Environment: CentOS 7.6, hostname: demod.example.com; nginx must be built with the SSL module (reference: https://www.cnblogs.com/wukc/p/13289553.html)
1. Create the directory
mkdir /usr/local/nginx/ssl_key
cd /usr/local/nginx/ssl_key
2. Create private.key
[root@localhost ssl_key]# openssl genrsa -out private.key 1024
Generating RSA private key, 1024 bit long modulus
.........................++++++
..........++++++
e is 65537 (0x10001)
[root@localhost ssl_key]# ls
private.key
# -out specifies where the key file is written and what it is called; 1024 is the key length in bits, usually 1024 or 2048
3. Create the cert_req.csr file
[root@localhost ssl_key]# openssl req -new -key private.key -out cert_req.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:sc
Locality Name (eg, city) [Default City]:cd
Organization Name (eg, company) [Default Company Ltd]:sh
Organizational Unit Name (eg, section) []:sh
Common Name (eg, your name or your server's hostname) []:demod.example.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@localhost ssl_key]# ll
total 8
-rw-r--r-- 1 root root 635 Jul 14 21:04 cert_req.csr
-rw-r--r-- 1 root root 887 Jul 14 20:52 private.key
# Use the private key file to generate a certificate signing request (CSR)
# This step prompts for the country, region, domain name and similar details
# The most important line is Common Name: enter the domain name associated with the server, or the server's public IP address
4. Create server_cert.crt
[root@localhost ssl_key]# openssl x509 -req -days 365 -in cert_req.csr -signkey private.key -out server_cert.crt
Signature ok
subject=/C=cn/ST=sc/L=cd/O=sh/OU=sh/CN=demod.example.com
Getting Private key
# Parameter notes
req: this subcommand selects X.509 certificate signing request (CSR) management. "X.509" is the public key infrastructure standard that SSL and TLS follow for key and certificate management. We want to create a new X.509 certificate, so we use this subcommand
-x509: modifies the previous subcommand further by telling the utility that we want to create a self-signed certificate rather than a certificate signing request (which is what would normally happen)
-nodes: tells OpenSSL to skip the option of protecting the certificate's key with a passphrase. We need Nginx to be able to read the file without user intervention when the server starts; a passphrase would prevent that, because we would have to enter it after every restart
-days 365: sets how long the certificate is considered valid. Here we set one year
Note: -x509 and -nodes are options of "openssl req", used when the key, the CSR and the self-signed certificate are produced in a single step. The command shown above instead signs the CSR from step 3 with "openssl x509 -req -signkey", so of the options explained here only -days 365 applies to it as written.
5. Configure nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
    server {
        listen 443 ssl;
        server_name demod.example.com;
        ssl_certificate /usr/local/nginx/ssl_key/server_cert.crt;
        ssl_certificate_key /usr/local/nginx/ssl_key/private.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root html;
            index index.html index.htm;
        }
        error_page 500 502 503 504 /50x.html;
        location = /50x.html {
            root html;
        }
    }
}
6. Connect to nginx and verify
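The following script is an added example, not code from this post or from the referenced article. It scripts steps 2 to 4 and adds the checks worth running before step 6, and it goes beyond the post in two places: it generates a 2048-bit key (1024-bit RSA is below current minimums) and it puts the hostname into a subjectAltName extension, because browsers no longer match hostnames against the Common Name alone. It assumes openssl 1.1.1 or newer and the usual POSIX tools are on PATH; the directory, hostname, validity period and config path are caller-chosen parameters, and the nginx.conf that write_demo_conf produces is a constructed stand-in for the post's configuration.

```shell
#!/bin/sh
# Added example (not the post's code): self-signed certificate workflow for
# nginx plus the consistency checks to run before reloading the server.
# Assumes: openssl >= 1.1.1 on PATH; all paths and hostnames are parameters.
set -eu

# make_selfsigned DIR HOST DAYS
# Writes DIR/private.key, DIR/cert_req.csr, DIR/server_cert.crt (the names
# used in steps 2 to 4), with a 2048-bit key and a subjectAltName for HOST.
make_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    chmod 600 "$dir/private.key"   # nginx reads it as root; nobody else needs it
    # Request config: the DN fields from step 3 plus the SAN extension
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[dn]
C  = cn
ST = sc
L  = cd
O  = sh
CN = $host
[v3_req]
subjectAltName = DNS:$host
EOF
    openssl req -new -key "$dir/private.key" -config "$dir/san.cnf" -out "$dir/cert_req.csr"
    # "x509 -req" does not copy CSR extensions by default, so pass them again
    openssl x509 -req -days "$days" -in "$dir/cert_req.csr" -signkey "$dir/private.key" \
        -extfile "$dir/san.cnf" -extensions v3_req -out "$dir/server_cert.crt" 2>/dev/null
}

# key_matches_cert KEY CRT: exit 0 when the key's public half is the one in the cert
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_sans CRT: print the DNS names in subjectAltName, one per line
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Subject Alternative Name' | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_valid_for CRT DAYS: exit 0 when the cert does not expire within DAYS days
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# nginx_directive CONF NAME: print the value of the first NAME directive in CONF
nginx_directive() {
    sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# preflight_tls CONF HOST: checks to run before "nginx -s reload" (step 6).
# Exit 0 only if the configured cert and key are readable, belong together,
# name HOST in subjectAltName and stay valid for 30 more days; findings are printed.
preflight_tls() {
    conf=$1; host=$2; rc=0
    crt=$(nginx_directive "$conf" ssl_certificate)
    key=$(nginx_directive "$conf" ssl_certificate_key)
    [ -r "$crt" ] || { echo "FAIL: cannot read ssl_certificate $crt"; return 1; }
    [ -r "$key" ] || { echo "FAIL: cannot read ssl_certificate_key $key"; return 1; }
    key_matches_cert "$key" "$crt" || { echo "FAIL: key does not match certificate"; rc=1; }
    cert_sans "$crt" | grep -qxF "$host" || { echo "FAIL: $host not in subjectAltName"; rc=1; }
    cert_valid_for "$crt" 30 || { echo "FAIL: certificate expires within 30 days"; rc=1; }
    # nginx builds before 1.23.4 still enable TLSv1/TLSv1.1 when ssl_protocols is unset
    [ -n "$(nginx_directive "$conf" ssl_protocols)" ] \
        || echo "WARN: ssl_protocols not set, nginx default applies"
    return $rc
}

# write_demo_conf DIR: constructed nginx.conf (not the post's) using DIR's cert and key
write_demo_conf() {
    cat > "$1/nginx.conf" <<EOF
http {
    server {
        listen 443 ssl;
        server_name demod.example.com;
        ssl_certificate     $1/server_cert.crt;
        ssl_certificate_key $1/private.key;
        ssl_protocols TLSv1.2 TLSv1.3;
    }
}
EOF
}

# Stand-alone run: ./script.sh --demo generates into a temp dir and preflights it
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_selfsigned "$d" demod.example.com 365
    write_demo_conf "$d"
    preflight_tls "$d/nginx.conf" demod.example.com && echo "OK: $d is ready for nginx"
fi
```

To use it against the post's layout, call make_selfsigned /usr/local/nginx/ssl_key demod.example.com 365 and then preflight_tls /usr/local/nginx/conf/nginx.conf demod.example.com before reloading; a mismatched key or a certificate without the hostname in its SAN is reported here rather than discovered as a browser error in step 6.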