An SSL certificate is a digital certificate that uses the Secure Socket Layer protocol to establish a secure channel between the browser and the web server, which provides:
1. Encrypted transmission of data between client and server, so that the information exchanged cannot be eavesdropped on by a third party;
2. A way for users to verify, through the server certificate, that the website they are visiting is genuine.
1. Environment
Operating system: CentOS 7
IP: 192.168.10.21
2. Deployment steps
Check whether openssl is installed:
rpm -qa | grep openssl
openssl-libs-1.0.1e-51.el7_2.7.x86_64
openssl-1.0.1e-51.el7_2.7.x86_64
Create the private key (2048-bit RSA):
openssl genrsa -out 192.168.10.21.key 2048
Create the certificate signing request (CSR); openssl req prompts interactively for the subject fields:
openssl req -new -key 192.168.10.21.key -out 192.168.10.21.csr
View the CSR:
[root@localhost ~]# ll 192.168.10.21.csr
-rw-r--r-- 1 root root 952 Apr 21 10:48 192.168.10.21.csr
Remove the passphrase from the private key so that Nginx with SSL support can load it without prompting (the key generated above with genrsa and no -des3 option already has no passphrase, so these two commands change nothing here; they matter only when the key was created encrypted):
cp 192.168.10.21.key 192.168.10.21.key.org
openssl rsa -in 192.168.10.21.key.org -out 192.168.10.21.key
Sign the certificate with the private key and CSR above (self-signed, valid for 365 days):
openssl x509 -req -days 365 -in 192.168.10.21.csr -signkey 192.168.10.21.key -out 192.168.10.21.crt
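The three openssl steps above, collected into a non-interactive script with the checks an operator runs before handing the files to nginx. This is an added example, not part of the original post: directory and file names are assumptions, the IP is the one the post uses, and it adds a subjectAltName extension (browsers require the address in SAN, not only in CN) and a key/certificate match check (a mismatch is the usual cause of nginx failing to start with a private-key error).

```shell
#!/bin/sh
# Added example (not from the original post): key, CSR and self-signed
# certificate generated non-interactively, plus verification helpers.
# Directory and file names are assumptions; the IP is the one the post uses.
set -eu

# gen_selfsigned IP DIR [DAYS]
# Writes DIR/IP.key, DIR/IP.csr and DIR/IP.crt. -subj replaces the interactive
# prompts of "openssl req"; -extfile adds a subjectAltName, which browsers
# require (an address that appears only in CN is no longer accepted).
gen_selfsigned() {
  ip="$1"; dir="$2"; days="${3:-365}"
  mkdir -p "$dir"
  openssl genrsa -out "$dir/$ip.key" 2048 2>/dev/null
  chmod 600 "$dir/$ip.key"                      # private key: owner-readable only
  openssl req -new -key "$dir/$ip.key" -out "$dir/$ip.csr" -subj "/CN=$ip" 2>/dev/null
  printf 'subjectAltName=IP:%s\n' "$ip" > "$dir/san.ext"
  openssl x509 -req -sha256 -days "$days" -in "$dir/$ip.csr" -signkey "$dir/$ip.key" \
    -extfile "$dir/san.ext" -out "$dir/$ip.crt" 2>/dev/null
}

# key_matches_cert KEY CRT
# Succeeds only if the public key inside the certificate is derived from KEY.
# Compares SHA-256 digests of both public keys in DER form, so it works for
# RSA and EC keys alike.
key_matches_cert() {
  key_fp=$(openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256)
  crt_fp=$(openssl x509 -in "$2" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$key_fp" = "$crt_fp" ]
}

# cert_valid_for CRT SECONDS
# Succeeds if the certificate does not expire within SECONDS (useful as a
# monitoring check for the 365-day certificate created above).
cert_valid_for() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# cert_has_san_ip CRT IP
# Succeeds if the certificate carries IP in its subjectAltName extension.
cert_has_san_ip() {
  openssl x509 -in "$1" -noout -text | grep -q "IP Address:$2"
}

# cert_summary CRT
# Prints subject, issuer and validity window, the fields to eyeball before
# copying the files to /etc/nginx/ssl.
cert_summary() {
  openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Usage: "sh thisfile.sh demo" writes into a throw-away directory so the
# example runs anywhere; point DIR at /etc/nginx/ssl for the real deployment.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d)
  gen_selfsigned 192.168.10.21 "$d"
  key_matches_cert "$d/192.168.10.21.key" "$d/192.168.10.21.crt" && echo "key and cert match"
  cert_has_san_ip "$d/192.168.10.21.crt" 192.168.10.21 && echo "SAN present"
  cert_summary "$d/192.168.10.21.crt"
fi
```

The key/certificate comparison is worth keeping as a standalone check: when a key is regenerated or a certificate is renewed and one of the two files is copied but not the other, nginx -t reports a private-key error, and this function pinpoints which pair is inconsistent before the reload.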
Create the ssl directory:
mkdir -pv /etc/nginx/ssl
Copy the certificate and key files into it:
cp 192.168.10.21.crt 192.168.10.21.key /etc/nginx/ssl
Edit the nginx configuration file (the TLS server block is commented out in the default /etc/nginx/nginx.conf that the CentOS package installs):
vim /etc/nginx/nginx.conf
Change this:
# Settings for a TLS enabled server.
#
#    server {
#        listen       443 ssl http2 default_server;
#        listen       [::]:443 ssl http2 default_server;
#        server_name  _;
#        root         /usr/share/nginx/html;
#
#        ssl_certificate "/etc/pki/nginx/server.crt";
#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
#        ssl_session_cache shared:SSL:1m;
#        ssl_session_timeout  10m;
#        ssl_ciphers HIGH:!aNULL:!MD5;
#        ssl_prefer_server_ciphers on;
#
#        # Load configuration files for the default server block.
#        include /etc/nginx/default.d/*.conf;
#
#        location / {
#        }
#
#        error_page 404 /404.html;
#            location = /40x.html {
#        }
#
#        error_page 500 502 503 504 /50x.html;
#            location = /50x.html {
#        }
#    }
to:
    server {
        listen       443 ssl http2 default_server;
        listen       [::]:443 ssl http2 default_server;
        server_name  _;
        root         /usr/share/nginx/html;

        ssl_certificate "ssl/192.168.10.21.crt";
        ssl_certificate_key "ssl/192.168.10.21.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;

        location / {
        }

        error_page 404 /404.html;
            location = /40x.html {
        }

        error_page 500 502 503 504 /50x.html;
            location = /50x.html {
        }
    }
The relative paths in ssl_certificate and ssl_certificate_key are resolved against the directory of the configuration file, so "ssl/192.168.10.21.crt" refers to /etc/nginx/ssl/192.168.10.21.crt, where the files were copied above.
Check the configuration file syntax, then reload:
nginx -t -c /etc/nginx/nginx.conf
nginx -s reload
Test by opening https://192.168.10.21/ in a browser (because the certificate is self-signed and not issued by a trusted CA, the browser will show a certificate warning).
This article was reproduced from 水滴石川1's blog on 51CTO; original link: http://blog.51cto.com/sdsca/1918216. For reprints, please contact the original author.