
Nginx HTTPS Configuration

30.1 Purpose of this document
30.2 Contents of this document
30.3 One-way vs. two-way authentication
30.3.1 What one-way authentication is
30.3.2 What two-way authentication is
30.4 Introduction to openssl
30.5 Prerequisites for Nginx one-way/two-way SSL configuration
30.6 Creating certificates with openssl
30.6.1 Server one-way authentication
30.6.1.1 Create and enter the sslkey directory
30.6.1.2 Generate an RSA key
30.6.1.3 Generate a certificate request
30.6.1.4 Edit the main nginx configuration file
30.6.1.5 Verify the result
30.6.2 Server/client two-way authentication
30.6.2.1 Create a separate directory for each kind of certificate
30.6.2.2 Create a new root CA certificate with a script
30.6.2.3 Generate the server certificate with a script
30.6.2.4 Configure the main Nginx configuration file
30.6.2.5 Verify the result
30.6.2.6 Fixing "400 Bad Request" on access: generate a client certificate
30.6.2.7 Verify the result again
30.6.2.8 Notes on Nginx SSL

30.1 Purpose of this document

30.2 Contents of this document

Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Signature ok
subject=/C=cn/ST=bj/L=bj/O=bj/OU=bj/CN=www.etiantian.org/[email protected]
Getting Private key
Using configuration from /application/nginx/ca/conf/openssl.conf

3. Check the generated CA certificate and make sure it actually has content.

30.6.2.3 Generate the server certificate with a script

1. View the script contents

[root@LNMP ~]# cd /application/nginx/ca/
[root@LNMP ca]# cat new_server.sh
# create the server private key (no key size given, so this openssl falls back
# to its 1024-bit default, as the output below shows; pass 2048 or more today)
openssl genrsa -out server/server.key
# create a certificate signing request with that key
openssl req -new -key server/server.key -out server/server.csr
# have the CA (private/ca.crt + private/ca.key) sign the request into server/server.crt
openssl ca -in server/server.csr -cert private/ca.crt -keyfile private/ca.key -out server/server.crt -config "/application/nginx/ca/conf/openssl.conf"

2. Run the script to generate the server certificate

[root@LNMP ca]# sh new_server.sh
Generating RSA private key, 1024 bit long modulus
.....................++++++
...........................................................++++++
e is 65537 (0x10001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:bj
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:bj
Organizational Unit Name (eg, section) []:bj
Common Name (eg, your name or your server's hostname) []:www.etiantian.org
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:123456
Using configuration from /application/nginx/ca/conf/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'cn'
stateOrProvinceName   :ASN.1 12:'bj'
localityName          :ASN.1 12:'bj'
organizationName      :ASN.1 12:'bj'
organizationalUnitName:ASN.1 12:'bj'
commonName            :ASN.1 12:'www.etiantian.org'
emailAddress          :IA5STRING:'[email protected]'
Certificate is to be certified until Mar 5 10:14:25 2016 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries

3. Check that the generated server certificate has content; an empty server.crt makes the later steps fail.

30.6.2.4 Configure the main Nginx configuration file

[root@LNMP ~]# cat /application/nginx/conf/nginx.conf
worker_processes 1;
events {
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    sendfile on;
    keepalive_timeout 65;
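The nginx.conf listing above breaks off before the server block that actually enables SSL and client verification. The script below is an added example, not the page's configuration: it prints that server block for the certificate layout used on this page, and first runs the check that catches the most common reason nginx then refuses to start, a certificate and a key that do not belong together. Assumptions: the paths /application/nginx/ca/server/server.crt, server.key and /application/nginx/ca/private/ca.crt (the layout used above), and the ssl_protocols line, which needs nginx 1.13 or newer for the TLSv1.3 token (drop it on older builds such as the 1.6.2 that appears later on this page). The demo function works on a throwaway self-signed certificate, not the real server.crt.

```shell
#!/bin/sh
# Added example, not the page's nginx.conf. Renders the mutual-TLS server
# block for the page's cert layout and checks cert/key consistency first.
set -e

# $1 server cert, $2 server key, $3 the CA cert that issued the client certs.
nginx_mtls_server_block() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name www.etiantian.org;

    ssl_certificate        $1;
    ssl_certificate_key    $2;

    # Two-way auth: the browser must present a certificate issued by our CA.
    # With "on" (rather than "optional") a client that sends no certificate
    # still completes the handshake and then receives the 400 "No required
    # SSL certificate was sent" response that 30.6.2.6 fixes.
    ssl_client_certificate $3;
    ssl_verify_client      on;
    ssl_verify_depth       1;

    ssl_protocols             TLSv1.2 TLSv1.3;   # TLSv1.3 needs nginx >= 1.13
    ssl_prefer_server_ciphers on;

    location / {
        root  html;
        index index.html index.htm;
    }
}
EOF
}

# nginx refuses to start ("SSL_CTX_use_PrivateKey_file() failed ... key values
# mismatch") when ssl_certificate_key is not the key behind ssl_certificate.
# Comparing the SubjectPublicKeyInfo of both catches that before a reload.
cert_matches_key() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Exercise the check on throwaway material (assumption: a self-signed cert
# stands in for /application/nginx/ca/server/server.crt here).
demo() {
  d=$(mktemp -d)
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" -days 1 \
    -subj "/C=cn/ST=bj/O=bj/CN=www.etiantian.org" \
    -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null
  openssl genrsa -out "$d/wrong.key" 2048 2>/dev/null
  cert_matches_key "$d/server.crt" "$d/server.key" || return 1        # matching pair passes
  if cert_matches_key "$d/server.crt" "$d/wrong.key"; then return 1; fi  # mix-up is detected
  nginx_mtls_server_block "$d/server.crt" "$d/server.key" "$d/ca.crt"
}

demo
```

Run `cert_matches_key` against the real server.crt/server.key before `nginx -s reload`; a mismatch here is exactly what nginx would otherwise report at startup.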

Using configuration from /application/nginx/ca/conf/openssl.conf
Certificate is to be certified until Mar 5 10:24:17 2016 GMT (365 days)
Data Base Updated
Enter passphrase for /application//nginx/ca/users/client.key:
Enter Export Password:
Verifying - Enter Export Password:

3. View the generated certificate

Download client.p12 to the local desktop:

[root@LNMP ~]# cd /application/nginx-1.6.2/ca/users/
[root@LNMP users]# sz -y client.p12
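The CA, server and client steps (30.6.2.2, 30.6.2.3 and 30.6.2.6) depend on an openssl.conf the page does not show and on interactive prompts. The script below is an added example, not the page's new_ca.sh/new_server.sh or the oldboyedu material: it performs the same three steps non-interactively under a temporary directory (standing in for /application/nginx/ca), writes the minimal openssl.conf it needs, uses 2048-bit keys instead of the 1024-bit default the page's output shows, gives the server certificate a subjectAltName (browsers no longer match on the CN alone) and sets the serverAuth/clientAuth extended key usages. The passphrases clientpass and exportpass, the client CN client1 and the CA CN "etiantian root ca" are placeholders. It also shows why the DN fields have to stay consistent: under the stock policy_match, a request whose O differs from the CA's is refused.

```shell
#!/bin/sh
# Added example, not the page's new_ca.sh/new_server.sh: the same CA, server
# and client steps run non-interactively under a scratch directory, with the
# CA policy and the certificate extensions written out explicitly.
set -e
WORK="${WORK:-$(mktemp -d)}"   # stands in for /application/nginx/ca
CA="$WORK/ca"; CNF="$CA/conf/openssl.conf"
DN="/C=cn/ST=bj/O=bj"          # these three must equal the CA's (policy_match)

write_config() {
  cat > "$CNF" <<EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
dir           = $CA
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
certificate   = \$dir/private/ca.crt
private_key   = \$dir/private/ca.key
default_md    = sha256
default_days  = 365
policy        = policy_match
[ policy_match ]
countryName            = match
stateOrProvinceName    = match
organizationName       = match
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.etiantian.org
[ client_cert ]
basicConstraints = CA:FALSE
keyUsage         = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_pki() {
  rm -rf "$CA"
  mkdir -p "$CA/conf" "$CA/private" "$CA/newcerts" "$CA/server" "$CA/users"
  touch "$CA/index.txt"; echo 01 > "$CA/serial"
  write_config
  # 1. root CA (30.6.2.2); 2048-bit keys instead of this openssl's 1024 default
  openssl genrsa -out "$CA/private/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -config "$CNF" -extensions v3_ca -days 3650 \
    -key "$CA/private/ca.key" -subj "$DN/CN=etiantian root ca" -out "$CA/private/ca.crt"
  # 2. server key, CSR and CA-signed certificate (30.6.2.3)
  openssl genrsa -out "$CA/server/server.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$CA/server/server.key" \
    -subj "$DN/CN=www.etiantian.org" -out "$CA/server/server.csr"
  openssl ca -batch -notext -config "$CNF" -extensions server_cert \
    -in "$CA/server/server.csr" -out "$CA/server/server.crt"
  # 3. passphrase-protected client key, CSR, certificate and client.p12 (30.6.2.6)
  openssl genrsa -aes256 -passout pass:clientpass -out "$CA/users/client.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$CA/users/client.key" -passin pass:clientpass \
    -subj "$DN/CN=client1" -out "$CA/users/client.csr"
  openssl ca -batch -notext -config "$CNF" -extensions client_cert \
    -in "$CA/users/client.csr" -out "$CA/users/client.crt"
  openssl pkcs12 -export -clcerts -in "$CA/users/client.crt" -inkey "$CA/users/client.key" \
    -passin pass:clientpass -out "$CA/users/client.p12" -passout pass:exportpass
}

# Both leaf certs chain to ca.crt with the right EKU for their role, and the
# server cert names the host in a SAN.
verify_chain() {
  openssl verify -CAfile "$CA/private/ca.crt" -purpose sslserver "$CA/server/server.crt" >/dev/null 2>&1 &&
  openssl verify -CAfile "$CA/private/ca.crt" -purpose sslclient "$CA/users/client.crt" >/dev/null 2>&1 &&
  openssl x509 -in "$CA/server/server.crt" -noout -text | grep -q 'DNS:www.etiantian.org'
}

# A CSR whose O differs from the CA's is refused by policy_match; this, not a
# general "every field identical" rule, is why the DN has to stay consistent.
policy_rejects_mismatch() {
  openssl genrsa -out "$CA/server/other.key" 2048 2>/dev/null
  openssl req -new -config "$CNF" -key "$CA/server/other.key" \
    -subj "/C=cn/ST=bj/O=other/CN=www.etiantian.org" -out "$CA/server/other.csr"
  if openssl ca -batch -notext -config "$CNF" -extensions server_cert \
       -in "$CA/server/other.csr" -out "$CA/server/other.crt" >/dev/null 2>&1
  then return 1; fi
  return 0
}

make_pki
verify_chain
policy_rejects_mismatch
echo "PKI ready under $CA"
```

Point ssl_certificate/ssl_certificate_key at server.crt/server.key and ssl_client_certificate at ca.crt; client.p12 (export password exportpass here) is the file that gets imported into the browser in 30.6.2.7.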

30.6.2.7 Verify the result again

Enter https://www.etiantian.org in the browser; once the certificate just downloaded has been added, the site loads normally.


Here, import the client.p12 you just downloaded from the server and that is all it takes.


30.6.2.8 Notes on Nginx SSL

1. You are prompted for a password while creating the certificates; the password for the server certificate and the one for the client certificate need not be the same. Note that new_server.sh generates the server private key without a passphrase, which is what nginx needs in order to load it unattended at startup.

2. When creating the server and client certificates you are prompted for province, city, domain name and so on; keep these consistent. The reason is the signing policy: with the default openssl ca policy (policy_match), countryName, stateOrProvinceName and organizationName must be identical to the CA certificate's, or openssl ca refuses to sign. The Common Name may differ, and for the client certificate it should, because openssl ca by default (unique_subject) also refuses to issue a second certificate with exactly the same subject as one already in its database.

3. Nginx does not enable SSL by default; the configuration above enables it.

Note: this content comes from the notes of student Wang at 老男孩教育 (www.oldboyedu.com)!
