nginx +location + https
客户端 # openssl genrsa 2048 > siyao.keys (创建私钥)Generating RSA private key, 2048 bit long modulus
...............................................................................+++
.+++
e is 65537 (0x10001)
# chmod 400 siyao.keys (给予最小权限)
# openssl req -new -key siyao.keys -out siyao.csr(创建证书办法请求)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN (国家)
State or Province Name (full name) []:shanghai(省份)
Locality Name (eg, city) :shanghai (市区)
Organization Name (eg, company) :boke(公司名)
Organizational Unit Name (eg, section) []:boke - cainiao(部门)
Common Name (eg, your name or your server's hostname) []:www.abc.com(要加密的RUL)
Email Address []:boke@boke.com(邮箱)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: (这里不要写密码,CA哪里一会解不开密码,自签名。。)
An optional company name []:(这里也跳过)
# ls
siyao.csrsiyao.keys (生成一份.csr的文件)
# scp siyao.csr 192.168.1.115:/root (在我使用scp传输文件时,碰到了问题,因为之前做过NAT。网关上
把icmp阻塞了,并且用的策略是block return,所以返回一个目标不可到达的包给你。)
ssh: connect to host 192.168.1.115 port 22: No route to host
# scp siyao.csr 192.168.1.115:/root (传过去了)
The authenticity of host '192.168.1.115 (192.168.1.115)' can't be established.
RSA key fingerprint is ce:73:07:c4:4c:f3:2b:1b:21:c7:92:31:27:53:be:cf.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.115' (RSA) to the list of known hosts.
root@192.168.1.115's password:
siyao.csr
# CA端
# openssl genrsa -des3 -out ca.key 4096(生成公私钥,做自签名)
Generating RSA private key, 4096 bit long modulus
............................++
.......................++
e is 65537 (0x10001)
Enter pass phrase for ca.key: (自签名密码要记住,一会自签名过程要用到)
Verifying - Enter pass phrase for ca.key:
# ls
anaconda-ks.cfgca.keysiyao.csr
# openssl req -new -x509 -days 365 -key ca.key -out ca.crt(自签名)
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) :CN
State or Province Name (full name) []:shanghai
Locality Name (eg, city) :shanghai
Organization Name (eg, company) :NSA
Organizational Unit Name (eg, section) []:FBI
Common Name (eg, your name or your server's hostname) []:www.boke.com
Email Address []:
# ls
anaconda-ks.cfgca.crtca.keysiyao.csr
# openssl x509 -req -days 365 -in siyao.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out siyao.crt(
给客户端颁发证书)
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=boke/OU=boke - cainiao/CN=www.abc.com/emailAddress=boke@boke.com
Getting CA Private Key
Enter pass phrase for ca.key:
# ls
anaconda-ks.cfgca.crtca.keysiyao.crtsiyao.csr
# scp siyao.crt 192.168.1.3:/etc/pki/CA/keyes (回传给客户端)
The authenticity of host '192.168.1.3 (192.168.1.3)' can't be established.
RSA key fingerprint is bd:4d:15:99:19:a7:d7:fb:6e:0a:91:b0:b7:62:04:73.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.3' (RSA) to the list of known hosts.
root@192.168.1.3's password:
siyao.crt 100% 1590 1.6KB/s
00:00
# ls
anaconda-ks.cfgca.crtca.keysiyao.crtsiyao.csr
客户端keyes目下要有私钥,公钥,证书
# ls
siyao.crtsiyao.csrsiyao.keys
# pwd
/etc/pki/CA/keyes
页:
[1]