For Nginx to serve TLS it must be built with the --with-http_ssl_module module. Nginx can also serve HTTPS for several virtual hosts on one server (one IP and port), which relies on SNI; `nginx -V` reports this as "TLS SNI support enabled". First confirm that the installed binary has both:
```
[root@localhost ~]# nginx -V
nginx version: nginx/1.14.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/apps/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre --with-stream --with-stream_ssl_module --with-stream_realip_module
```
Create a directory for the certificates and keys:

```
[root@localhost ~]# mkdir /apps/nginx/certs
[root@localhost ~]# cd /apps/nginx/certs
```
Generate a private CA: a 4096-bit RSA key and a self-signed certificate valid for 10 years. `-nodes` leaves ca.key unencrypted on disk, so restrict its permissions (it should be readable by root only); anyone who obtains it can issue certificates that every client trusting ca.crt will accept.

```
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt
Generating a 4096 bit RSA private key
....................++
...........................................................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:438214186@qq.com
```
Generate the server's private key and a certificate signing request (CSR). The Common Name must be the hostname clients will connect to, here www.mylinuxops.com. Leave the challenge password empty; it is not used by this signing flow.

```
[root@localhost certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.mylinuxops.com.key -out www.mylinuxops.com.csr
Generating a 4096 bit RSA private key
.......................................................................................++
.............................................................................................................................................................................................++
writing new private key to 'www.mylinuxops.com.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:magedu.com
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:www.mylinuxops.com
Email Address []:438214186@qq.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
```
Sign the CSR with the CA. `-CAcreateserial` creates ca.srl with a random serial number on the first run and increments it on later runs.

```
[root@localhost certs]# openssl x509 -req -days 3650 -in www.mylinuxops.com.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.mylinuxops.com.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=magedu.com/OU=ops/CN=www.mylinuxops.com/emailAddress=438214186@qq.com
Getting CA Private Key
```

Inspect the result:
```
[root@localhost certs]# openssl x509 -in www.mylinuxops.com.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            b9:a1:a3:24:b8:03:cc:86
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=magedu.com, OU=ops, CN=ca.magedu.com/emailAddress=438214186@qq.com
        Validity
            Not Before: May 29 12:06:50 2019 GMT
            Not After : May 26 12:06:50 2029 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=magedu.com, OU=ops, CN=www.mylinuxops.com/emailAddress=438214186@qq.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Modulus:
                    00:e9:2c:9b:56:63:b7:64:e0:37:f4:07:8e:0e:e2:
                    4b:6f:47:c4:e3:25:5d:2d:b6:64:e6:0e:36:fa:de:
                    81:0a:83:e8:61:f2:8b:e4:a0:2f:21:b4:db:6f:94:
                    e7:5c:b9:d9:6b:ca:3d:d0:6e:f5:a2:6c:a7:2f:38:
                    2f:60:d1:ca:07:55:90:6b:18:75:e2:51:9c:7b:5c:
                    79:30:50:e3:01:e0:93:c5:ee:06:79:51:9b:18:c7:
                    ba:ed:4f:30:2d:aa:a8:15:3c:1c:02:23:c7:1e:c5:
                    68:69:7c:69:9c:08:ef:9c:69:6e:8b:6d:d7:1f:5b:
                    64:45:6a:37:03:4a:1e:10:fb:36:24:6a:ce:3f:48:
                    4b:46:5c:39:d6:14:79:5d:c4:c8:8f:d1:9d:e5:68:
                    23:e3:79:18:44:2a:20:71:5b:02:27:a3:17:20:47:
                    aa:8c:42:b6:00:d9:2e:45:65:a4:e9:2e:cf:d1:a8:
                    72:7d:3d:4a:d9:f8:78:44:3b:ae:0c:6d:f6:e5:da:
                    7f:10:45:4a:09:b3:b3:ba:cb:f7:c6:ab:31:cb:8c:
                    4d:d6:db:13:49:cc:f5:a9:78:3d:7d:67:b9:03:09:
                    f8:6d:b2:87:13:5d:61:d8:c3:a5:fa:97:2d:27:e2:
                    4a:53:89:4c:c2:11:05:03:6f:5a:ff:ed:35:43:44:
                    98:0b:a8:0b:ba:71:64:d7:f1:59:0e:4d:e3:ca:77:
                    7c:66:91:4e:9d:e7:53:82:12:99:31:ba:78:85:d8:
                    39:03:14:1c:46:70:5c:24:3e:f0:0a:65:30:da:03:
                    eb:70:76:8a:70:b6:9a:9c:cb:e9:b3:4d:b3:3b:bc:
                    e6:cd:7d:5a:5c:61:d1:f5:47:80:be:c5:c3:f1:08:
                    6e:79:56:06:57:8a:67:e5:e8:af:eb:b0:ba:f5:54:
                    18:6d:ce:df:28:a5:b0:18:18:9f:91:ad:e7:d1:c4:
                    f3:35:d1:54:7f:a2:48:1b:62:a1:59:50:1b:6f:2e:
                    3e:9b:38:f9:99:85:b3:91:b0:87:ce:88:13:2a:fc:
                    d9:1d:6c:9d:38:f0:97:53:c0:9d:46:a1:e7:a8:08:
                    2f:d4:90:8b:3a:9b:a4:22:4a:31:23:0d:13:b9:97:
                    29:37:df:47:e9:06:95:e5:25:13:90:aa:a1:c6:11:
                    64:fd:49:84:0a:81:15:8d:fb:ef:29:28:b2:6b:b0:
                    82:a4:d1:8c:f4:cd:7a:88:3b:14:77:b2:55:f0:e3:
                    4f:a6:3a:11:4b:3b:26:9e:a2:e6:b9:a1:dc:07:c6:
                    da:01:d3:63:88:1b:05:c7:88:b7:5b:13:1b:83:31:
                    7c:0e:e7:09:11:f3:a5:b5:26:20:2c:34:f6:21:ac:
                    af:ab:97
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption
         a2:42:b5:26:40:63:2c:6f:c8:58:0f:ae:59:05:31:96:10:c5:
         9e:26:78:74:d5:21:75:82:8d:3b:ad:71:ab:94:78:ce:d3:45:
         0d:ad:e1:9d:1f:b7:e6:de:f0:2b:e6:2d:7e:fe:3b:0c:f2:5a:
         85:7c:3b:f4:01:2c:e8:cd:71:b4:e0:e1:8a:cf:e5:90:c3:93:
         6d:2d:22:fb:f8:79:24:a6:f8:ed:ed:1c:97:db:52:31:69:74:
         3c:c1:00:45:1e:74:f0:93:3d:f6:15:82:39:3b:4c:6c:bb:72:
         4b:66:fd:6d:10:56:a1:86:a0:11:02:2a:c4:de:80:fd:93:d6:
         5f:c2:18:b7:1a:f3:89:4e:dc:18:b8:fc:70:eb:94:51:91:fc:
         f7:7a:1b:cf:36:fa:52:c9:1a:95:e6:ec:bb:1a:ef:7d:dc:67:
         62:dc:95:13:76:7e:a3:17:3f:c6:cb:82:a6:bb:89:69:98:1c:
         3e:78:e8:94:50:71:7f:be:66:94:7d:de:bb:02:1a:57:ad:f2:
         56:bc:61:a1:7d:c0:1c:f7:df:1b:75:7f:d0:0c:19:46:a8:d6:
         37:e4:b6:a7:0e:12:2a:04:a6:ad:ee:ec:ae:7f:49:bf:bb:a7:
         d7:3c:71:eb:e6:d0:97:f8:4b:22:29:34:11:3c:86:e9:e7:51:
         35:92:0b:4a:3b:d6:39:db:54:50:bf:d2:f2:ed:da:ca:e8:e7:
         55:b9:36:c9:29:13:83:51:2c:de:5d:df:da:53:58:47:64:5b:
         92:1c:44:ec:61:7d:d5:b4:77:04:16:3e:24:5b:48:60:df:63:
         a3:36:57:a0:e1:f1:39:e4:bc:f5:81:53:7e:50:a3:b8:85:32:
         d8:58:60:4e:bb:ee:24:ee:d9:74:62:c3:e0:c8:80:5a:58:af:
         09:6d:73:b4:05:f2:0d:2c:04:47:a0:0b:3e:75:2e:13:a5:e1:
         f2:1f:06:ad:88:36:70:03:5b:c4:38:94:22:da:0e:56:c2:f5:
         6d:31:4c:ef:9e:05:2e:85:87:fa:2b:21:76:fc:c4:f9:13:d4:
         1c:c4:1a:31:95:b9:5d:ee:38:31:de:3d:35:00:76:9d:d8:45:
         e1:97:c0:10:07:5e:1c:5c:ad:85:51:37:8e:11:93:6d:69:cd:
         b4:70:8b:45:1d:c3:57:61:d0:8b:ea:f8:2c:91:9c:22:71:00:
         70:02:e3:4b:3e:19:1f:67:1d:9c:9f:e2:ae:64:1b:53:6c:be:
         5e:15:5e:de:15:36:e2:55:37:07:8f:c9:62:06:ce:d9:5a:99:
         99:cb:bc:a4:fc:88:7e:cf:45:91:f1:1f:20:e4:eb:a7:0f:b9:
         8f:0e:5a:25:71:5f:d1:1a
```

Note the `Version: 1 (0x0)` line: because `openssl x509 -req` was run without `-extfile`, the certificate carries no extensions at all, and in particular no subjectAltName. curl (as used in the test at the end) still falls back to matching the Common Name when there is no SAN, so the check below passes, but Chrome (since version 58) and other current browsers ignore the CN and will reject this certificate. For browser use, sign with an extensions file that sets `subjectAltName = DNS:www.mylinuxops.com`.

Now configure the virtual host. The server block in nginx.conf:
```
server {
    server_name www.mylinuxops.com;
    listen 443;
    ssl on;
    ssl_certificate /apps/nginx/certs/www.mylinuxops.com.crt;      # certificate file
    ssl_certificate_key /apps/nginx/certs/www.mylinuxops.com.key;  # private key file
    ssl_session_timeout 10m;            # how long a cached TLS session may be resumed
    ssl_session_cache shared:SSL:20m;   # session cache; "shared" is visible to all worker processes and needs a name and a size; per the nginx docs 1 MB holds about 4000 sessions
    location / {
        root /data/www;
        index index.html;
    }
}
```

Two caveats on this block. `ssl on;` is deprecated since nginx 1.15.0 (and removed in 1.25.1); the equivalent that works on all versions is `listen 443 ssl;` with the `ssl` directive dropped. The block also sets no `ssl_protocols`, so the nginx 1.14.2 default of `TLSv1 TLSv1.1 TLSv1.2` applies; restrict it to TLSv1.2 and above in production. The private key should be readable only by root: the nginx master process runs as root and loads the key before the workers drop to the `nginx` user.
Check the syntax and reload:

```
[root@localhost nginx]# nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
[root@localhost nginx]# nginx -s reload
```
Test with curl. `--cacert` makes curl trust the private CA for this request only; without it (or with the CA imported into the client's trust store) curl refuses the connection because ca.crt is unknown. The name www.mylinuxops.com must resolve to this server (for example through /etc/hosts), and the response body is the contents of /data/www/index.html:

```
[root@localhost nginx]# curl --cacert /apps/nginx/certs/ca.crt https://www.mylinuxops.com
mylinux.com
```
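The whole procedure above as one non-interactive script. This is an added example, not code from the original post: it passes the DN with `-subj` instead of answering prompts, signs the CSR with an `-extfile` so the leaf is an X.509 v3 certificate carrying a subjectAltName (the page's certificate is v1 with no SAN), verifies the chain with `openssl verify`, and prints the server block with `listen 443 ssl` in place of the deprecated `ssl on`. The output directory, hostname, key-size parameter and DN values are assumptions chosen to mirror the page.

```shell
#!/bin/sh
# Added example (not from the original post): CA -> CSR -> signed server
# certificate with SAN, then chain verification and an nginx server block.
# DIR, HOST, key size and the DN values below are assumptions.
set -eu

# make_certs DIR HOST [BITS]
# Writes ca.key/ca.crt and HOST.key/HOST.csr/HOST.crt into DIR.
make_certs() {
  dir="$1"
  host="$2"
  bits="${3:-4096}"   # the page uses rsa:4096; smaller only to speed up tests
  mkdir -p "$dir"

  # 1. Private CA, self-signed for 10 years. -nodes leaves ca.key unencrypted
  #    (as on the page), so at minimum lock down its permissions.
  openssl req -newkey "rsa:$bits" -nodes -sha256 -x509 -days 3650 \
    -subj "/C=CN/ST=BJ/L=BJ/O=magedu.com/OU=ops/CN=ca.magedu.com" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  chmod 600 "$dir/ca.key"

  # 2. Server key and CSR; CN is the hostname clients connect to.
  openssl req -newkey "rsa:$bits" -nodes -sha256 \
    -subj "/C=CN/ST=BJ/L=BJ/O=magedu.com/OU=ops/CN=$host" \
    -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
  chmod 600 "$dir/$host.key"

  # 3. Leaf extensions: not a CA, TLS server use only, and the SAN that
  #    browsers require for hostname matching.
  cat > "$dir/$host.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF

  # 4. Sign with the CA. -extfile makes this a v3 certificate; without it
  #    (the page's invocation) the result is v1 with no extensions.
  openssl x509 -req -days 3650 -sha256 -in "$dir/$host.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/$host.ext" -out "$dir/$host.crt" 2>/dev/null

  # 5. The same trust check curl --cacert performs: leaf chains to our CA.
  openssl verify -CAfile "$dir/ca.crt" "$dir/$host.crt" >/dev/null
}

# cert_has CERT PATTERN: exit 0 if the decoded certificate text contains
# PATTERN (e.g. "Version: 3" or "DNS:www.mylinuxops.com").
cert_has() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# nginx_server_block HOST DIR: the page's server{} block with "ssl on;"
# replaced by "listen 443 ssl;" and protocols limited to TLS 1.2+
# (TLSv1.3 is negotiated only when nginx is built against OpenSSL 1.1.1+).
nginx_server_block() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     $2/$1.crt;
    ssl_certificate_key $2/$1.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:20m;
    location / {
        root /data/www;
        index index.html;
    }
}
EOF
}

# Stand-alone use: ./mkcerts.sh run  (builds ./certs and prints the block)
if [ "${1:-}" = "run" ]; then
  make_certs ./certs www.mylinuxops.com
  cert_has ./certs/www.mylinuxops.com.crt "DNS:www.mylinuxops.com"
  nginx_server_block www.mylinuxops.com ./certs
fi
```

After running it, `openssl x509 -in certs/www.mylinuxops.com.crt -noout -text` shows `Version: 3 (0x2)` and an `X509v3 Subject Alternative Name` section, which is what distinguishes this certificate from the one dumped above.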
Reprinted from: https://blog.51cto.com/11886307/2403938