Linux中nginx配置
先生成私钥,再生成证书签署请求(CSR)并由CA签署得到证书,最后在nginx.conf中配置如下内容。这里用openssl实现私有CA;CA的配置文件为:/etc/pki/tls/openssl.cnf
①CA生成一对密钥
# cd /etc/pki/CA/
# (umask 077;openssl genrsa -out private/cakey.pem 2048) #生成CA私钥(umask 077使私钥文件仅属主可读写)
# openssl rsa -in private/cakey.pem -pubout #提取公钥
②CA生成自签署证书
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365 #生成自签署证书
# openssl x509 -text -in cacert.pem #读出cacert.pem证书的内容
# mkdir certs newcerts crl
# touch index.txt && echo 01 > serial
③客户端(例如httpd服务器)生成私钥
# mkdir ssl
# cd ssl/
# (umask 077;openssl genrsa -out nginx.key 2048)
# ls
nginx.key
④客户端生成证书签署请求
# openssl req -new -key nginx.key -days 365 -out nginx.csr
# ls
nginx.csr nginx.key #证书签署请求(内含公钥)和私钥
⑤客户端把证书签署请求文件发送给CA(只需发送.csr文件,私钥nginx.key应始终留在客户端本机;下面命令中的httpd.csr对应上一步生成的nginx.csr)
scp httpd.csr root@CA端IP:/root
⑥CA签署客户端提交上来的证书(签署前可先用 openssl req -in nginx.csr -noout -text -verify 核对请求中的主体信息和签名)
# openssl ca -in ./nginx.csr -out nginx.crt -days 365
# ls
nginx.crt nginx.csr nginx.key
⑦CA把签署好的证书httpd.crt发给客户端(即上一步签出的nginx.crt;存放路径应与nginx.conf中ssl_certificate指向的位置一致)
scp httpd.crt root@客户端IP:/etc/httpd/ssl/
//证书和私钥准备好后,修改nginx.conf配置文件
# vim /usr/local/nginx/conf/nginx.conf
#添加的server模块
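# HTTPS virtual host: serves static files over TLS on port 443 using the
# certificate signed by the private CA and the key generated on this host.
server {
    listen 443 ssl;
    server_name www.lanzhiyong.com;

    # Certificate returned by the CA and its matching private key.
    # The key was created under umask 077; keep it unreadable to other users.
    ssl_certificate /usr/local/nginx/ssl/nginx.crt;
    ssl_certificate_key /usr/local/nginx/ssl/nginx.key;

    # Session cache named "SSL", 1 MB, shared by all worker processes;
    # cached sessions expire after 5 minutes.
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    # NOTE(review): ssl_protocols is not set, so the default of the installed
    # nginx build applies; on older builds that default still offers TLSv1 and
    # TLSv1.1. Consider pinning it explicitly, e.g. "ssl_protocols TLSv1.2 TLSv1.3;"
    # where the nginx/OpenSSL build supports both.

    # High-strength suites only, excluding anonymous (aNULL) and MD5-based
    # ones; the server's cipher order takes precedence over the client's.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        # Relative path: resolved against the nginx prefix directory.
        root html;
        index index.html index.htm;
    }
}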
//用https通过IP访问(证书由私有CA签发,客户端需先把cacert.pem导入受信任的根证书才会信任该站点;若证书中的名称与访问用的地址不一致,仍会出现名称不匹配的警告)