码迷,mamicode.com
首页 > 其他好文 > 详细

建立私有CA及Nginx绑定SSL加密

时间:2018-04-10 21:51:19      阅读:202      评论:0      收藏:0      [点我收藏+]

标签:Nginx

生成CA私钥

[root@client03 ~]#cd /etc/pki/CA/ ---------------进入CA目录
[root@client03 CA]#(umask 077; openssl genrsa -out private/ca.key 2048)----------生成私钥,可以生成2048或者1024位

Generating RSA private key, 2048 bit long modulus
..............................................................+++
..........................+++
e is 65537 (0x10001)

生成 CA 的证书

[root@client03 CA]#openssl req -new -x509 -key private/ca.key -out cacert.crt -days 3650

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]: CN     ##国家的名字
State or Province Name (full name) []:BJ      ##你所在的省份
Locality Name (eg, city) [Default City]: BJ    ##你所在的城市
Organization Name (eg, company) [Default Company Ltd]: maiya   ##你的组织机构名(公司名)
Organizational Unit Name (eg, section) []: jiaoxue
Common Name (eg, your name or your server‘s hostname) []: ca.maiya.com    ##域名
Email Address []:

生成Nginx 的私钥、申请文件、CA颁发证书

生成Nginx私钥:

[root@client03 ~]#cd /etc/nginx/
[root@client03 nginx]#mkdir ssl
[root@client03 nginx]#cd ssl/
[root@client03 ssl]# (umask 077; openssl genrsa -out nginx.key 2048)

Generating RSA private key, 2048 bit long modulus
............+++
.................................................+++
e is 65537 (0x10001)

[root@client03 ssl]# ls ---------------------生成nginx私钥
nginx.key

生成申请文件

[root@client03 ssl]# openssl req -new -key nginx.key -out nginx.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
##If you enter ‘.‘, the field will be left blank.
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:maiya
Organizational Unit Name (eg, section) []:jiaoxue
Common Name (eg, your name or your server‘s hostname) []:web.maiya.com
Email Address []:
Please enter the following ‘extra‘ attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

[root@client03 ssl]# ls
nginx.csr nginx.key

向CA提交申请文件

[root@client03 ssl]# cp nginx.csr /etc/pki/CA/

CA颁发证书

[root@client03 ssl]# cd /etc/pki/CA/
[root@client03 CA]# openssl ca -in nginx.csr -out nginx.crt -days 365

将证书绑定在Nginx上

在nginx的配置文件添加如下内容:

server {
listen 443 ssl http2 default_server;
server_name web.maiya.com;
root /usr/share/nginx/html;
ssl_certificate "/etc/nginx/ssl/nginx.crt";
ssl_certificate_key "/etc/nginx/ssl/nginx.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}

建立私有CA及Nginx绑定SSL加密

标签:Nginx

原文地址:http://blog.51cto.com/13581826/2096682

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!