; usually only the value of dir needs changing so that it points at the CA directory used below, /etc/pki/CA. On Debian/Ubuntu the file is /etc/ssl/openssl.cnf and dir defaults to ./demoCA; on RHEL-family systems the file is /etc/pki/tls/openssl.cnf and already points at /etc/pki/CA.
vim /etc/ssl/openssl.cnf
Then create the directories and files that the configuration refers to:
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/{serial,index.txt}
Viewing the result with tree gives the following layout:
woder@woder-pc:/etc$ tree /etc/pki
/etc/pki
├── CA
│ ├── certs (directory for issued certificates)
│ ├── crl (directory for certificate revocation lists)
│ ├── index.txt (database index file recording the certificates already signed)
│ ├── newcerts (directory where newly signed certificates are stored)
│ ├── private (directory holding the CA private key)
│ └── serial (current certificate serial number)
Initialising the serial number
The root certificate is what signs the server certificates. Certificates form a chain: once the root is trusted, every certificate issued under it is trusted as well.
Each certificate issued by the CA gets a serial number, tracked in the serial file; set the value for the first certificate:
echo 01 > /etc/pki/CA/serial
CA private key generation
Set umask 077 so that the new file is created with mode 600 (readable only by its owner), then generate a 4096-bit RSA key with openssl, stored as /etc/pki/CA/private/cakey.pem. The parentheses run both commands in a subshell so the umask does not persist in your shell:
(umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096)
Generating the CA certificate
Use the private key just generated to create the self-signed CA certificate.
req: the subcommand that creates certificate signing requests, inspects and verifies them, and (with -x509) produces a self-signed root CA certificate directly
-new: generate a new certificate request
-x509: output a self-signed certificate instead of a request
-key: the private key to use for the request (and, with -x509, to sign the certificate)
-out: the output file
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
You will be prompted for country, state, locality, organisation, common name, email and so on. Since the certificate is self-issued, any values will do, but remember what you enter for C, ST and O: under the default signing policy, the server requests this CA signs must carry the same values.
This command is confusing because producing a certificate normally takes three steps:
1. generate a private key, xxx.pem
2. use the private key xxx.pem to generate a certificate request, xxx.csr
3. sign the certificate request xxx.csr to produce the final certificate, xxx.crt
openssl req -new -x509 merges steps 2 and 3, so
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
is in fact equivalent to
# generate the certificate request
openssl req -new -out /etc/pki/CA/req.csr -key /etc/pki/CA/private/cakey.pem
# -in: the request to turn into a certificate; -signkey: the private key that signs it. Because this is the same key the request's public key belongs to, the result is a self-signed certificate
openssl x509 -req -in /etc/pki/CA/req.csr -out /etc/pki/CA/cacert.pem -signkey /etc/pki/CA/private/cakey.pem -days 3650
Generating the server certificate
Generating the server private key
First create and enter the ~/https directory, then generate the server's private key:
openssl genrsa -out https.pem 4096
Generating the server certificate request
openssl req -new -key https.pem -out https.csr -subj "/C=CN/ST=asdf/L=asdf/O=asdf/CN=domainName.com/[email protected]"
-subj pre-fills the requester information so that no prompts appear (-days has no effect on a plain request, only on the signed certificate). Be aware that under the default policy in openssl.cnf (policy_match), the C, ST and O fields of the request must match those of the root certificate or openssl ca refuses to sign; L is not listed in that policy and is silently dropped from the issued certificate. If you forget what was entered for the root, query it with:
openssl x509 -in /etc/pki/CA/cacert.pem -noout -subject
Generating the server certificate
Running the following command produces the certificate file https.crt, which is the certificate the server sends to clients. It reads and updates the CA directory (index.txt, serial, newcerts), so it needs write access to /etc/pki/CA:
openssl ca -in https.csr -out https.crt -days 365
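The whole procedure above (CA directory, root key and certificate, server key, request, signing) as one non-interactive script. This is an added example, not code from the original post: it uses its own minimal openssl.cnf in a scratch directory instead of /etc/ssl/openssl.cnf, so it runs without root and never touches /etc/pki. All subject values and host names (Example Lab, www.example.test) are made up. It goes beyond the post in two ways a practitioner needs: it puts the host name into a subjectAltName extension, because Chrome ignores CN, and it shows the policy_match check refusing a request whose O field differs from the CA's.

```shell
#!/bin/sh
# Added example (not the post's own code): build a throwaway CA and issue a
# server certificate non-interactively, then verify the chain as a client would.
# Needs only the openssl CLI; everything lives under a mktemp directory.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "this example needs the openssl CLI" >&2; exit 1; }

# Create the directory layout the post describes under $1, plus a minimal
# openssl.cnf with the same policy_match rules as the stock file.
setup_ca_dir() {
    ca="$1"
    mkdir -p "$ca/certs" "$ca/crl" "$ca/newcerts" "$ca/private"
    : > "$ca/index.txt"        # empty certificate database
    echo 01 > "$ca/serial"     # serial number of the first certificate
    chmod 700 "$ca/private"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $ca
new_certs_dir = \$dir/newcerts
database      = \$dir/index.txt
serial        = \$dir/serial
certificate   = \$dir/cacert.pem
private_key   = \$dir/private/cakey.pem
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
x509_extensions    = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Root CA: private key (mode 600 via umask) and self-signed certificate. $2 is the subject.
make_ca() {
    setup_ca_dir "$1"
    (umask 077; openssl genrsa -out "$1/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$1/openssl.cnf" -key "$1/private/cakey.pem" \
        -subj "$2" -days 3650 -out "$1/cacert.pem"
}

# Server certificate: key -> CSR -> signed by the CA. $3 is the subject, $4 the
# host name, written into subjectAltName via -extfile. Returns non-zero when the
# CSR's C/ST/O differ from the CA's, because policy_match rejects it.
issue_server_cert() {
    ca="$1"; out="$2"
    mkdir -p "$out"
    (umask 077; openssl genrsa -out "$out/https.pem" 2048 2>/dev/null)
    openssl req -new -config "$ca/openssl.cnf" -key "$out/https.pem" -subj "$3" -out "$out/https.csr"
    printf 'subjectAltName = DNS:%s\nbasicConstraints = CA:FALSE\nextendedKeyUsage = serverAuth\n' "$4" > "$out/ext.cnf"
    openssl ca -batch -notext -config "$ca/openssl.cnf" -extfile "$out/ext.cnf" \
        -in "$out/https.csr" -out "$out/https.crt" -days 365 2>/dev/null
}

# What a client does: chain the server certificate to the trusted root and check
# the host name against it. Exit status 0 means a browser trusting the root would accept it.
verify_chain() {
    openssl verify -CAfile "$1/cacert.pem" -verify_hostname "$3" "$2/https.crt" >/dev/null 2>&1
}

demo() {
    work=$(mktemp -d)
    make_ca "$work/CA" "/C=CN/ST=Test/O=Example Lab/CN=Example Lab Root CA"
    issue_server_cert "$work/CA" "$work/https" "/C=CN/ST=Test/O=Example Lab/CN=www.example.test" www.example.test
    verify_chain "$work/CA" "$work/https" www.example.test && echo "chain and host name OK for www.example.test"
    # A request from another organisation is refused by policy_match:
    if issue_server_cert "$work/CA" "$work/bad" "/C=CN/ST=Test/O=Other Org/CN=bad.example.test" bad.example.test; then
        echo "unexpected: policy did not reject O=Other Org"
    else
        echo "policy_match rejected the request with O=Other Org"
    fi
    rm -rf "$work"
}
demo
```

The script passes -config explicitly to both openssl req and openssl ca, which is the same mechanism the post relies on when it edits dir in the system openssl.cnf; to use it against the real /etc/pki/CA, point dir at that directory and drop the scratch setup.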
nginx configuration
HTTPS uses port 443 by default, so the server block listens on 443.
Download, build and install nginx
wget http://nginx.org/download/nginx-1.11.3.tar.gz
tar -zxvf nginx-1.11.3.tar.gz
cd nginx-1.11.3
./configure --prefix=/usr/local/nginx --with-http_stub_status_module --with-http_ssl_module
make && make install
In nginx.conf the main settings to change are ssl_certificate and ssl_certificate_key; point them at the certificate (https.crt) and the private key (https.pem) just created.
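A server block using those two directives, as an added example that is not the post's own nginx.conf. The file paths assume the ~/https working directory of the user woder from the post; the protocol and cipher settings are an addition, since nginx's defaults still permit older TLS versions.

```nginx
# Added example, not from the original post. Paths assume the post's
# ~/https directory for user woder; adjust to your install.
server {
    listen 443 ssl;
    server_name domainName.com;        # must match the name in the certificate

    # Server certificate; if the CA were an intermediate, its certificate
    # would be appended to this file after the server certificate.
    ssl_certificate     /home/woder/https/https.crt;
    # Private key: keep it mode 600 and readable only by the nginx master process.
    ssl_certificate_key /home/woder/https/https.pem;

    # Modern protocols only; nginx's defaults also allow TLS 1.0/1.1.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;

    location / {
        root  html;
        index index.html;
    }
}

# Check from the command line after reloading nginx; with the root certificate
# supplied, the output ends in "Verify return code: 0 (ok)":
#   openssl s_client -connect localhost:443 -servername domainName.com -CAfile /etc/pki/CA/cacert.pem
```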
Start nginx with the edited configuration file (adjust the paths to your install: with the --prefix above, the binary is /usr/local/nginx/sbin/nginx and the configuration is /usr/local/nginx/conf/nginx.conf):
sudo /usr/sbin/nginx -c /home/woder/download/nginx-1.13.6/conf/nginx.conf
Finally open https://localhost in a browser. It warns that the connection is not secure, because the browser does not trust the root certificate that issued the server certificate (and because the certificate was issued for domainName.com, not localhost); click through and the nginx welcome page appears. To remove the trust warning, import the root certificate cacert.pem (not the server certificate) into the browser's or operating system's trusted root store, for example through Chrome's certificate manager. Note that Chrome has ignored the CN field since version 58 and matches the host name only against the subjectAltName extension, so a certificate issued as above with CN alone still fails the name check even once the root is trusted; add a subjectAltName containing the host name when signing.
Other
Besides server certificates and root CA certificates there is a third kind, the client certificate, used to verify the identity of the client rather than the server. It is rarely needed; one example is online banking that restricts a customer to a particular machine: the USB key ("U-shield") that banks have long issued is essentially a carrier for a client certificate. In short, a certificate's role is to prove an identity.