nginx SSL certificate configuration
1. Overview
To serve the site over HTTPS without the browser's warning indicator, nginx needs an SSL/TLS certificate.
HTTPS (Hypertext Transfer Protocol Secure) is HTTP carried over an encrypted transport. Plain HTTP sends everything in cleartext, so private data such as credentials and session cookies can be read or altered by anyone on the path. HTTPS keeps the HTTP semantics but wraps the connection in SSL/TLS, which provides confidentiality, integrity and, through the server certificate, authentication of the server; protecting data in transit is the reason HTTPS exists.
2. Certificate background
The browser decides how to flag the connection by whether it can validate the certificate against its trust store.
2.1 Trusted certificate (browser shows the padlock / green https://)
Prerequisite: a domain that is reachable from the public Internet, registered by you. The certificate is issued by a public CA, which verifies control of the domain before signing; only a certificate chaining to a CA the browser trusts makes the site show as secure.
How to obtain one: https://www.jianshu.com/p/ceac8a4f6d03
2.2 Untrusted (self-signed) certificate (browser shows a red https:// warning)
Prerequisite: none; works on internal and external networks alike, because no CA is involved and the browser will warn regardless.
How to generate one: openssl (the rest of this article)
3. Configuring a yum-installed nginx
3.1 Install openssl
Most Linux distributions ship the openssl command-line tool by default; if it is missing, install it with the package manager (yum install openssl).
3.2 Install dependencies
3.2.1 Check whether nginx was built with the SSL module
Run nginx -V and look at the configure arguments: the SSL module is present if they contain --with-http_ssl_module. The nginx package from yum is built with it, so nothing further needs to be installed.
3.3 Prepare the private key and certificate
3.3.1 Create a passphrase-protected private key
openssl genrsa -des3 -out server.key 1024
(genrsa: RSA private-key generator | -des3: encrypt the key file with 3DES; openssl prompts for the passphrase, which in this walkthrough is 123456 | server.key: output key file | 1024: key length in bits. Note that 1024-bit RSA is below the current minimum and is rejected by browsers and CAs; use 2048 or more for anything beyond a throwaway test.)
Or, non-interactively: openssl genrsa -out server.key -passout pass:123456 -des3 1024
(Passing the passphrase on the command line leaves it in the shell history and visible to other users through ps; prefer the interactive prompt or -passout file:... when the key matters.)
[[email protected] key]# openssl genrsa -out server.key -passout pass:123456 -des3 1024
Generating RSA private key, 1024 bit long modulus
.....++++++
.....++++++
e is 65537 (0x10001)
3.3.2 Generate a certificate signing request (CSR)
openssl req -new -key server.key -out server.csr
(req: CSR tool | -new: create a new request | -key server.key: the private key generated above | -out server.csr: the CSR output file. This step does not sign anything; it records the subject name and public key that will later be signed.)
Field | Meaning
C | Country (two-letter code)
ST | State or province
L | Locality (city)
O | Organization name
OU | Organizational unit
CN | Common Name: the fully qualified hostname of the server (for this site, www.tg-t7.com), not a command name; a value that differs from the hostname makes the browser report a name mismatch
Reference: https://www.jianshu.com/p/b932ca0726f3
[[email protected] key]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: #### the private-key passphrase 123456 was typed here
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HN
Locality Name (eg, city) [Default City]:HN
Organization Name (eg, company) [Default Company Ltd]:TGC
Organizational Unit Name (eg, section) []:TGC
Common Name (eg, your name or your server's hostname) []:TGC ### should have been the hostname www.tg-t7.com; see section 4
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ### left blank
An optional company name []: ### left blank
3.3.3 Remove the passphrase from the server key (optional, but needed for unattended restarts)
cp server.key server.key.ori
openssl rsa -in server.key.ori -out server.key
Without this step nginx asks for the passphrase on every start and reload. The unencrypted key must then be protected by file permissions instead (chmod 600, owned by root), since anyone who can read it can impersonate the server.
[[email protected] key]# cp server.key server.key.ori
[[email protected] key]# ls
server.csr server.key server.key.ori
[[email protected] key]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:
writing RSA key
3.3.4 Generate a self-signed certificate from the CSR and the private key
openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
(-req: the input is a CSR | -days 3650: validity of ten years | -signkey server.key: sign the request with our own key. Because issuer and subject are the same key there is no chain to a trusted root, which is what makes the certificate self-signed and what the browser will object to.)
[[email protected] key]# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=HN/L=HN/O=TGC/OU=TGC/CN=TGC/[email protected]
Getting Private key
[[email protected] key]#
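The four commands in 3.3.1 to 3.3.4 can be collapsed into one openssl invocation. The script below is an added example, not the original post's commands: it generates the key and self-signed certificate in a single step with the two properties browsers actually check and the walkthrough's certificate lacks, a 2048-bit key and a subjectAltName equal to the hostname, and then verifies the result. It assumes OpenSSL 1.1.1 or newer (for -addext); the hostname www.tg-t7.com and the DN values are taken from the post, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not the original post's commands: produce the key and
# self-signed certificate from sections 3.3.1-3.3.4 in one step.
# Assumptions: OpenSSL 1.1.1 or newer (for -addext); hostname and DN
# values come from the post.
set -eu

# gen_selfsigned DIR HOST [DAYS]: write DIR/server.key and DIR/server.crt
gen_selfsigned() {
    dir="$1"; host="$2"; days="${3:-365}"
    mkdir -p "$dir"
    umask 077   # the private key is created 0600 so other users cannot read it
    # -x509 makes req emit a self-signed certificate directly, replacing
    # genrsa + req -new + x509 -req; -nodes leaves the key unencrypted so
    # nginx can restart unattended (section 3.3.3 did the same by hand).
    # -addext adds the subjectAltName that modern browsers require.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=CN/ST=HN/L=HN/O=TGC/CN=$host" \
        -addext "subjectAltName=DNS:$host"
    chmod 644 "$dir/server.crt"   # the certificate is public; only the key is secret
}

# key_bits KEYFILE: print the RSA modulus length in bits
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p'
}

# cert_has_san CERTFILE HOST: succeed if the certificate carries DNS:HOST
cert_has_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | grep -q "DNS:$2"
}

# key_matches_cert KEYFILE CERTFILE: succeed if both contain the same public key
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage: sh make-selfsigned.sh /etc/nginx/conf.d/key www.tg-t7.com [days]
if [ "$#" -ge 2 ]; then
    gen_selfsigned "$1" "$2" "${3:-365}"
    echo "key bits: $(key_bits "$1/server.key")"
    cert_has_san "$1/server.crt" "$2" && echo "SAN present for $2"
    key_matches_cert "$1/server.key" "$1/server.crt" && echo "key matches certificate"
    openssl x509 -in "$1/server.crt" -noout -subject -dates
fi
```

Run it as sh make-selfsigned.sh /etc/nginx/conf.d/key www.tg-t7.com to drop the files where the configuration in 3.4 expects them. The three check functions are the ones worth keeping around: a key that does not match its certificate is the most common cause of nginx refusing to start after a certificate rotation, and a missing SAN is the most common cause of a browser still warning after the certificate has been imported into the trust store.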
3.4 Create the nginx SSL configuration file
Minimal configuration (the ssl parameter on listen is required; without it nginx serves plain HTTP on port 443 and the browser reports a protocol error instead of a certificate warning):
[[email protected] conf.d]# cat tg-t7.conf
server {
    listen 443 ssl;
    server_name www.tg-t7.com;
    ssl_certificate /etc/nginx/conf.d/key/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/key/server.key;
    location / {
        root /opt/nginx/tg-t7;
        index index.htm index.html;
    }
}
Check the syntax with nginx -t and apply it with nginx -s reload. The key file referenced by ssl_certificate_key must be readable only by root (chmod 600); nginx's master process reads it as root before dropping privileges.
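A fuller server block, added here as an example and not taken from the original tg-t7.conf, that a practitioner would deploy once the certificate loads: it redirects plain HTTP to HTTPS, pins the TLS versions, and enables session resumption. The paths and hostname are the post's; the remaining directives are this example's assumptions.

```nginx
# Added example (not the original tg-t7.conf). Assumes the certificate and
# key from section 3.3 live under /etc/nginx/conf.d/key/ as in the post.
server {
    listen 80;
    server_name www.tg-t7.com;
    return 301 https://$host$request_uri;      # never serve the site over plain HTTP
}

server {
    listen 443 ssl;                            # "ssl" here is what enables TLS on the socket
    server_name www.tg-t7.com;

    ssl_certificate     /etc/nginx/conf.d/key/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/key/server.key;   # chmod 600, owner root

    ssl_protocols TLSv1.2 TLSv1.3;             # SSLv3 and TLS 1.0/1.1 are broken or deprecated
    ssl_session_cache shared:SSL:10m;          # resume sessions instead of full handshakes
    ssl_session_timeout 1d;

    location / {
        root  /opt/nginx/tg-t7;
        index index.htm index.html;
    }
}
```

Validate with nginx -t before nginx -s reload. Do not add an HSTS header while the site still uses a self-signed certificate: HSTS removes the browser's click-through option, so every visitor who has not imported the certificate is locked out.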
4. Accessing the site by domain name
Open https://www.tg-t7.com/ in the browser.
The page loads, but the https:// indicator is red. Two things are wrong with the certificate from the browser's point of view: it is self-signed, so no CA in the trust store vouches for it, and its Common Name (TGC) does not match the hostname, with no subjectAltName entry to fall back on (modern browsers check only the SAN). Importing the certificate into the browser's or operating system's trust store silences the warning on that one machine only; for the general public the only fix is a certificate from a public CA as described in section 2.1.