
nginx: setting up HTTPS with a one-way (server-only) certificate

1) By default the ssl module is not built into nginx when compiling from source; to use it, pass --with-http_ssl_module to ./configure. (Distribution packages and the official nginx.org packages already include it; the build below is only needed for a source install.)


wget http://nginx.org/download/nginx-1.3.16.tar.gz

tar -xf nginx-1.3.16.tar.gz -C /usr/local/

cd /usr/local/nginx-1.3.16/

./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre 

make

make install

/usr/local/nginx/sbin/nginx      start nginx, then open http://192.168.254.103/ to test plain HTTP





cd /usr/local/nginx/conf  go to the directory where the certificate and private key will be kept

[root@nginx conf]# openssl genrsa -des3 -out server.key 1024   create the server private key; you are asked for a passphrase (note: 1024-bit RSA is too weak for TLS today and current browsers reject it; use 2048 or larger for anything beyond this lab)

Enter pass phrase for server.key:123456

Verifying - Enter pass phrase for server.key:123456


[root@nginx conf]# openssl req -new -key server.key -out server.csr   create a certificate signing request (CSR). The Common Name must be the hostname clients will type (here www.bill.com, the server_name used below); the CN entered in this transcript, ca.Leay.com, does not match it, so browsers will report a name mismatch in addition to the self-signed warning.

Enter pass phrase for server.key:

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:CN

State or Province Name (full name) []:BeiJing

Locality Name (eg, city) [Default City]:ChangPing

Organization Name (eg, company) [Default Company Ltd]:Leay

Organizational Unit Name (eg, section) []:Linux

Common Name (eg, your name or your server‘s hostname) []:ca.Leay.com

Email Address []:caadmin@Leay.com


Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []:123456

An optional company name []:Leay


Remove the passphrase from the private key so that nginx can load it at startup without prompting (the key is now stored in the clear, so restrict it to root with chmod 600 server.key):

[root@nginx conf]#  cp server.key server.key.org

[root@nginx conf]# openssl rsa -in server.key.org -out server.key

Enter pass phrase for server.key.org:123456

writing RSA key


Finally, sign the CSR with the same private key to produce a self-signed certificate valid for 365 days:

[root@nginx conf]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok

subject=/C=CN/ST=BeiJing/L=ChangPing/O=Leay/OU=Linux/CN=ca.Leay.com/emailAddress=caadmin@Leay.com

Getting Private key
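The three openssl steps above (key, CSR, self-signed certificate) can be collapsed into one command, and a few checks are worth running before nginx is pointed at the files. The script below is an added example, not part of the original post: it assumes only that the OpenSSL command-line tool is installed; the hostname www.bill.com and the DN fields are taken from the post, while the function names and the temporary server.cnf file are this example's own. It differs from the recipe above in using a 2048-bit key with SHA-256, writing the key unencrypted from the start (so there is no passphrase to strip), and putting the nginx server_name in the CN and in a subjectAltName, which is what browsers actually check.

```shell
#!/bin/sh
# Added example (not from the original post). Generate a self-signed server
# certificate for nginx and verify it before use. Requires the openssl CLI.
set -u

# make_self_signed DIR HOST : write DIR/server.key and DIR/server.crt
make_self_signed() {
    dir=$1; host=$2
    cnf="$dir/server.cnf"    # hypothetical helper file; the DN values mirror the post
    cat > "$cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[dn]
C  = CN
ST = BeiJing
L  = ChangPing
O  = Leay
OU = Linux
CN = $host

[v3_server]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    # -x509: self-sign instead of writing a CSR; -nodes: no passphrase on the key
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$cnf" -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
    # the key is in the clear: only root (the nginx master process) needs to read it
    chmod 600 "$dir/server.key"
}

# key_is_unencrypted FILE : succeed if the PEM key has no passphrase. Both the
# PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" header and the legacy
# "Proc-Type: 4,ENCRYPTED" header contain the word ENCRYPTED.
key_is_unencrypted() {
    ! grep -q ENCRYPTED "$1"
}

# verify_pair DIR HOST : the checks to run before reloading nginx
verify_pair() {
    dir=$1; host=$2
    key="$dir/server.key"; crt="$dir/server.crt"
    # 1. key and certificate belong together: compare the public keys
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    [ "$k" = "$c" ] || { echo "key/cert mismatch" >&2; return 1; }
    # 2. certificate is valid now and not expiring within the next 24 hours
    openssl x509 -in "$crt" -noout -checkend 86400 >/dev/null 2>&1 \
        || { echo "certificate expired or about to expire" >&2; return 1; }
    # 3. the name nginx will serve appears in the subjectAltName
    openssl x509 -in "$crt" -noout -text 2>/dev/null | grep -q "DNS:$host" \
        || { echo "no subjectAltName for $host" >&2; return 1; }
    # 4. nginx can load the key without a passphrase prompt
    key_is_unencrypted "$key" || { echo "key is passphrase-protected" >&2; return 1; }
    return 0
}

# Usage: sh make-cert.sh /usr/local/nginx/conf www.bill.com
if [ $# -eq 2 ]; then
    make_self_signed "$1" "$2" && verify_pair "$1" "$2" \
        && echo "server.key and server.crt written to $1"
fi
```

Once the files are in place and nginx has been reloaded, check the live listener with openssl s_client -connect 192.168.254.103:443 -servername www.bill.com: it still reports a self-signed-certificate verify error, which is expected here, but the subject and SAN it prints should name www.bill.com.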





Edit the nginx configuration so that it references the newly signed certificate and the private key:

server {

        listen       80;

        server_name  www.bill.com;


        #charset koi8-r;


        #access_log  logs/host.access.log  main;


        location / {

            root   html;

            index  index.html index.htm;

        }

    }


    # HTTPS server
    #
    server {

        listen       443 ssl;     # "ssl on;" does the same job but has been deprecated since nginx 1.15.0

        server_name  www.bill.com;


        ssl_certificate      /usr/local/nginx/conf/server.crt;

        ssl_certificate_key  /usr/local/nginx/conf/server.key;


        ssl_session_timeout  5m;


        # SSLv2 and SSLv3 are broken and must never be enabled; add TLSv1.3 on
        # nginx >= 1.13.0 built against OpenSSL >= 1.1.1
        ssl_protocols  TLSv1.2;

        ssl_ciphers  HIGH:!aNULL:!MD5;

        ssl_prefer_server_ciphers   on;


        location / {

            root   html;

            index  index.html index.htm;

        }

    }




Check the configuration (this also catches a wrong certificate path or a key that still has a passphrase), then reload nginx:

[root@nginx conf]# /usr/local/nginx/sbin/nginx -t

[root@nginx conf]# /usr/local/nginx/sbin/nginx -s reload


To reach the site from the physical host, add an entry for www.bill.com pointing at the server's address to the local hosts file.

http://www.bill.com is served on port 80

https://www.bill.com is served on port 443; because the certificate is self-signed (and its CN does not match the hostname), the browser will show a warning that has to be accepted for this lab setup.


This article is from the "落叶飘远方" blog; please keep this attribution: http://shunzi.blog.51cto.com/8289655/1536055