SSL证书是数字证书的一种,因为配置在服务器上,也称为SSL服务器证书。它遵守SSL协议,由受信任的数字证书颁发机构CA,在验证服务器身份后颁发,具有服务器身份验证和数据传输加密功能。
SSL证书通过在客户端浏览器和Web服务器之间建立一条SSL安全通道,通过它可以激活SSL协议,实现数据信息在客户端和服务器之间的加密传输,可以防止数据信息的泄露。保证了双方传递信息的安全性,而且用户可以通过服务器证书验证他所访问的网站是否是真实可靠。
下面将演示在nginx环境下ssl的配置方式。
一、产生SSL密钥对
1、安装openssl
1
2
3
4
|
[root@plinuxos ~] # cd /usr/local/nginx/conf/
[root@plinuxos conf] # rpm -qf `which openssl`
openssl-1.0.1e-60.el7_3.1.x86_64 [root@plinuxos conf] # yum install -y openssl
|
2、设置私钥
1
2
3
4
5
6
7
8
9
10
11
|
[root@plinuxos conf] # openssl genrsa -des3 -out tmp.key 2048
Generating RSA private key, 2048 bit long modulus ..........................+++ ...........................................................................................................................................................+++ e is 65537 (0x10001) Enter pass phrase for tmp.key:
Verifying - Enter pass phrase for tmp.key:
[root@plinuxos conf] # openssl rsa -in tmp.key -out sykey.key ##取消密码,生成新的私钥文件
Enter pass phrase for tmp.key:
writing RSA key [root@plinuxos conf] # rm -rf tmp.key
|
3、生成证书请求文件
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
|
[root@plinuxos conf] # openssl req -new -key sykey.key -out key.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.' , the field will be left blank.
----- Country Name (2 letter code) [XX]:cn State or Province Name (full name) []:shanghai Locality Name (eg, city) [Default City]:shanghai Organization Name (eg, company) [Default Company Ltd]:51cto Organizational Unit Name (eg, section) []:it Common Name (eg, your name or your server's hostname ) []:grodd
Email Address []:51cto.51cto.com Please enter the following 'extra' attributes
to be sent with your certificate request A challenge password []: pwd
An optional company name []:51cto |
4、生成公钥
1
2
3
4
|
[root@plinuxos conf] # openssl x509 -req -days 365 -in key.csr -signkey sykey.key -out gykey.crt
Signature ok subject= /C =cn /ST =shanghai /L =shanghai /O =51cto /OU =it /CN =grodd /emailAddress =51cto.51cto.com
Getting Private key |
二、Nginx配置SSL
1、编辑配置文件
1
2
3
4
5
6
7
8
9
10
11
12
13
|
[root@plinuxos conf] # mkdir /data/wwwroot/test.com
[root@plinuxos conf] # vi /usr/local/nginx/conf/vhost/ssl.conf
server { listen 443;
server_name test .com;
index index.html index.php;
root /data/wwwroot/test .com;
ssl on;
ssl_certificate gykey.crt;
ssl_certificate_key sykey.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
} |
2、重新编译安装
1
2
3
4
5
6
7
|
[root@plinuxos conf] # cd /usr/local/src/nginx-1.12.1
[root@plinuxos nginx-1.12.1] # ./configure --prefix=/usr/local/nginx --with-http_ssl_module
[root@plinuxos nginx-1.12.1] # echo $?
0 [root@plinuxos nginx-1.12.1] # make && make install
[root@plinuxos nginx-1.12.1] # echo $?
0 |
3、检查与重载
1
2
3
4
5
6
7
8
9
10
11
12
13
14
|
[root@plinuxos nginx-1.12.1] # /usr/local/nginx/sbin/nginx -V
nginx version: nginx /1 .12.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-11) (GCC) built with OpenSSL 1.0.1e-fips 11 Feb 2013 TLS SNI support enabled configure arguments: --prefix= /usr/local/nginx --with-http_ssl_module
[root@plinuxos nginx-1.12.1] # /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx .conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx .conf test is successful
[root@plinuxos nginx-1.12.1] # /etc/init.d/nginx restart
Restarting nginx (via systemctl): [ OK ] [root@plinuxos nginx-1.12.1] # netstat -lntp |grep -i nginx
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2233 /nginx : master
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 2233 /nginx : master
|
4、测试效果
1
2
|
[root@plinuxos nginx-1.12.1] # cd /data/wwwroot/test.com/
[root@plinuxos test .com] # echo "ssl test" > index.html
|
本地测试
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
|
[root@plinuxos test .com] # vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 test .com
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 [root@plinuxos test .com] # curl https://test.com
curl: (60) Peer's certificate issuer has been marked as not trusted by the user. More details here: http: //curl .haxx.se /docs/sslcerts .html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you 'd like to turn off curl' s verification of the certificate, use
the -k (or --insecure) option.
|
远端测试
注意:由于模拟使用的是云主机,要确保安全组策略放过443端口。此外,系统的防火墙没有做任何限制。
本文转自Grodd51CTO博客,原文链接:http://blog.51cto.com/juispan/1956587,如需转载请自行联系原作者