生成 key 文件
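# Generate the RSA private key for debug.siguoya.name.
# -aes256 encrypts the key file under a pass phrase (prompted twice below);
# the original used -idea, a legacy cipher, and 1024 bits, which is below the
# 2048-bit minimum expected of RSA keys today, so both are raised here.
# The pass phrase is asked for again when the CSR and the CRT are created.
openssl genrsa -aes256 -out debug.siguoya.name.key 2048
# Prompts shown when the command runs:
#   Enter pass phrase for debug.siguoya.name.key:
#   Verifying - Enter pass phrase for debug.siguoya.name.key: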
通过 key 文件,生成 csr 文件
# Create a certificate signing request (CSR) from the key.
# The key's pass phrase (chosen when the key was generated) is prompted first;
# the Common Name must match the server_name nginx is configured with.
openssl req -new -key debug.siguoya.name.key -out debug.siguoya.name.csr
# Interactive session, with the answers used on this page:
#   Enter pass phrase for debug.siguoya.name.key:            <- the key file's pass phrase
#   Country Name (2 letter code) [XX]:CN
#   State or Province Name (full name) []:GuangDong
#   Locality Name (eg, city) [Default City]:GuangZhou
#   Organization Name (eg, company) [Default Company Ltd]:company
#   Organizational Unit Name (eg, section) []:section
#   Common Name (eg, your name or your servers hostname) []:debug.siguoya.name
#   Email Address []:924714558@qq.com
#   Please enter the following extra attributes to be sent with your certificate request
#   A challenge password []:      <- unrelated to the key pass phrase; leave empty
#   An optional company name []:
将 key 文件与 csr 文件进行打包,生成 crt 文件
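# Self-sign the CSR with the key to produce the certificate.
# -days 3650 sets the validity period to ten years.
# -sha256 selects a SHA-256 signature; without it the stock OpenSSL on this
# page signs with SHA-1 ("sha1WithRSAEncryption" in the x509 -text output
# shown further down), which browsers no longer accept for TLS certificates.
openssl x509 -req -sha256 -days 3650 -in debug.siguoya.name.csr -signkey debug.siguoya.name.key -out debug.siguoya.name.crt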
# HTTPS server block for debug.siguoya.name.
server {
    listen 443 ssl;
    server_name debug.siguoya.name;
    # Certificate and private key produced by the openssl commands above.
    # nginx reads the key at startup; while the key is pass-phrase protected,
    # every restart prompts for that pass phrase.
    ssl_certificate /etc/nginx/debug.siguoya.name.crt;
    ssl_certificate_key /etc/nginx/debug.siguoya.name.key;
    # NOTE(review): no ssl_protocols directive here, so nginx's built-in
    # default applies, which on releases of this era still admits TLS 1.0/1.1;
    # consider restricting to TLSv1.2.
    location / {
        root /path/to/project;
        index index.html;
    }
}
上述配置对于 crt 证书、pem 证书都适用。配置完以后,需要执行 nginx -s stop && nginx。如果访问时报错 https Connection refused,可以使用 nmap 检查一下服务器是否开放了 443 端口。
配置完成以后,发现每次重启 nginx,都会要求我们输入证书的密码,这个可以通过以下方式来解决
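# Strip the pass phrase from the key so nginx can start unattended.
# The resulting file is protected by nothing but filesystem permissions, so
# create it with mode 0600 from the start: umask 077 inside a subshell does
# that without changing the caller's umask. (The original command left the
# unencrypted key at whatever mode the default umask produced.)
(umask 077 && openssl rsa -in ./debug.siguoya.name.key -out ./debug.siguoya.name.nopass.key)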
然后把配置中的证书私钥文件改为免密码的文件
# Point nginx at the pass-phrase-free key instead of the encrypted one, so a
# restart no longer prompts; keep this file readable by root/nginx only.
ssl_certificate_key /etc/nginx/debug.siguoya.name.nopass.key;
检测地址1: https://myssl.com/ats.html
检测地址2: https://www.qcloud.com/produc...
升级 centos7 默认的 openssl 1.0.1 版本
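# Build OpenSSL 1.0.2k from source into /usr/local/openssl/1.0.2 and make it
# the system default, replacing the CentOS 7 stock 1.0.1 binary and headers.
# Runs as root and rewrites paths under /usr, so stop at the first failure
# instead of moving system files after a broken download or build.
# NOTE(review): 1.0.2 itself reached upstream end-of-life at the end of 2019;
# treat this as a historical recipe rather than a current upgrade path.
set -e
openssl_ver=1.0.2k
tarball="openssl-${openssl_ver}.tar.gz"
# Checksum published by openssl.org for this tarball — fill in before running.
expected_sha256='<sha256 of openssl-1.0.2k.tar.gz as published on openssl.org>'
wget "https://www.openssl.org/source/${tarball}"
# Verify the archive before anything from it is compiled and installed
# system-wide; the original recipe built whatever the download returned.
printf '%s  %s\n' "$expected_sha256" "$tarball" | sha256sum -c -
tar -zxvf "$tarball"
cd "openssl-${openssl_ver}"
./config --prefix=/usr/local/openssl/1.0.2
make && make install
# Keep the stock binary and headers as .bak so the change can be reverted.
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/openssl/1.0.2/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/1.0.2/include/openssl /usr/include/openssl
# Make the new shared libraries resolvable for dynamically linked programs.
echo '/usr/local/openssl/1.0.2/lib' >> /etc/ld.so.conf
ldconfig -v
openssl version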
# Print the installed OpenSSL version string; a stock CentOS 7 reports
# "OpenSSL 1.0.1e-fips 11 Feb 2013".
openssl version
# Dump the certificate in human-readable form. The "Signature Algorithm"
# line shows the digest used for the signature — sha1WithRSAEncryption for a
# certificate issued by the stock 1.0.1 build without -sha256.
openssl x509 -in ./debug.siguoya.name.crt -noout -text
如果生成 crt 文件时直接使用 -keyout 选项(并配合 -nodes 不加密私钥),则无需在 nginx 重启的时候输入证书密码
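# One-shot variant: generate a fresh 2048-bit RSA key and a self-signed,
# SHA-256-signed certificate valid for ten years.
# -nodes leaves the key unencrypted, so nginx restarts do not prompt for a
# pass phrase — the key is then protected only by file permissions, so it is
# created with mode 0600 (umask 077 in a subshell keeps the caller's umask).
# NOTE(review): the certificate carries only a Common Name; current browsers
# match the hostname against subjectAltName, which this OpenSSL 1.0.x command
# line cannot add without an extensions config — confirm against the client
# you need before relying on this certificate.
(umask 077 && openssl req -x509 -days 3650 -sha256 -nodes -newkey rsa:2048 -keyout debug.siguoya.name.key -out debug.siguoya.name.crt)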
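# TLS tuning for the HTTPS server block.
keepalive_timeout 100;
# Session cache shared across worker processes, entries expire after 5 minutes;
# avoids a full handshake on repeat connections.
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
# Accept TLS 1.2 only. The original snippet set no ssl_protocols, leaving
# nginx's default, which on releases of this era still admits TLS 1.0/1.1.
# Add TLSv1.3 on nginx/OpenSSL builds that support it.
ssl_protocols TLSv1.2;
# Exclude anonymous (unauthenticated) and MD5-based suites, and let the
# server's preference order win over the client's.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;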
如果我们不想让用户通过 HTTP 来访问,则可以通过以下配置将 HTTP 访问强制跳转为 HTTPS 访问
# Plain-HTTP listener whose only job is to send every request to HTTPS.
server {
    listen 80;
    server_name debug.siguoya.name;
    location / {
        # Permanent (301) redirect, preserving the original path and query.
        return 301 https://debug.siguoya.name$request_uri;
    }
}
# Decode every certificate in the CentOS system CA bundle.
# crl2pkcs7 -nocrl wraps the PEM bundle into a PKCS#7 structure so that a
# single pkcs7 -print_certs call walks all of the certificates.
openssl crl2pkcs7 -certfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -nocrl \
  | openssl pkcs7 -noout -text -print_certs
# Same dump, reduced to the Subject lines that carry a Common Name.
openssl crl2pkcs7 -certfile /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem -nocrl \
  | openssl pkcs7 -noout -text -print_certs \
  | grep -F -- 'CN=' \
  | grep -F -- 'Subject'