Nginx: generating a self-signed certificate
阿新 • Published: 2018-05-17
1. Create the server's private key file, server.key

[root@3-107 ~]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
........+++
.................................................................................................................+++
e is 65537 (0x010001)
Enter pass phrase for server.key: xxx
Verifying - Enter pass phrase for server.key: xxx

-des3 encrypts the key file under the passphrase you type here. Step 4 below strips that passphrase again, so it only protects the file between those two steps.
2. Create the certificate signing request, server.csr

[root@3-107 ~]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: xxx                                  <- the passphrase from the previous step
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN                                   <- two-letter country code; CN for China
State or Province Name (full name) [Some-State]:TianJin                <- full name of the province, in pinyin
Locality Name (eg, city) []:TianJin                                    <- full name of the city, in pinyin
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Okay Airways   <- company name in English
Organizational Unit Name (eg, section) []:e-Enabling                   <- department; may be left blank
Common Name (e.g. server FQDN or YOUR name) []:lsapl.okair.net         <- the server's domain name, exactly as clients will address it
Email Address []:[email protected]                                     <- company e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:                                               <- may be left blank
An optional company name []:                                           <- may be left blank
3. Back up the server key file

# cp server.key server.key.bak
4. Remove the passphrase from the key file

# openssl rsa -in server.key.bak -out server.key

This rewrites the key unencrypted; otherwise nginx prompts for the passphrase on every start and reload. From here on, file permissions are the only thing protecting the private key, so keep it owned by root and readable by nobody else.
5. Generate the certificate file server.crt (it carries the public key)

# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt    -- 3650 days is a ten-year validity period

-signkey server.key signs the request with the same key the certificate certifies, which is what makes it self-signed: no CA vouches for it, so any client that has not been explicitly told to trust this exact certificate will warn or refuse. Note also that the certificate produced this way contains no subjectAltName extension; current browsers match the hostname against subjectAltName rather than Common Name, so they reject it even though the CN is correct.
6. Put the certificate and private key under the nginx directory

# mkdir -p /etc/nginx/ssl
# cp server.crt /etc/nginx/ssl/    -- copy the certificate (public)
# cp server.key /etc/nginx/ssl/    -- copy the private key

nginx then references the two files with ssl_certificate and ssl_certificate_key in the server block that listens on port 443.
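The six steps above as one script, added here and not the post's own commands: it produces the same server.key/server.crt pair in a single openssl call, adds the subjectAltName that the CSR-based flow lacks, checks that the key and certificate actually match and that the certificate verifies only when explicitly trusted, and writes the nginx server block that step 6 leads to. Assumptions: OpenSSL 1.1.1 or later (for -addext and -ext), the hostname and DN fields reused from the CSR in step 2, and an output directory named by the caller so the script runs unprivileged; copy the files to /etc/nginx/ssl afterwards as in step 6.

```shell
#!/bin/sh
# Added example (not the post's own commands): steps 1-6 collapsed into one openssl
# invocation plus the checks worth running before pointing nginx at the files.
# Assumptions: OpenSSL >= 1.1.1 (-addext / -ext), the post's hostname lsapl.okair.net
# and DN fields, and an output directory chosen by the caller (copy to /etc/nginx/ssl
# afterwards, as in step 6).
set -eu

# gen_selfsigned DIR HOST DAYS
# -newkey rsa:2048 : step 1 (key generation)
# -nodes           : no passphrase, so steps 3-4 (backup + "openssl rsa") are not needed
# -x509            : self-sign directly instead of writing a CSR (steps 2 and 5)
# -addext SAN      : browsers match the hostname against subjectAltName, not CN;
#                    the post's "openssl x509 -req -signkey" flow yields a CN-only cert
gen_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=CN/ST=TianJin/L=TianJin/O=Okay Airways/OU=e-Enabling/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    chmod 600 "$dir/server.key"   # private key: owner-only
    chmod 644 "$dir/server.crt"   # the certificate is public material
}

# The certificate must carry the public half of exactly this key, or nginx refuses to
# start with "key values mismatch". Compare the public key extracted from each file.
key_matches_cert() {
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1/server.key" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# cert_has_san DIR HOST: true when the SAN extension names HOST
cert_has_san() {
    openssl x509 -in "$1/server.crt" -noout -ext subjectAltName | grep -q "DNS:$2"
}

# A self-signed certificate is its own trust anchor: verification succeeds only when
# the verifier is told to trust this exact certificate ...
verify_with_own_anchor() {
    openssl verify -CAfile "$1/server.crt" "$1/server.crt" >/dev/null 2>&1
}

# ... and fails against the default store, which is the warning browsers show.
trusted_by_default() {
    openssl verify "$1/server.crt" >/dev/null 2>&1
}

cert_summary() {
    openssl x509 -in "$1/server.crt" -noout -subject -issuer -dates -ext subjectAltName
}

# Minimal nginx server block for the files, written next to them for review.
# Paths match step 6 of the post, so copy server.crt/server.key to /etc/nginx/ssl first.
write_nginx_conf() {
    cat > "$1/$2.conf" <<EOF
server {
    listen 443 ssl;
    server_name $2;
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    ssl_protocols TLSv1.2 TLSv1.3;
}
EOF
}

main() {
    out=$1; host=$2; days=${3:-3650}
    gen_selfsigned "$out" "$host" "$days"
    key_matches_cert "$out" || { echo "key/cert mismatch" >&2; return 1; }
    cert_has_san "$out" "$host" || { echo "no SAN for $host" >&2; return 1; }
    write_nginx_conf "$out" "$host"
    cert_summary "$out"
    verify_with_own_anchor "$out" && echo "verify with -CAfile server.crt: OK"
    trusted_by_default "$out" || echo "verify against default store: fails (expected for self-signed)"
}

# usage: sh selfsigned.sh OUTDIR HOSTNAME [DAYS]
if [ $# -ge 2 ]; then main "$@"; else echo "usage: $0 OUTDIR HOSTNAME [DAYS]" >&2; fi
```

Run it as `sh selfsigned.sh ./out lsapl.okair.net`: it prints subject, issuer, validity dates and the SAN, then shows that `openssl verify` accepts the certificate only with `-CAfile server.crt`. Browsers behave the same way, so either import server.crt as a trusted certificate on each client or expect the warning.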
——————————————————————————————————————————————————————————————————————————
How HTTPS works:
A key pair consists of a public key and a private key.
Symmetric encryption means the key used to encrypt the data is the same key used to decrypt it.
Asymmetric encryption means the key used to encrypt (the public key) is different from the key used to decrypt (the private key): the public key can be handed to anyone, the private key never leaves the server.
The HTTPS request flow (the RSA key exchange used by TLS 1.2 and earlier):
1. The server sends its certificate, which carries its public key, to the client. The client checks the certificate against its trust store before using the key; for a self-signed certificate that check fails unless the client has been told to trust this exact certificate, which is the browser warning seen with the certificate generated above.
2. The client generates a random value to serve as the symmetric session key, encrypts it with the server's public key, and sends it back to the server.
3. The server decrypts it with its private key and so obtains the same random value.
4. From then on, both sides encrypt and decrypt the application data with that random value as the symmetric key.
In short, asymmetric encryption is used only to transport the symmetric key. TLS 1.3 replaces steps 2 and 3 with an ephemeral Diffie-Hellman exchange and uses the server's key only to sign, so a later compromise of the private key does not expose recorded sessions (forward secrecy); the division of labour stays the same.
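The four-step flow above acted out with openssl on files, as an added example that is not part of the original post. It plays the RSA key-transport handshake the post describes (TLS 1.2 and earlier), wrapping the session key with RSA-OAEP rather than the PKCS#1 v1.5 padding TLS used for this step, because OAEP fails cleanly under the wrong key, which the final eavesdropper check relies on; it then encrypts a constructed request with the shared key. The directory, file names and the sample request are constructed for the demo; the hostname is the one from the post.

```shell
#!/bin/sh
# Added example (not from the post): the four-step exchange above, played out with
# openssl on files in one directory. Constructed for the demo: the directory given
# as $1, the file names and the sample request; the hostname is the post's.
set -eu

# Helper: true when two files have identical contents (avoids depending on cmp/diff).
same_file() {
    [ "$(openssl sha256 < "$1")" = "$(openssl sha256 < "$2")" ]
}

# Step 1 (server, once): RSA key pair. server.pub is what the certificate carries;
# the certificate's signature is what lets the client trust it (not modelled here).
server_keygen() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/server.key" 2>/dev/null
    openssl pkey -in "$1/server.key" -pubout -out "$1/server.pub"
}

# Step 2 (client): random 256-bit session key, in hex so it can be fed to enc -K,
# encrypted to server.pub with RSA-OAEP. Only server.key can undo this.
client_wrap_session_key() {
    openssl rand -hex 32 > "$1/client.session"
    openssl pkeyutl -encrypt -pubin -inkey "$1/server.pub" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/client.session" -out "$1/session.enc"
}

# Step 3 (server): unwrap the session key with the private key.
server_unwrap_session_key() {
    openssl pkeyutl -decrypt -inkey "$1/server.key" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/session.enc" -out "$1/server.session"
}

# Step 4 (both sides): symmetric AES-256-CBC under the shared key with a fresh IV per
# message, kept beside the ciphertext. Real TLS uses an AEAD such as AES-GCM and
# derives separate keys per direction from the shared secret.
sym_encrypt() {   # sym_encrypt KEYFILE PLAINTEXT CIPHERTEXT
    openssl rand -hex 16 > "$3.iv"
    openssl enc -aes-256-cbc -K "$(cat "$1")" -iv "$(cat "$3.iv")" -in "$2" -out "$3"
}
sym_decrypt() {   # sym_decrypt KEYFILE CIPHERTEXT PLAINTEXT
    openssl enc -d -aes-256-cbc -K "$(cat "$1")" -iv "$(cat "$2.iv")" -in "$2" -out "$3"
}

# Whole exchange in DIR; returns 0 when the server reads back exactly what the client sent.
run_exchange() {
    d=$1
    mkdir -p "$d"
    server_keygen "$d"                                   # 1: server.pub goes to the client
    client_wrap_session_key "$d"                         # 2: session.enc goes to the server
    server_unwrap_session_key "$d"                       # 3
    same_file "$d/client.session" "$d/server.session" || return 1   # both now hold the same key
    printf 'GET / HTTP/1.1\r\nHost: lsapl.okair.net\r\n\r\n' > "$d/request.txt"   # constructed sample
    sym_encrypt "$d/client.session" "$d/request.txt" "$d/request.enc"    # 4: client -> server
    sym_decrypt "$d/server.session" "$d/request.enc" "$d/request.dec"
    same_file "$d/request.txt" "$d/request.dec"
}

# What an eavesdropper gets: session.enc is useless without server.key, so a different
# key pair cannot open it. Call after run_exchange.
eavesdropper_fails() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1/mallory.key" 2>/dev/null
    ! openssl pkeyutl -decrypt -inkey "$1/mallory.key" -pkeyopt rsa_padding_mode:oaep \
        -in "$1/session.enc" -out "$1/mallory.session" 2>/dev/null
}

# usage: sh rsa_exchange.sh DIR
if [ $# -ge 1 ]; then
    run_exchange "$1" && eavesdropper_fails "$1" && echo "exchange OK; session key unrecoverable without server.key"
else
    echo "usage: $0 DIR" >&2
fi
```

Nothing in this script stops an active attacker from answering step 1 with their own public key, which is exactly the gap the certificate and its trust check close; the demo only shows why the private key, and therefore the file permissions set in the first part of the post, matter.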