linux自建证书搭建https（单项加密）

Posted 2023-04-01 有谁看见我的剑了？

搭建https有两种方式，分为单向认证和双向认证。单向认证就是传输的数据加密过了，但是不会校验客户端的来源，也就只有客户端验证服务端证书。

本次实验是搭建单向认证的https证书

1、 建立服务器私钥，生成RSA秘钥，过程中会输入密码（123456）

1.1、 创建存放ssl证书的路径

  [root@localhost ~]# mkdir -p  /home/ssl/certificate
  [root@localhost ~]# cd /home/ssl/certificate

1.2、 创建私钥

[root@localhost certificate]# openssl genrsa -des3 -out server.key
2048 Generating RSA private key, 2048 bit long modulus
…+++
…+++ e is 65537 (0x10001) Enter pass phrase for
server.key: 123456 Verifying - Enter pass phrase for server.key:
123456

server.key 私钥名称
2048 加密程度
123456 个人理解，这个估计是对这个密码进行加密

2、 生成一个证书请求，需要输入私钥的密码

[root@localhost certificate]# openssl req -new -key server.key -out
server.csr Enter pass phrase for server.key: 123456 // 私钥密码 You are
about to be asked to enter information that will be incorporated into
your certificate request. What you are about to enter is what is
called a Distinguished Name or a DN. There are quite a few fields but
you can leave some blank For some fields there will be a default
value, If you enter ‘.’, the field will be left blank.
----- Country Name (2 letter code) [XX]:cn // 国家，只能输入两个字节 State or Province Name (full name) []:Fujian // 省份 Locality Name (eg, city)
[Default City]:Xiamen // 城市 Organization Name (eg, company)
[Default Company Ltd]:bcx // 公司 Organizational Unit Name (eg,
section) []:bcx // 组织 Common Name (eg, your name or your server’s
hostname) []: bcx // 名字或者主机名 Email Address []:2734542837@qq.com // 邮箱地址
Please enter the following ‘extra’ attributes to be sent with your
certificate request A challenge password []:123456 私钥密码

An optional company name []:bcx // 公司名称

3、 对私钥进行ssl加密

[root@localhost certificate]# cp server.key server.key.org
[root@localhost certificate]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: writing RSA key

4、 生成签名证书

[root@localhost certificate]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok subject=/C=cn/ST=fujian/L=xiamen/O=bcx/OU=bcx/CN=bcx/emailAddress=2734542837@qq.com
Getting Private key Enter pass phrase for server.key:123456 // 私钥密码

-days 365 // 这很明显是证书有效时间
-out server.crt // server.crt 这个是证书名

5、查看一下生成了那些文件

[root@localhost certificate]# ll
-rw-r–r–. 1 root root 1257 3月 31 15:40 server.crt
-rw-r–r–. 1 root root 1090 3月 31 15:30 server.csr
-rw-r–r–. 1 root root 1679 3月 31 16:23 server.key
-rw-r–r–. 1 root root 1751 3月 31 16:21 server.key.org

5、 在nginx中部署证书

server 
    listen       443 ssl;
    server_name  192.168.44.140;
    root         /usr/share/nginx/html; 
    ssl_certificate /home/ssl/certificate/server.crt;
    ssl_certificate_key /home/ssl/certificate/server.key;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
    ssl_prefer_server_ciphers on;   
  

6、 访问测试

#到此自建证书就完成了，这是单项加密

参考：linux中自建证书搭建https
谷歌浏览器导入证书