Nginx: HTTPS for multiple domains

HTTPS for a single domain:

#Create a self-signed CA certificate
[root@centos8-1 ~]$cd /apps/nginx/
[root@centos8-1 nginx]$mkdir certs
[root@centos8-1 nginx]$cd certs/
[root@centos8-1 certs]$openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
[root@centos8-1 certs]$ll
total 8
-rw-r--r-- 1 root root 2033 Sep 28 11:33 ca.crt
-rw------- 1 root root 3272 Sep 28 11:31 ca.key

#Generate the server's private key and CSR
[root@centos8-1 certs]$openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.tianze.org.key -out www.tianze.org.csr
[root@centos8-1 certs]$ll
total 16
-rw-r--r-- 1 root root 2033 Sep 28 11:33 ca.crt
-rw------- 1 root root 3272 Sep 28 11:31 ca.key
-rw-r--r-- 1 root root 1700 Sep 28 11:37 www.tianze.org.csr
-rw------- 1 root root 3272 Sep 28 11:36 www.tianze.org.key

#Sign the server certificate with the CA
[root@centos8-1 certs]$openssl x509 -req -days 3650 -in www.tianze.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.tianze.org.crt

#Check the certificate contents
[root@centos8-1 certs]$openssl x509 -in www.tianze.org.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            07:e9:d0:2e:92:e1:30:e1:79:3c:27:2a:47:bd:91:2e:85:f7:44:93
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = beijing, L = beijing, O = tianze, OU = it, CN = ca.tianze.org
        Validity
            Not Before: Sep 28 03:38:39 2020 GMT
            Not After : Sep 26 03:38:39 2030 GMT
        Subject: C = CN, ST = Beijing, L = beijing, O = tianze, OU = it, CN = www.tianze.org
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption

[root@centos8-1 conf.d]$vim pc.conf

server {
    listen 80;
    listen 443 ssl;                                            ## enable SSL on port 443
    ssl_certificate /apps/nginx/certs/www.tianze.org.crt;      ## file holding the certificates for this virtual host and the CA, usually a .crt file
    ssl_certificate_key /apps/nginx/certs/www.tianze.org.key;  ## private key used by this virtual host, usually a .key file
    ssl_session_cache shared:sslcache:20m;                     ## SSL session cache shared across all worker processes
    ssl_session_timeout 10m;                                   ## session cache timeout, default 5m
    root /data/nginx/html/pc;
    server_name www.tianze.org;
    location / {
        root /data/nginx/html/pc;
    }
}


[root@centos8-1 conf.d]$nginx -s reload   #reload nginx and test the page

HTTPS for multiple domains:


Nginx can host multiple domains on a single IP address, and it can also serve HTTPS for those domains on that one IP. This relies on Nginx's SNI (Server Name Indication) support. SNI exists so that one Nginx server can bind several domain names, each with its own certificate, to a single IP: before the SSL (TLS) connection is established, the client sends the hostname of the site it wants to reach, and the server uses that hostname to pick and return the matching certificate.

[root@centos8-1 conf.d]$nginx -V
nginx version: zhanginx/1.1999
built by gcc 8.3.1 20191121 (Red Hat 8.3.1-5) (GCC)
built with OpenSSL 1.1.1c FIPS 28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module --add-module=/usr/local/src/echo-nginx-module

[root@centos8-1 certs]$openssl req -newkey rsa:4096 -nodes -sha256 -keyout m.tianze.org.key -out m.tianze.org.csr
Generating a RSA private key
............................................................++++
.......................................................................................................................................................................................................................................................................................................................................................................................++++
writing new private key to 'm.tianze.org.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Beijing
Organization Name (eg, company) [Default Company Ltd]:tianze
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:ca.tianze.org
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@centos8-1 certs]$openssl x509 -req -days 3650 -in m.tianze.org.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out m.tianze.org.crt
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = tianze, OU = it, CN = ca.tianze.org
Getting CA Private Key

[root@centos8-1 certs]$openssl x509 -in m.tianze.org.crt -noout -text

[root@centos8-1 conf.d]$vim mobile.conf

server {
    listen 80;
    server_name m.tianze.org;
    listen 443 ssl;
    ssl_certificate /apps/nginx/certs/m.tianze.org.crt;
    ssl_certificate_key /apps/nginx/certs/m.tianze.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    location / {
        root /data/nginx/html/mobile;
    }
}

[root@centos8-1 conf.d]$nginx -s reload
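After the reload, the thing worth checking is that each SNI name gets the certificate that actually names it. The script below is an added example, not part of the original post: it fetches the certificate nginx presents for a given -servername and checks the host against the subject CN and any DNS subjectAltName entries (browsers match on the SAN, which the v1 certificates above do not carry). The server address is an assumption; the hostnames are the post's. Note that the m.tianze.org CSR above was answered with Common Name ca.tianze.org, so this check would report FAIL for that host.

```shell
#!/usr/bin/env bash
# Added check script (not from the original post): for each hostname, ask the
# server for the certificate it serves under that SNI name and confirm the
# certificate actually names the host (CN or a DNS subjectAltName entry).

# Return 0 if HOST is named by the CN or by a DNS SAN entry in CERT_TEXT, the
# output of `openssl x509 -noout -subject -ext subjectAltName`. A single-label
# wildcard such as *.tianze.org is accepted, as browsers accept it.
cert_covers_host() {
  local cert_text="$1" host="$2" names name found=1
  names=$( { printf '%s\n' "$cert_text" | grep -o 'CN *= *[^,/]*' | sed 's/CN *= *//'
             printf '%s\n' "$cert_text" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://'; } || true )
  set -f   # keep *.tianze.org literal: no pathname expansion inside the loop
  for name in $names; do
    if [ "$name" = "$host" ]; then found=0; break; fi
    case "$name" in
      '*.'*) if [ "${host#*.}" = "${name#\*.}" ] && [ "${host%%.*}" != "$host" ]; then
               found=0; break
             fi ;;
    esac
  done
  set +f
  return "$found"
}

# Fetch the certificate presented for HOST via SNI and check it against HOST.
# ADDR is the nginx server's IP (an assumption; the post never states it).
check_sni() {
  local addr="$1" host="$2" text
  text=$(openssl s_client -connect "$addr:443" -servername "$host" </dev/null 2>/dev/null \
           | openssl x509 -noout -subject -ext subjectAltName 2>/dev/null) || text=""
  if cert_covers_host "$text" "$host"; then
    echo "OK   $host: certificate served for this SNI name covers it"
  else
    echo "FAIL $host: certificate served does not name this host: $text"
    return 1
  fi
}

# Usage: ./sni-check.sh <server-ip> www.tianze.org m.tianze.org
if [ "$#" -ge 2 ]; then
  addr=$1; shift; status=0
  for h in "$@"; do check_sni "$addr" "$h" || status=1; done
  exit "$status"
fi
```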

Original article: https://www.cnblogs.com/tz66/p/13744184.html