linux中自建證書搭建https
阿新 • • 發佈:2018-12-22
前言
搭建https有兩種方式,分為單向認證和雙向認證。單向認證就是傳輸的資料加密過了,但是不會校驗客戶端的來源,也就只有客戶端驗證服務端證書。搭建https
1.生成單向認證的https證書
建立伺服器私鑰,生成RSA祕鑰。過程中會要求輸入密碼,記住你輸入的密碼。(如:123456)
[[email protected] certificate]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................+++
....................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
[ [email protected] certificate]# ls
server.key
生成一個證書請求,涉及到密碼就輸入之前輸入過的密碼即可。
[[email protected] certificate]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ZHEJIANG
Locality Name (eg, city) [Default City]:HANGZHOU
Organization Name (eg, company) [Default Company Ltd]:BEYONDSOFT
Organizational Unit Name (eg, section) []:ODC
Common Name (eg, your name or your server's hostname) []:ODC
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[ [email protected] certificate]# ls
server.csr server.key
輸入完這些內容,會生成一個server.csr檔案
[[email protected] certificate]# cp server.key server.key.org
[[email protected] certificate]# ls
server.csr server.key server.key.org
對於上面的祕鑰進行ssl加密
[[email protected] certificate]# openssl rsa -in server.key.org -out server.key Enter pass phrase for server.key.org: writing RSA key
使用上面的祕鑰和CSR對正式進行簽名
[[email protected] certificate]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=ZHEJIANG/L=HANGZHOU/O=BEYONDSOFT/OU=ODC/CN=ODC
Getting Private key
[[email protected] certificate]# ls
server.crt server.csr server.key server.key.org
這樣證書就建好了。。然後在nginx中修改server就可以實現https了
server {
listen 443;
server_name www.beyondsofthz.com;
ssl on;
ssl_certificate /home/default/certificate/ca.cer;
ssl_certificate_key /home/default/certificate/server.keystore;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}