nginx SSL self-signed certificate lab

Two servers

11.11.11.3     (generate the certificate, then register it with the CA service)

11.11.11.4     (nginx service, CA certificate issuance)

1. Set up the CA server (11.3)

1. Generate the CA private key, in /etc/pki/CA/private
[root@ca]# cd /etc/pki/CA/
[root@ca CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)

2. Generate the self-signed CA certificate; this must be done in the /etc/pki/CA directory
[root@ca CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
-new   generate a new request; the user is prompted for the subject fields
-x509  output a self-signed certificate instead of a request; used for test certificates or for a CA signing its own certificate
-key   path to the private key
-days  validity period in days (default 30)
-out   output file

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:Zhengzhou
Organization Name (eg, company) [Default Company Ltd]:yanqi
Organizational Unit Name (eg, section) []:system  
Common Name (eg, your name or your server's hostname) []:cahost.zzidc.com
Email Address []:573143765@qq.com

[root@ca CA]# touch index.txt
[root@ca CA]# echo 01 > serial

2. Issue a certificate to the HTTP server

[root@nginx ~]# mkdir /etc/nginx/ssl
[root@nginx ~]# cd /etc/nginx/ssl/
[root@nginx ssl]# (umask 077; openssl genrsa -out nginx.key 1024)

[root@nginx ssl]# openssl req -new -key nginx.key -out nginx.csr
# the subject fields must match those entered on the CA
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HeNan
Locality Name (eg, city) [Default City]:Zhengzhou
Organization Name (eg, company) [Default Company Ltd]:yanqi
Organizational Unit Name (eg, section) []:system
Common Name (eg, your name or your server's hostname) []:cahost.zzidc.com
Email Address []:573143765@qq.com

[root@nginx ssl]# scp nginx.csr 11.11.11.3:/tmp/

3. Sign the HTTP server's certificate on the CA

[root@ca ~]# openssl ca -in /tmp/nginx.csr -out /etc/pki/CA/certs/nginx.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Feb 22 08:17:38 2019 GMT
            Not After : Feb 22 08:17:38 2020 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = HeNan
            organizationName          = yanqi
            organizationalUnitName    = system
            commonName                = cahost.zzidc.com
            emailAddress              = 573143765@qq.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                81:4E:B6:B5:C2:B8:B8:3F:B4:E7:34:99:59:D3:E8:3A:13:20:82:58
            X509v3 Authority Key Identifier: 
                keyid:6B:86:D0:CD:C9:1A:10:7E:3B:44:EC:BE:6B:AB:E4:14:2C:30:2A:01

Certificate is to be certified until Feb 22 08:17:38 2020 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
[root@ca ~]# 

4. After signing, copy the certificate to the HTTP server, again with scp

[root@ca ~]# scp /etc/pki/CA/certs/nginx.crt 11.11.11.4:/etc/nginx/ssl

5. nginx configuration

[root@nginx ~]# vim /etc/nginx/conf.d/vhost_ssl.conf
server {
  listen 443 ssl;
  server_name cahost.zzidc.com;
  root /data/nginx/vhost1;
  access_log /var/log/nginx/vhost1_ssl_access.log main;

  ssl on;    # deprecated since nginx 1.15.0; the "ssl" parameter on "listen" above already enables TLS
  ssl_certificate /etc/nginx/ssl/nginx.crt;
  ssl_certificate_key /etc/nginx/ssl/nginx.key;
  ssl_protocols sslv3 TLSv1 TLSv1.1 TLSv1.2;    # SSLv3 is broken (POODLE); outside a lab, drop it and TLSv1/TLSv1.1
  ssl_session_cache   shared:SSL:10m;    # shared session cache of 10 MB; 1 MB holds about 4,000 sessions, so 10 MB holds about 40,000
  ssl_session_timeout 10m;
}

[root@nginx conf.d]# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

[root@nginx conf.d]# service nginx restart
Redirecting to /bin/systemctl restart nginx.service

[root@nginx conf.d]# netstat -luntp|grep 443
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      4256/nginx: mas 
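To close the loop on steps 1 to 4, here is an added example (not part of the original post) that runs the same CA procedure non-interactively in a scratch directory with its own openssl.cnf, then performs the checks the post skips before the certificate is handed to nginx: that nginx.crt verifies against cacert.pem, that it is valid for the hostname, and that it matches nginx.key. It assumes only an OpenSSL command-line tool (1.1.1 or 3.x) on PATH. The hostname and subject fields are the post's; the CA's own common name and the `lab_*` function names are constructed. Two deliberate departures from the post: the server key is 2048 bits rather than 1024, which is below current minimums, and the signed certificate carries a subjectAltName, which browsers require because they ignore the CN. The `policy_match` section is the same policy the stock openssl.cnf applies and is the reason the post says the CSR fields must agree with the CA: C, ST and O must match the CA certificate or `openssl ca` refuses the request.

```sh
#!/bin/sh
# Added example (not from the original post): reproduce the lab's private CA
# non-interactively, issue the nginx server certificate from a CSR, and verify
# chain, hostname and key/cert match before deploying.
# Assumed: an OpenSSL CLI (1.1.1 or 3.x). Hostname and DN fields are the
# post's; the CA common name is a constructed value.
set -eu

LAB_HOST="cahost.zzidc.com"

# Minimal openssl.cnf so nothing depends on the /etc/pki/CA layout.
# policy_match mirrors the stock config: C/ST/O must equal the CA's.
lab_write_config() {
    dir="$1"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca

[ lab_ca ]
dir             = $dir
new_certs_dir   = \$dir/newcerts
database        = \$dir/index.txt
serial          = \$dir/serial
private_key     = \$dir/private/cakey.pem
certificate     = \$dir/cacert.pem
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = server_cert

[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
default_md         = sha256
[ req_dn ]

[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ server_cert ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$LAB_HOST
EOF
}

# Step 1 of the post: CA key, self-signed CA certificate, index.txt and serial.
lab_build_ca() {
    dir="$1"
    mkdir -p "$dir/private" "$dir/newcerts"
    lab_write_config "$dir"
    (umask 077; openssl genrsa -out "$dir/private/cakey.pem" 2048 2>/dev/null)
    openssl req -new -x509 -config "$dir/ca.cnf" -extensions v3_ca \
        -key "$dir/private/cakey.pem" -days 365 \
        -subj "/C=CN/ST=HeNan/L=Zhengzhou/O=yanqi/OU=system/CN=Lab Root CA" \
        -out "$dir/cacert.pem"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
}

# Steps 2-3: server key (2048 bits, not the post's 1024), CSR with matching
# C/ST/O, then signing with `openssl ca` in batch mode (no y/n prompts).
lab_issue_server_cert() {
    dir="$1"
    (umask 077; openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null)
    openssl req -new -config "$dir/ca.cnf" -key "$dir/nginx.key" \
        -subj "/C=CN/ST=HeNan/L=Zhengzhou/O=yanqi/OU=system/CN=$LAB_HOST" \
        -out "$dir/nginx.csr"
    openssl ca -batch -config "$dir/ca.cnf" -notext \
        -in "$dir/nginx.csr" -out "$dir/nginx.crt" >/dev/null 2>&1
}

# The checks the post omits: chain and hostname via `openssl verify`, and
# key/cert match by RSA modulus. Prints OK and returns 0 only if all pass.
lab_verify() {
    dir="$1"
    openssl verify -CAfile "$dir/cacert.pem" -verify_hostname "$LAB_HOST" \
        "$dir/nginx.crt" >/dev/null 2>&1 || { echo "chain/hostname FAIL"; return 1; }
    cert_mod=$(openssl x509 -noout -modulus -in "$dir/nginx.crt")
    key_mod=$(openssl rsa -noout -modulus -in "$dir/nginx.key")
    [ "$cert_mod" = "$key_mod" ] || { echo "key/cert mismatch"; return 1; }
    echo OK
}

# Run the whole lab in a scratch directory and print the verdict.
lab_run() {
    dir=$(mktemp -d)
    lab_build_ca "$dir"
    lab_issue_server_cert "$dir"
    lab_verify "$dir"
}

lab_run
```

The only thing that makes this chain trusted is the client holding cacert.pem: a browser or curl without it will, correctly, reject the site, and a client that verifies against a different CA's certificate fails as well. Once nginx is up, `openssl s_client -connect cahost.zzidc.com:443 -servername cahost.zzidc.com -CAfile cacert.pem` should report `Verify return code: 0 (ok)`; any other code means the deployed nginx.crt, the key, or the CA file the client uses does not match what was built here.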

Original article: https://www.cnblogs.com/huangyanqi/p/10419336.html