
Nginx HTTPS configuration

Create a key. Don't bother putting a password on it since you will need it to start apache. If you have a better workaround I'd love to hear it.

30.1 Purpose of the document
30.2 Document contents
30.3 The concepts of one-way and two-way authentication
30.3.1 What is one-way authentication
30.3.2 What is two-way authentication
30.4 Introduction to openssl
30.5 Prerequisites for configuring one-way and two-way SSL in Nginx
30.6 Making certificates with openssl
30.6.1 Server one-way authentication
30.6.1.1 Create and enter the sslkey storage directory
30.6.1.2 Generate the RSA key
30.6.1.3 Generate a certificate request
30.6.1.4 Modify the main nginx configuration file
30.6.1.5 Verify the result
30.6.2 Server and client two-way authentication
30.6.2.1 Create separate storage directories for each certificate
30.6.2.2 Use a script to create a new root CA certificate
30.6.2.3 Use a script to generate the server certificate
30.6.2.4 Configure the main Nginx configuration file
30.6.2.5 Verify the result
30.6.2.6 Fix for "400 Bad Request" on access: generate the client certificate
30.6.2.7 Verify the result again
30.6.2.8 Notes on doing Nginx-SSL

30.1 Purpose of the document

30.2 Document contents

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Signature ok
subject=/C=cn/ST=bj/L=bj/O=bj/OU=bj/CN=www.etiantian.org/[email protected]
Getting Private key
Using configuration from /application/nginx/ca/conf/openssl.conf

3. Check the generated CA certificate and make sure the file has content

30.6.2.3 Use a script to generate the server certificate

1. View the script contents

[root@LNMP ~]# cd /application/nginx/ca/
[root@LNMP ca]# cat new_server.sh
# Create the server private key
openssl genrsa -out server/server.key
# Use the private key to create a certificate signing request
openssl req -new -key server/server.key -out server/server.csr
# Sign the request with the CA certificate and key from new_ca.sh
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/application/nginx/ca/conf/openssl.conf"

2. Run the script to generate the server certificate

[root@LNMP ca]# sh new_server.sh
Generating RSA private key, 1024 bit long modulus
.....................++++++
...........................................................++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /application/nginx/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'cn'
stateOrProvinceName :ASN.1 12:'bj'
localityName :ASN.1 12:'bj'
organizationName :ASN.1 12:'bj'
organizationalUnitName :ASN.1 12:'bj'
commonName :ASN.1 12:'www.etiantian.org'
emailAddress :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 5 10:14:25 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

3. Check that the generated server certificate has content; otherwise the later steps will fail

30.6.2.4 Configure the main Nginx configuration file

[root@LNMP ~]# cat /application/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
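The notes' nginx.conf is cut off above before its server blocks. As an added example (not the notes' own configuration), the two server blocks below show the one-way setup of section 30.6.1 beside the two-way setup of section 30.6.2; the only difference that matters for security is `ssl_client_certificate` plus `ssl_verify_client on`. The certificate paths follow the notes' layout under /application/nginx/ca/ and are assumptions; the `ssl_protocols` line is also an assumption for a modern nginx build.

```nginx
# One-way authentication (30.6.1): only the server proves its identity.
server {
    listen       443 ssl;
    server_name  www.etiantian.org;

    ssl_certificate      /application/nginx/ca/server/server.crt;
    ssl_certificate_key  /application/nginx/ca/server/server.key;
    ssl_protocols        TLSv1.2 TLSv1.3;

    location / {
        root   html;
        index  index.html;
    }
}

# Two-way authentication (30.6.2): the client must also present a certificate
# signed by private/ca.crt. A browser without one gets "400 Bad Request"
# ("No required SSL certificate was sent"), which is the error that
# section 30.6.2.6 fixes by issuing client.p12.
server {
    listen       443 ssl;
    server_name  www.etiantian.org;

    ssl_certificate         /application/nginx/ca/server/server.crt;
    ssl_certificate_key     /application/nginx/ca/server/server.key;
    ssl_client_certificate  /application/nginx/ca/private/ca.crt;
    ssl_verify_client       on;
    ssl_verify_depth        1;
    ssl_protocols           TLSv1.2 TLSv1.3;

    location / {
        root   html;
        index  index.html;
        # Subject DN of the verified client certificate, useful in access logs.
        add_header X-Client-DN $ssl_client_s_dn;
    }
}
```

Use one of the two blocks, not both: two `server` blocks with the same `listen` and `server_name` would conflict. With `ssl_verify_client on`, nginx rejects the handshake result before any `location` is reached, so the CA file given to `ssl_client_certificate` is the whole access policy; keep it to the one private CA and nothing else.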

Using configuration from /application/nginx/ca/conf/openssl.conf
Certificate is to be certified until Mar 5 10:24:17 2016 GMT (365 days)
Data Base Updated
Enter passphrase for /application//nginx/ca/users/client.key:
Enter Export Password:
Verifying - Enter Export Password:

3. View the generated certificate

Download client.p12 to the local desktop

[root@LNMP ~]# cd /application/nginx-1.6.2/ca/users/
[root@LNMP users]# sz -y client.p12
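The CA, server-certificate and client-certificate steps of 30.6.2.2 through 30.6.2.6 are one procedure: key, CSR, `openssl ca` signature, then "check the file has content". The script below is an added example, not the notes' own new_ca.sh or new_server.sh: it runs the same three openssl steps non-interactively (`-subj`, `-batch`) for a throwaway CA, a server certificate and a client certificate, exports the client.p12 bundle, and turns the step-3 check into `openssl verify`. It also shows why note 2 at the end of the page says the DN fields must stay consistent: the `policy_match` section makes `openssl ca` refuse a CSR whose C/ST/L/O differ from the CA's. `CA_DIR` (a temporary directory), the DN values, the "Example Root CA" name and the minimal openssl.cnf are all constructed stand-ins for the notes' /application/nginx/ca/ layout.

```shell
#!/bin/sh
# Added example (not the notes' scripts): non-interactive CA, server and client
# certificates with "openssl ca", plus the checks from step 3. CA_DIR defaults to
# a temporary directory; every path, DN value and password here is constructed.
set -eu

CA_DIR="${CA_DIR:-$(mktemp -d)}"
# C/ST/L/O must be identical in every CSR: policy_match below rejects anything else.
BASE_SUBJ="/C=cn/ST=bj/L=bj/O=bj"

# Minimal openssl.cnf for "openssl ca" (stand-in for the notes' conf/openssl.conf).
write_ca_config() {
    mkdir -p "$CA_DIR/private" "$CA_DIR/newcerts" "$CA_DIR/server" "$CA_DIR/users"
    : > "$CA_DIR/index.txt"
    echo 01 > "$CA_DIR/serial"
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca      = CA_default
[ CA_default ]
database        = $CA_DIR/index.txt
new_certs_dir   = $CA_DIR/newcerts
serial          = $CA_DIR/serial
certificate     = $CA_DIR/private/ca.crt
private_key     = $CA_DIR/private/ca.key
default_md      = sha256
default_days    = 365
policy          = policy_match
x509_extensions = v3_leaf
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
localityName           = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF
}

# Self-signed root CA (what the notes' new_ca.sh does through interactive prompts).
make_ca() {
    openssl genrsa -out "$CA_DIR/private/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$CA_DIR/private/ca.key" -days 365 \
        -subj "$BASE_SUBJ/CN=Example Root CA" -config "$CA_DIR/openssl.cnf" \
        -extensions v3_ca -out "$CA_DIR/private/ca.crt"
}

# Key + CSR + CA-signed certificate, i.e. new_server.sh with -subj and -batch.
# $1 = subdirectory, $2 = file base name, $3 = CN.
issue_cert() {
    openssl genrsa -out "$CA_DIR/$1/$2.key" 2048 2>/dev/null
    openssl req -new -key "$CA_DIR/$1/$2.key" -subj "$BASE_SUBJ/CN=$3" \
        -config "$CA_DIR/openssl.cnf" -out "$CA_DIR/$1/$2.csr"
    openssl ca -batch -notext -in "$CA_DIR/$1/$2.csr" -cert "$CA_DIR/private/ca.crt" \
        -keyfile "$CA_DIR/private/ca.key" -out "$CA_DIR/$1/$2.crt" \
        -config "$CA_DIR/openssl.cnf" 2>/dev/null
}

# Step 3 of the notes made strict: the file must be non-empty AND chain to the CA.
check_cert() {
    [ -s "$1" ] && openssl verify -CAfile "$CA_DIR/private/ca.crt" "$1" >/dev/null 2>&1
}

# Browser bundle (client.p12 in the notes); $1 = export password.
export_p12() {
    openssl pkcs12 -export -clcerts -in "$CA_DIR/users/client.crt" \
        -inkey "$CA_DIR/users/client.key" -passout "pass:$1" \
        -out "$CA_DIR/users/client.p12"
    [ -s "$CA_DIR/users/client.p12" ]
}

# The failure mode behind note 2 at the end of the page: a CSR whose ST differs
# from the CA's is refused by "openssl ca". Returns 0 only if signing was rejected.
mismatch_is_rejected() {
    openssl genrsa -out "$CA_DIR/users/bad.key" 2048 2>/dev/null
    openssl req -new -key "$CA_DIR/users/bad.key" -subj "/C=cn/ST=sh/L=bj/O=bj/CN=bad" \
        -config "$CA_DIR/openssl.cnf" -out "$CA_DIR/users/bad.csr"
    ! openssl ca -batch -notext -in "$CA_DIR/users/bad.csr" -out "$CA_DIR/users/bad.crt" \
        -config "$CA_DIR/openssl.cnf" >/dev/null 2>&1
}

# Whole procedure; $1 = client.p12 export password (defaults to the notes' 123456).
build_all() {
    write_ca_config
    make_ca
    issue_cert server server www.etiantian.org
    issue_cert users client client
    check_cert "$CA_DIR/server/server.crt"
    check_cert "$CA_DIR/users/client.crt"
    export_p12 "${1:-123456}"
}
```

Run `build_all` and point nginx at `$CA_DIR/server/server.crt`, `server.key` and `private/ca.crt`; import `users/client.p12` into the browser as in 30.6.2.7. Unlike the notes' 1024-bit keys, the example uses 2048-bit RSA and SHA-256, and the leaf certificates carry `extendedKeyUsage` so the server certificate and the client certificate are distinguishable by purpose rather than only by file name.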

30.6.2.7 Verify the result again

Enter https://www.etiantian.org in the browser; once the certificate you just downloaded has been added, the site can be accessed normally!


Here you just import the client.p12 you downloaded from the server and you're done!


30.6.2.8 Notes on doing Nginx-SSL

1. When making certificates you are prompted for a password; the server certificate and client certificate passwords may differ.

2. When making the server and client certificates you are prompted for the province, city, domain and similar information; these must be kept consistent.

3. Nginx does not enable SSI by default; the configuration above has enabled it.

Note: this content comes from the notes of student Wang at OldBoy Education (www.oldboyedu.com)!
