linux运维、架构之路-Nginx配置https证书

一、证书制作

1、生成秘钥key

[root@docker ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
............................................................+++
.................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

执行过程中会要求输入密码，两次输入同一个即可。此命令生成server.key文件

以后使用此文件(通过openssl提供的命令或API)可能经常回要求输入密码,如果想去除输入密码的步骤可以使用以下命令

openssl rsa -in server.key -out server.key

2、创建服务器证书的申请文件server.csr

openssl req -new -key server.key -out server.csr

[root@docker ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:     
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.56.100
Email Address []:

3、创建CA证书

openssl req -new -x509 -key server.key -out ca.crt -days 3650

[root@docker ssl]# openssl req -new -x509 -key server.key -out ca.crt -days 3650
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:192.168.56.100Email Address []:

此时,可以得到一个ca.crt的证书,这个证书用来给自己的证书签名

4、创建自当前日期起有效期为期十年的服务器证书server.crt

[root@docker ssl]# openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
Signature ok
subject=/C=CN/L=Default City/O=Default Company Ltd/CN=192.168.56.100
Getting CA Private Key

5、查看生成的文件,可以看到一共生成了5个文件

[root@docker ssl]# ll
总用量 20
-rw-r--r-- 1 root root 1285 5月   9 14:45 ca.crt
-rw-r--r-- 1 root root   17 5月   9 14:45 ca.srl
-rw-r--r-- 1 root root 1168 5月   9 14:45 server.crt
-rw-r--r-- 1 root root 1017 5月   9 14:44 server.csr
-rw-r--r-- 1 root root 1675 5月   9 14:41 server.key

server.crt和server.key就是你的nginx需要的证书文件

二、Nginx配置

1、打开的nginx配置文件,搜索443找到https的配置

    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /app/nginx/ssl/server.crt;
        ssl_certificate_key  /app/nginx/ssl/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   html;
            index  index.html index.htm;
        }
    }
}

2、修改证书路径

ssl_certificate改为server.crt的路径,将ssl_certificate_key改为server.key的路径

3、平滑重启Nignx服务

nginx -s reload

nginx的https就可以使用了,默认443端口，使用浏览器访问测试