使用openssl生成证书，并通过Nginx配置

wintelsui 2022-07-06 发布于北京

展开全文

创建服务器证书密钥文件 server.key

openssl genrsa -des3 -out server.key 2048

这个时候会提示输入密码这个密码要记住

openssl语法

openssl  genrsa [-out filename] [-passout arg] [-f4] [-3] [-rand file(s)] [-engine id] [numbits] [-des] [-des3] [-idea]

usage: genrsa [args] [numbits]
 -des            encrypt the generated key with DES in cbc mode
 -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
 -idea           encrypt the generated key with IDEA in cbc mode
 -seed
                 encrypt PEM output with cbc seed
 -aes128, -aes192, -aes256
                 encrypt PEM output with cbc aes
 -camellia128, -camellia192, -camellia256
                 encrypt PEM output with cbc camellia
 -out file       output the key to 'file
 -passout arg    output file pass phrase source
 -f4             use F4 (0x10001) for the E value
 -3              use 3 for the E value
 -engine e       use engine e, possibly a hardware device.
 -rand file:file:...
                 load the file (or the files in the directory) into
                 the random number generator

创建服务器证书的申请文件 server.csr

openssl req -new -key server.key -out server.csr

会要求输入下面内容

输出内容为：

Enter pass phrase for root.key: 输入前面创建的密码

Country Name (2 letter code) [AU]:CN 国家代号，中国输入CN

State or Province Name (full name) [Some-State]:BeiJing 省的全名，拼音

Locality Name (eg, city) []:BeiJing 市的全名，拼音

Organization Name (eg, company) [Internet Widgits Pty Ltd]:Yvioo 公司英文名(可以随便输入)

Organizational Unit Name (eg, section) []: 单位名可以不输入

Common Name (eg, YOUR name) []: 输入你的名字

Email Address []:admin@mycompany.com 电子邮箱随便填

Please enter the following 'extra’ attributes

to be sent with your certificate request

A challenge password []: 可以不输入

An optional company name []: 可以不输入

备份一份服务器密钥文件

cp server.key server.key.org

去除文件口令

openssl rsa -in server.key.org -out server.key

会要求输入之前的密码输入一开始的密码

生成证书文件server.crt

openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

然后文件夹下会有四个文件

配置Nginx的证书

这个路径根据自己的来

# HTTPS server
    #
    server {
        listen       443 ssl;
        server_name  localhost;

        ssl_certificate      /usr/share/nginx/html/ssl/server.crt;
        ssl_certificate_key  /usr/share/nginx/html/ssl/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            root   /usr/share/nginx/html;
            index  index.html index.htm;
        }
    }

只允许使用ssl方式访问

对应相关的修改为就是把上面的ssl去掉了