1. The API was previously exposed at http://172.28.5.4. The customer asked for it to be upgraded to HTTPS; because the service is accessed by IP address, a self-signed certificate is generated and nginx is configured to use it.

2. Create a new_cert directory under /home to hold the certificates and related files.
[root@localhost home]# new_cert
3. Use openssl to generate the server and client private keys and public keys

3.1 Generate the server private key
[root@localhost home]# cd new_cert/
[root@localhost new_cert]# openssl genrsa -out server.key
Generating RSA private key, bit modulus
..............................++++++
...........................++++++
e is ()
[root@localhost new_cert]#

3.2 Generate the server public key
[root@localhost new_cert]# openssl rsa -in server.key -pubout -out server.pem
writing RSA key
[root@localhost new_cert]#

3.3 Generate the client private key
[root@localhost new_cert]# openssl genrsa -out client.key
Generating RSA private key, bit modulus
...............................................++++++
...................++++++
e is ()
[root@localhost new_cert]#

3.4 Generate the client public key
[root@localhost new_cert]# openssl rsa -in client.key -pubout -out client.pem
writing RSA key
[root@localhost new_cert]#

[root@localhost new_cert]# ll
total
-rw-r--r-- root root Jan : client.key
-rw-r--r-- root root Jan : client.pem
-rw-r--r-- root root Jan : server.key
-rw-r--r-- root root Jan : server.pem
[root@localhost new_cert]#
4. Generate the CA certificate

4.1 Generate the CA private key
[root@localhost new_cert]# openssl genrsa -out ca.key
Generating RSA private key, bit modulus
.....++++++
.........++++++
e is ()
[root@localhost new_cert]#

4.2 Generate the CA certificate signing request (CSR)
[root@localhost new_cert]# openssl req -new -key ca.key -out ca.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter , the field will be left blank.
-----
Country Name ( letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_ca
Organizational Unit Name (eg, section) []:hl95_sms_ca
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]#

4.3 Sign the CSR with the private key to produce the CRT certificate
[root@localhost new_cert]# openssl x509 -req -in ca.csr -signkey ca.key -out ca.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=honglian95/OU=honglian95_hlsms/CN=test.hl95.com
Getting Private key
[root@localhost new_cert]#
5. Generate the server and client CRT certificates

5.1 Generate the server signing request (CSR)
[root@localhost new_cert]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter , the field will be left blank.
-----
Country Name ( letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_server
Organizational Unit Name (eg, section) []:hl95_sms_server
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]#

5.2 Generate the client signing request (CSR)
[root@localhost new_cert]# openssl req -new -key client.key -out client.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter , the field will be left blank.
-----
Country Name ( letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:chaoyang
Organization Name (eg, company) [Default Company Ltd]:hl95_client
Organizational Unit Name (eg, section) []:hl95_sms_client
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:172.28.5.4
[root@localhost new_cert]#

Note: the server's and the client's Organization Name (eg, company) and Organizational Unit Name must both differ from the CA's, otherwise signing will not work.

5.3 Request signed CRT certificates (server and client) from the CA just created
[root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_server/OU=hl95_sms_server/CN=172.28.5.4
Getting CA Private Key
[root@localhost new_cert]# openssl x509 -req -CA ca.crt -CAkey ca.key -CAcreateserial -in client.csr -out client.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_client/OU=hl95_sms_client/CN=172.28.5.4
Getting CA Private Key
[root@localhost new_cert]#

[root@localhost new_cert]# ll
total
-rw-r--r-- root root Jan : ca.crt
-rw-r--r-- root root Jan : ca.csr
-rw-r--r-- root root Jan : ca.key
-rw-r--r-- root root Jan : ca.srl
-rw-r--r-- root root Jan : client.crt
-rw-r--r-- root root Jan : client.csr
-rw-r--r-- root root Jan : client.key
-rw-r--r-- root root Jan : client.pem
-rw-r--r-- root root Jan : server.crt
-rw-r--r-- root root Jan : server.csr
-rw-r--r-- root root Jan : server.key
-rw-r--r-- root root Jan : server.pem
[root@localhost new_cert]#
6. Finally, produce the key and crt files that nginx needs
[root@localhost new_cert]# openssl rsa -in server.key -out server_nginx.key
writing RSA key
[root@localhost new_cert]# openssl x509 -req -days -in server.csr -signkey server_nginx.key -out server_nginx.crt
Signature ok
subject=/C=cn/ST=beijing/L=chaoyang/O=hl95_server/OU=hl95_sms_server/CN=172.28.5.4
Getting Private key
[root@localhost new_cert]#
7. Upload the key and crt files to the nginx host and edit the nginx configuration file (https://.:8061)

user nginx;
worker_processes ;

error_log /var/log/nginx/.log warn;
pid /var/run/nginx.pid;

events {
    worker_connections ;
    accept_mutex on;
    multi_accept on;
    use epoll;
}

http {
    include mime.types;
    default_type application/octet-stream;

    #log_format main # # ;
    #access_log logs/access.log main;

    sendfile on;
    #tcp_nopush on;

    #keepalive_timeout ;
    keepalive_timeout ;

    # on;

    upstream sms-web-wx {
        server .:;
        server .:;
    }

    server {
        listen ;
        server_name localhost;

        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            proxy_pass http:
            proxy_set_header host $host;
            proxy_set_header X-real-ip $remote_addr;
            proxy_set_header X-forwarded- $proxy_add_x_forwarded_for;
        }

        error_page /50x.html;
        location = /50x.html {
            root html;
        }
    }

    server {
        listen ssl;
        server_name zx.sms.web;

        ssl_certificate /home/cert/server_nginx.crt;
        ssl_certificate_key /home/cert/server_nginx.key;

        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;

        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4;
        ssl_protocols TLSv1 TLSv1. TLSv1.;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http:
            proxy_set_header host $host;
            proxy_set_header X-real-ip $remote_addr;
            proxy_set_header X-forwarded- $proxy_add_x_forwarded_for;
        }
    }
}
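As an added example (not the post's configuration), here is a tightened version of the HTTPS server block. It drops TLS 1.0/1.1 in favour of TLS 1.2/1.3 with AEAD cipher suites, and it puts the client certificate from section 5 to use, which the post generates but never wires up: with `ssl_client_certificate` and `ssl_verify_client on`, nginx accepts only clients presenting a certificate issued by ca.crt. The server name zx.sms.web and the upstream sms-web-wx come from the post; the port, paths and ssl_client_certificate location are assumptions, and it assumes /home/cert/server_nginx.crt is the CA-issued server certificate (server.crt from section 5), not the self-signed one from section 6.

```nginx
# Added example, not the post's config. Assumes the CA-issued server.crt/key
# and ca.crt were copied to /home/cert; port 443 and paths are assumptions.
server {
    listen 443 ssl;
    server_name zx.sms.web;

    ssl_certificate     /home/cert/server_nginx.crt;
    ssl_certificate_key /home/cert/server_nginx.key;

    # TLS 1.0 and 1.1 are deprecated; offer only 1.2 and 1.3 with AEAD suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Mutual TLS: require a client certificate issued by the private CA
    # (this is what client.crt from section 5 is for).
    ssl_client_certificate /home/cert/ca.crt;
    ssl_verify_client on;

    location / {
        proxy_pass http://sms-web-wx;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Run `nginx -t` after editing and reload; a client without a CA-issued certificate then receives HTTP 400 from nginx instead of reaching the upstream.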
8. Open the address in the browser
Click "Continue to this website".
Then click the certificate error and view the certificate.
It reports that the certificate is not trusted; click "Install Certificate".
After installation, restart the browser.
The certificate error no longer appears (Internet Options - Content - Certificates).
9. Convert the crt certificate to pfx format (for Tomcat)
[root@localhost new_cert]# openssl pkcs12 -export -in server_nginx.crt -inkey server_nginx.key -out client.pfx
Enter Export Password:
Verifying - Enter Export Password:
Reference link: https://www.cnblogs.com/sky-cheng/p/15789441.html