OpenSSL self-signed certificate


1. Self-signed certificate test
Install nginx

yum -y install nginx

Check that nginx was built with the SSL module

[root@ docker ~]# nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-39) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/share/nginx --sbin-path=/usr/sbin/nginx --modules-
--with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-stream_ssl_preread_module 

2. Prepare the private key and certificate
Create the private key

[root@ docker ~]# cd /etc/nginx/
[root@ docker nginx]# mkdir -p ssl
[root@ docker nginx]# cd ssl/
[root@ docker ssl]# openssl genrsa -des3 -out server.key 1024
Enter pass phrase for server.key:123456
Verifying - Enter pass phrase for server.key:123456
[root@ docker ssl]# ll
total 4
-rw-r--r-- 1 root root 963 2020-02-26 02:43 server.key

Create the certificate signing request

[root@ docker ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: 123456

Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:SDU
Organizational Unit Name (eg, section) []:BJ
Common Name (eg, your name or your server's hostname) []:wjj
Email Address []:[email protected]

A challenge password []:(press Enter)
An optional company name []:(press Enter)

Remove the passphrase from the private key

[root@ docker ssl]# cd /etc/nginx/ssl
[root@ docker ssl]# cp server.key server.key.ori
[root@ docker ssl]# openssl rsa -in server.key.ori -out server.key
Enter pass phrase for server.key.ori:123456

Generate the self-signed certificate from the signing request and the private key

[root@ docker ssl]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=SDU/OU=BJ/CN=wjj/emailAddress=[email protected]
Getting Private key
Enter pass phrase for server.key:(password)
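
The four steps above (key, CSR, passphrase removal, self-signing) collapsed into a single openssl call, as an added example that is not from the original post. It also adds a subjectAltName and uses a 2048-bit key, because current browsers match the hostname against the SAN rather than the CN and reject 1024-bit RSA. The hostname www.hack.com is taken from the post's nginx config; the output directory /tmp/nginx-ssl is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: key + self-signed cert in one
# openssl call, with a subjectAltName taken from a small request config
# (works on OpenSSL 1.0.2 as well as 1.1.1+, which is why -addext is not used).
set -e

# make_selfsigned DIR HOSTNAME [DAYS]
# Writes DIR/server.key (2048-bit RSA, no passphrase, mode 0600) and
# DIR/server.crt; returns 0 only if key and cert match and the SAN is present.
make_selfsigned() {
    dir=$1; host=$2; days=${3:-365}
    mkdir -p "$dir"
    umask 077
    # Constructed request config: the subject fields used in the post plus
    # the extensions a browser expects on a server certificate.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_req
prompt = no
[dn]
C = CN
ST = BJ
L = BJ
O = SDU
CN = $host
[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$host
EOF
    # -nodes: unencrypted key, so nginx can read it at startup; this replaces
    # the separate "openssl rsa" passphrase-removal step from the post.
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -config "$dir/san.cnf" >/dev/null 2>&1
    # Check 1: the certificate was made from this key (same RSA modulus).
    [ "$(openssl x509 -noout -modulus -in "$dir/server.crt")" = \
      "$(openssl rsa -noout -modulus -in "$dir/server.key")" ] || return 1
    # Check 2: the SAN is present; browsers match the hostname against it.
    openssl x509 -noout -text -in "$dir/server.crt" | grep -q "DNS:$host"
}

# Output directory /tmp/nginx-ssl is an assumption; the post uses /etc/nginx/ssl.
make_selfsigned /tmp/nginx-ssl www.hack.com 365
```

Point ssl_certificate and ssl_certificate_key in the nginx config at the two files it writes; the modulus check is the same test to run whenever nginx reports a key/cert mismatch at startup.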

3. Enable SSL in nginx

# Create the virtual host
[root@ docker conf.d]# mkdir -p /etc/nginx/html
[root@ docker conf.d]# vim hack.conf
server {
    listen       443 ssl;
    server_name  www.hack.com;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        # Site root directory
        root    /etc/nginx/html;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

[root@ docker conf.d]# nginx -t
[root@ docker conf.d]# nginx -s reload

Add the entry below to the Windows hosts file, then open https://www.hack.com/hack.html in a browser

10.0.0.41 www.hack.com


At this point you will find that http://www.hack.com/hack.html can no longer be opened in the browser (watch out for browser caching), so port 80 needs to be redirected to port 443.

4. Rewrite redirect

The configuration above has a drawback: if a user forgets to use https or port 443, the site is unreachable. So requests to port 80 should be redirected to port 443 and served over SSL. This only takes one more server block that issues a 301 permanent redirect.

[root@ docker conf.d]# vim hack.conf
server {
    listen 80;
    server_name www.hack.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen       443 ssl;
    server_name  www.hack.com;

    ssl_certificate /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        # Site root directory
        root    /etc/nginx/html;
    }

    error_page 404 /404.html;
    location = /404.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}

[root@ docker conf.d]# nginx -t
[root@ docker conf.d]# nginx -s reload

Now when the browser requests http://www.hack.com/hack.html, nginx redirects it to https://www.hack.com/hack.html; the details can be seen in the nginx log.
