Linux Learning - Nginx Learning: Implementing HTTPS
Posted 丢爸
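This example issues its own certificate on the server: it generates the private key itself and signs the certificate itself.
- Set up the CA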
[root@nginx01 ~]# cd /etc/pki/CA
[root@nginx01 CA]# ls
certs crl newcerts private
[root@nginx01 CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus
....................................+++
.......................+++
e is 65537 (0x10001)
[root@nginx01 CA]# ls -l private/
total 4
-rw------- 1 root root 1675 Apr 29 19:48 cakey.pem
- Create the self-signed certificate
[root@nginx01 CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:tye
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.tye.com
Email Address []:tye@tye.com
[root@nginx01 CA]# ls
cacert.pem certs crl newcerts private
[root@nginx01 CA]# touch serial index.txt
[root@nginx01 CA]# echo 01 > serial
- Create the key file
[root@nginx01 CA]# cd /etc/nginx/
[root@nginx01 nginx]# mkdir ssl
[root@nginx01 nginx]# cd ssl
[root@nginx01 ssl]# (umask 077;openssl genrsa -out nginx.key 1024)
Generating RSA private key, 1024 bit long modulus
.................................++++++
.......................................++++++
e is 65537 (0x10001)
[root@nginx01 ssl]# ll
total 4
-rw------- 1 root root 887 Apr 29 19:52 nginx.key
- Generate the certificate signing request
[root@nginx01 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:tye
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.tye.com
Email Address []:tye@tye.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
- Sign the certificate
[root@nginx01 ssl]# openssl ca -in nginx.csr -out nginx.crt -days 3655
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Apr 29 23:55:19 2022 GMT
Not After : May 1 23:55:19 2032 GMT
Subject:
countryName = CN
stateOrProvinceName = HN
organizationName = tye
organizationalUnitName = Ops
commonName = www.tye.com
emailAddress = tye@tye.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
65:DA:B3:80:2F:63:D6:7C:A2:90:3E:13:89:9A:43:74:AF:13:85:E2
X509v3 Authority Key Identifier:
keyid:C1:A0:57:48:4B:B5:23:34:B7:9F:E4:D3:B2:12:CD:B0:ED:D1:1F:EE
Certificate is to be certified until May 1 23:55:19 2032 GMT (3655 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@nginx01 ssl]# ll
total 12
-rw-r--r-- 1 root root 3770 Apr 29 19:55 nginx.crt
-rw-r--r-- 1 root root 668 Apr 29 19:54 nginx.csr
-rw------- 1 root root 887 Apr 29 19:52 nginx.key
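server {
    listen 443 ssl;
    server_name www.tye.com;
    # Certificate signed by the CA above, and the matching private key
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    # Shared session cache so workers can resume TLS sessions
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    # Exclude anonymous and MD5-based cipher suites
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}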
- Access through a browser
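
The steps above as a non-interactive run in a scratch directory, followed by the checks worth making before pointing nginx at the files (added example, not the original post's commands). It assumes `openssl x509 -req` in place of `openssl ca` so that /etc/pki/CA is left untouched, a 2048-bit server key rather than the 1024-bit key shown above, and a subjectAltName entry, because current browsers match the host name against subjectAltName rather than the Common Name; `issue_demo_cert` and `check_pair` are names made up for this example.

```shell
#!/bin/sh
# Added example. Host names come from the page; the 2048-bit server key, the
# subjectAltName and the scratch directory are assumptions of this example.

issue_demo_cert() {   # $1 = scratch dir, $2 = server key size in bits
    d=$1
    # CA key and self-signed CA certificate (same subject as on the page)
    openssl genrsa -out "$d/cakey.pem" 2048 2>/dev/null || return 1
    openssl req -new -x509 -key "$d/cakey.pem" -out "$d/cacert.pem" \
        -days 3655 -subj "/C=CN/ST=HN/L=ZZ/O=tye/OU=ops/CN=ca.tye.com" || return 1
    # Server key and certificate signing request
    openssl genrsa -out "$d/nginx.key" "$2" 2>/dev/null || return 1
    openssl req -new -key "$d/nginx.key" -out "$d/nginx.csr" \
        -subj "/C=CN/ST=HN/L=ZZ/O=tye/OU=Ops/CN=www.tye.com" || return 1
    # Sign with the CA key, adding the SAN that browsers match against
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.tye.com\n' \
        > "$d/ext.cnf"
    openssl x509 -req -in "$d/nginx.csr" -CA "$d/cacert.pem" \
        -CAkey "$d/cakey.pem" -set_serial 1 -days 3655 -sha256 \
        -extfile "$d/ext.cnf" -out "$d/nginx.crt" 2>/dev/null
}

check_pair() {        # $1 = dir holding cacert.pem, nginx.crt, nginx.key
    d=$1
    # 1. The server certificate chains to the CA certificate
    openssl verify -CAfile "$d/cacert.pem" "$d/nginx.crt" >/dev/null 2>&1 \
        || return 1
    # 2. nginx.key and nginx.crt carry the same public key; a mismatched
    #    pair makes nginx refuse to start
    k=$(openssl pkey -in "$d/nginx.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$d/nginx.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ] || return 2
    # 3. The certified key is at least 2048 bits
    bits=$(openssl x509 -in "$d/nginx.crt" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit.*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || return 3
    # 4. The host name appears in subjectAltName
    openssl x509 -in "$d/nginx.crt" -noout -text |
        grep -q 'DNS:www.tye.com' || return 4
}

# Demo run in a throwaway directory
work=$(mktemp -d)
issue_demo_cert "$work" 2048 && check_pair "$work" &&
    echo "chain, key match, key size and SAN all check out"
rm -rf "$work"
```

`check_pair` returns 0 only when all four checks pass; the non-zero code identifies the first check that failed.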