1. Download nginx (install the dependencies gcc, openssl, pcre and so on, download the nginx tar package, and unpack it)
2. Install nginx (./configure --prefix=/usr/local/nginx --with-http_ssl_module; make; make install)
3. Create a self-signed CA certificate:
3.1: Create a directory named cert and change into it
3.2: Generate the CA private key (openssl genrsa -out local.key 2048)
3.3: Generate the CA certificate request (openssl req -new -key local.key -out local.csr)
Country Name (2 letter code) [XX]:CN #country
State or Province Name (full name) []:BJ #province
Locality Name (eg, city) [Default City]:BJ #city
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:test #department
Common Name (eg, your name or your server's hostname) []:test #hostname
Email Address []:test@test.com #email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:wuminyan #password
An optional company name []:wuminyan #name
3.4: Generate the CA root certificate (openssl x509 -req -in local.csr -extensions v3_ca -signkey local.key -out local.crt)
4. Create the server certificate from the CA certificate
4.1: Generate the server private key (openssl genrsa -out my_server.key 2048)
4.2: Generate the server certificate request (openssl req -new -key my_server.key -out my_server.csr)
4.3: Generate the server certificate (openssl x509 -days 365 -req -in my_server.csr -extensions v3_req -CAkey local.key -CA local.crt -CAcreateserial -out my_server.crt)
All the required files have now been generated: local.crt local.csr local.key local.srl my_server.crt my_server.csr my_server.key
5. Configure nginx by editing the nginx configuration under conf. With the default nginx.conf you only need to uncomment the following block, then point ssl_certificate and ssl_certificate_key at the server certificate and key files
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate /usr/local/nginx/cert/my_server.crt;
    ssl_certificate_key /usr/local/nginx/cert/my_server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
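6. Start nginx and open the site in Chrome. The certificate is reported as untrusted; to trust it, import the CA's crt file through Settings -> Manage certificates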
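Steps 3 and 4 as a non-interactive script with a verification pass, added here as an example and not part of the original write-up. It goes beyond the page in two ways: the extension sections are passed with -extfile (openssl x509 -req only applies -extensions from a file named that way), and the server certificate gets a subjectAltName, which current Chrome versions match the hostname against instead of the Common Name. The ext.cnf file, the -subj values and the function names are assumptions of this sketch.

```shell
#!/bin/sh
# Added example. File names follow the page; ext.cnf, the subject fields and
# the SAN value are assumptions made for this sketch.

make_chain() (   # usage: make_chain <dir> <hostname>
    dir=$1; host=$2
    mkdir -p "$dir" && cd "$dir" || exit 1
    # Extension sections, handed to "openssl x509 -req" with -extfile.
    cat > ext.cnf <<EOF
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    umask 077   # files created from here on (including keys) are owner-only
    openssl genrsa -out local.key 2048 &&
    openssl req -new -key local.key -subj "/C=CN/ST=BJ/L=BJ/OU=test/CN=test CA" -out local.csr &&
    openssl x509 -req -days 365 -in local.csr -extfile ext.cnf -extensions v3_ca \
        -signkey local.key -out local.crt &&
    openssl genrsa -out my_server.key 2048 &&
    openssl req -new -key my_server.key -subj "/C=CN/ST=BJ/L=BJ/OU=test/CN=$host" -out my_server.csr &&
    openssl x509 -req -days 365 -in my_server.csr -extfile ext.cnf -extensions v3_req \
        -CA local.crt -CAkey local.key -CAcreateserial -out my_server.crt
)

check_chain() (  # usage: check_chain <dir> <hostname>; status 0 only if every check passes
    cd "$1" || exit 1
    # 1. The server certificate verifies against the CA certificate.
    openssl verify -CAfile local.crt my_server.crt >/dev/null 2>&1 || exit 1
    # 2. The CA certificate actually carries basicConstraints CA:TRUE.
    openssl x509 -in local.crt -noout -text | grep -q 'CA:TRUE' || exit 1
    # 3. The server certificate lists the hostname in subjectAltName.
    openssl x509 -in my_server.crt -noout -text | grep -Fq "DNS:$2" || exit 1
    # 4. The key nginx will load belongs to the certificate it will serve.
    [ "$(openssl x509 -in my_server.crt -noout -pubkey)" = \
      "$(openssl pkey -in my_server.key -pubout)" ] || exit 1
)

# Run as: sh make_chain.sh /usr/local/nginx/cert localhost
if [ "$#" -eq 2 ]; then
    make_chain "$1" "$2" && check_chain "$1" "$2" && echo "chain OK"
fi
```

Only local.crt needs to be imported into the browser; local.key stays on the machine that signs certificates.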