Nginx Https配置


默认情况下ssl模块并未被安装,如果要使用该模块则需要在编译时指定 --with-http_ssl_module 参数。安装该模块依赖于OpenSSL库和相应的头文件,通常这些文件并不在同一个软件包中,包名通常类似 libssl-dev。


1、创建私钥
openssl genrsa -des3 -out niubiyuming.key 1024
(注:1024 位 RSA 密钥已被现代浏览器和 CA 视为不安全,实际部署请使用 2048 位或更长。)
2、创建签名请求的证书(CSR):
openssl req -new -key niubiyuming.key -out niubiyuming.csr
3、创建Nginx证书key(去掉私钥口令,这样nginx启动时无需交互输入;去掉口令后的 .key 文件务必限制文件权限)
cp niubiyuming.key niubiyuming.key.org
openssl rsa -in niubiyuming.key.org -out niubiyuming.key
4、配置nginx(下面用到的 niubiyuming.crt 是用第2步的 CSR 签发得到的证书文件,步骤1~3本身并不生成它)


server {
    listen 80;
    server_name _;

    access_log /data/wwwlogs/access_nginx.log combined;
    root /data/wwwroot/default;
    index index.html index.htm index.jsp;

    # NOTE(review): "location ~" with no regex after the modifier is parsed by nginx as a
    # prefix location for URIs starting with the literal "~", so "/" is NOT proxied here.
    # The pattern was most likely lost when this page was extracted -- confirm against the
    # original config before copying this block.
    location ~ {
        proxy_pass http://127.0.0.1:8080;
        include proxy.conf;
    }
}

    server {
listen 443;
server_name www.xxxx.com;
ssl on;
ssl_certificate /data/zs/nginx/niubiyuming.crt;
ssl_certificate_key /data/zs/nginx/niubiyuming.key;

access_log /data/wwwlogs/access_nginx.log combined;
root /data/wwwroot/default;
index index.html index.htm index.jsp;
#location ~ {}

location ~ {
proxy_pass http://127.0.0.1:8080;
include proxy.conf;
}
    }

5、访问测试:
https://www.xxxx.com
http://www.xxxx.com


6、证书相关信息
Country Name (2 letter code) [XX]:CN  #国家地区
State or Province Name (full name) []:zhejiang  #省份
Locality Name (eg, city) [Default City]:hangzhou  #当地名称
Organization Name (eg, company) [Default Company Ltd]: niubiyuming #组织名称
Organizational Unit Name (eg, section) []:IT  #组织部门名称
Common Name (eg, your name or your server's hostname) []:www.xxxx.com #通用名称:必须填写服务器的域名(与浏览器访问时使用的主机名一致),否则客户端证书校验会失败
Email Address []:[email protected]  #邮箱
Please enter the following 'extra' attributes 
to be sent with your certificate request #添加一个“额外”的属性:客户端向 CA 提交证书请求文件时要输入的密码
A challenge password []: #直接回车
An optional company name []: #直接回车
Using configuration from /etc/pki/tls/openssl.cnf #CA服务器的配置文件。上面修改的内容会添加到这个配置文件中

Enter pass phrase for /etc/pki/CA/private/./cakey.pem: 123456 #输入刚才保护CA密钥的密码


7、第三方证书处理:

工具: https://csr.chinassl.net/keytool-commands.html

https://www.startssl.com/
###### openssl req -newkey rsa:2048 -keyout yourname.key -out yourname.csr
###### openssl req -new -key yourname.key -out 第三方证书名称.csr
###### cp yourname.key yourname.key.org
###### openssl rsa -in yourname.key.org -out yourname.key

8、第三方证书处理2:

1)生成keystore文件 : keytool -genkey -alias www.XXX.com -keyalg RSA -keystore XXX.keystore -keysize 2048
2) 生成CSR文件 : keytool -certreq -keyalg RSA -alias www.XXX.com -file XXXcertreq.csr -keystore XXX.keystore

CSR文件提交给发证机构,最后得到一个证书。
3) 生成key文件 : java ExportPriv XXX.keystore www.XXX.com 密码
这样可以得到 key ,把key保存为 XXX.key文件即可。


9、JAVA-exportpriv


Base64Coder  class 

// Copyright 2003-2010 Christian d'Heureuse, Inventec Informatik AG, Zurich, Switzerland
// www.source-code.biz, www.inventec.ch/chdh
//
// This module is multi-licensed and may be used under the terms
// of any of the following licenses:
//
//  EPL, Eclipse Public License, V1.0 or later, http://www.eclipse.org/legal
//  LGPL, GNU Lesser General Public License, V2.1 or later, http://www.gnu.org/licenses/lgpl.html
//  GPL, GNU General Public License, V2 or later, http://www.gnu.org/licenses/gpl.html
//  AL, Apache License, V2.0 or later, http://www.apache.org/licenses
//  BSD, BSD License, http://www.opensource.org/licenses/bsd-license.php
//  MIT, MIT License, http://www.opensource.org/licenses/MIT
//
// Please contact the author if you need another license.
// This module is provided "as is", without warranties of any kind.

//package base64Coder;

/**
 * A Base64 encoder/decoder.
 *
 * <p>This class is used to encode and decode data in Base64 format as described in RFC 1521.
 *
 * Project home page: www.source-code.biz/base64coder/java
 * Author: Christian d'Heureuse, Inventec Informatik AG, Zurich, Switzerland
* Multi-licensed: EPL / LGPL / GPL / AL / BSD / MIT. */ public class Base64Coder { // The line separator string of the operating system. private static final String systemLineSeparator = System.getProperty("line.separator"); // Mapping table from 6-bit nibbles to Base64 characters. private static final char[] map1 = new char[64]; static { int i=0; for (char c='A'; c<='Z'; c++) map1[i++] = c; for (char c='a'; c<='z'; c++) map1[i++] = c; for (char c='0'; c<='9'; c++) map1[i++] = c; map1[i++] = '+'; map1[i++] = '/'; } // Mapping table from Base64 characters to 6-bit nibbles. private static final byte[] map2 = new byte[128]; static { for (int i=0; isun.misc.BASE64Encoder.encodeBuffer(byte[])
.
 * @param in An array containing the data bytes to be encoded.
 * @return A String containing the Base64 encoded data, broken into lines.
 */
public static String encodeLines(byte[] in) {
    // 76 characters per line, separated by the platform line separator.
    return encodeLines(in, 0, in.length, 76, systemLineSeparator);
}

/**
 * Encodes a byte array into Base 64 format and breaks the output into lines.
 * Every output line, including the last one, is followed by {@code lineSeparator}.
 * @param in            An array containing the data bytes to be encoded.
 * @param iOff          Offset of the first byte in {@code in} to be processed.
 * @param iLen          Number of bytes to be processed in {@code in}, starting at {@code iOff}.
 * @param lineLen       Line length for the output data. Should be a multiple of 4.
 * @param lineSeparator The line separator to be used to separate the output lines.
 * @return A String containing the Base64 encoded data, broken into lines.
 * @throws IllegalArgumentException If {@code lineLen} is too small to hold one encoded byte.
 */
public static String encodeLines(byte[] in, int iOff, int iLen, int lineLen, String lineSeparator) {
    // Input bytes that fit on one output line (4 output chars per 3 input bytes).
    int bytesPerLine = (lineLen * 3) / 4;
    if (bytesPerLine <= 0) {
        throw new IllegalArgumentException();
    }
    int lineCount = (iLen + bytesPerLine - 1) / bytesPerLine;
    int capacity = ((iLen + 2) / 3) * 4 + lineCount * lineSeparator.length();
    StringBuilder sb = new StringBuilder(capacity);
    for (int pos = 0; pos < iLen; ) {
        int chunk = Math.min(iLen - pos, bytesPerLine);
        sb.append(encode(in, iOff + pos, chunk)).append(lineSeparator);
        pos += chunk;
    }
    return sb.toString();
}

/**
 * Encodes a byte array into Base64 format.
 * No blanks or line breaks are inserted in the output.
 * @param in An array containing the data bytes to be encoded.
 * @return A character array containing the Base64 encoded data.
 */
public static char[] encode(byte[] in) {
    return encode(in, 0, in.length);
}

/**
 * Encodes a byte array into Base64 format.
 * No blanks or line breaks are inserted in the output.
 * @param in   An array containing the data bytes to be encoded.
 * @param iLen Number of bytes to process in {@code in}.
 * @return A character array containing the Base64 encoded data.
 */
public static char[] encode(byte[] in, int iLen) {
    return encode(in, 0, iLen);
}

/**
 * Encodes a byte array into Base64 format.
 * No blanks or line breaks are inserted in the output.
 * @param in   An array containing the data bytes to be encoded.
 * @param iOff Offset of the first byte in {@code in} to be processed.
 * @param iLen Number of bytes to process in {@code in}, starting at {@code iOff}.
 * @return A character array containing the Base64 encoded data; the length is always a multiple of 4,
 *         with {@code '='} padding where the input length is not a multiple of 3.
 */
public static char[] encode(byte[] in, int iOff, int iLen) {
    int dataChars = (iLen * 4 + 2) / 3;     // output characters that carry data (no padding)
    int totalChars = ((iLen + 2) / 3) * 4;  // output length including '=' padding
    char[] out = new char[totalChars];
    int src = iOff;
    int end = iOff + iLen;
    int dst = 0;
    while (src < end) {
        // Take up to three input bytes; missing bytes of the last group are treated as zero
        // and their output positions become padding below.
        int b0 = in[src++] & 0xff;
        int b1 = src < end ? in[src++] & 0xff : 0;
        int b2 = src < end ? in[src++] & 0xff : 0;
        out[dst++] = map1[b0 >>> 2];
        out[dst++] = map1[((b0 & 3) << 4) | (b1 >>> 4)];
        out[dst] = dst < dataChars ? map1[((b1 & 0xf) << 2) | (b2 >>> 6)] : '=';
        dst++;
        out[dst] = dst < dataChars ? map1[b2 & 0x3F] : '=';
        dst++;
    }
    return out;
}

/**
 * Decodes a string from Base64 format.
 * No blanks or line breaks are allowed within the Base64 encoded input data.
 * The decoded bytes are turned into a String with the platform default charset, so the
 * result is platform dependent for non-ASCII data.
 * @param s A Base64 String to be decoded.
 * @return A String containing the decoded data.
 * @throws IllegalArgumentException If the input is not valid Base64 encoded data.
 */
public static String decodeString(String s) {
    byte[] decoded = decode(s);
    return new String(decoded);
}

/**
 * Decodes a byte array from Base64 format and ignores line separators, tabs and blanks.
 * CR, LF, Tab and Space characters are ignored in the input data.
 * This method is compatible with sun.misc.BASE64Decoder.decodeBuffer(String).
 * @param s A Base64 String to be decoded.
 * @return An array containing the decoded data bytes.
 * @throws IllegalArgumentException If the input is not valid Base64 encoded data.
*/ public static byte[] decodeLines (String s) { char[] buf = new char[s.length()]; int p = 0; for (int ip = 0; ip < s.length(); ip++) { char c = s.charAt(ip); if (c != ' ' && c != '\r' && c != '\n' && c != '\t') buf[p++] = c; } return decode(buf, 0, p); } /** * Decodes a byte array from Base64 format. * No blanks or line breaks are allowed within the Base64 encoded input data. * @param s A Base64 String to be decoded. * @return An array containing the decoded data bytes. * @throws IllegalArgumentException If the input is not valid Base64 encoded data. */ public static byte[] decode (String s) { return decode(s.toCharArray()); } /** * Decodes a byte array from Base64 format. * No blanks or line breaks are allowed within the Base64 encoded input data. * @param in A character array containing the Base64 encoded data. * @return An array containing the decoded data bytes. * @throws IllegalArgumentException If the input is not valid Base64 encoded data. */ public static byte[] decode (char[] in) { return decode(in, 0, in.length); } /** * Decodes a byte array from Base64 format. * No blanks or line breaks are allowed within the Base64 encoded input data. * @param in A character array containing the Base64 encoded data. * @param iOff Offset of the first character in in to be processed. * @param iLen Number of characters to process in in, starting at iOff. * @return An array containing the decoded data bytes. * @throws IllegalArgumentException If the input is not valid Base64 encoded data. */ public static byte[] decode (char[] in, int iOff, int iLen) { if (iLen%4 != 0) throw new IllegalArgumentException ("Length of Base64 encoded input string is not a multiple of 4."); while (iLen > 0 && in[iOff+iLen-1] == '=') iLen--; int oLen = (iLen*3) / 4; byte[] out = new byte[oLen]; int ip = iOff; int iEnd = iOff + iLen; int op = 0; while (ip < iEnd) { int i0 = in[ip++]; int i1 = in[ip++]; int i2 = ip < iEnd ? in[ip++] : 'A'; int i3 = ip < iEnd ? 
in[ip++] : 'A'; if (i0 > 127 || i1 > 127 || i2 > 127 || i3 > 127) throw new IllegalArgumentException ("Illegal character in Base64 encoded data."); int b0 = map2[i0]; int b1 = map2[i1]; int b2 = map2[i2]; int b3 = map2[i3]; if (b0 < 0 || b1 < 0 || b2 < 0 || b3 < 0) throw new IllegalArgumentException ("Illegal character in Base64 encoded data."); int o0 = ( b0 <<2) | (b1>>>4); int o1 = ((b1 & 0xf)<<4) | (b2>>>2); int o2 = ((b2 & 3)<<6) | b3; out[op++] = (byte)o0; if (op



ExportPriv Class:

// How to export the private key from keystore?
// Does keytool not have an option to do so?
// This example use the "testkeys" file that comes with JSSE 1.0.3
// Alexey Zilber: Ported to work with Base64Coder: http://www.source-code.biz/snippets/java/2.htm
// $Id: ExportPriv.java 10 2011-09-30 17:28:32Z [email protected] $
// $URL: https://java-exportpriv.googlecode.com/svn/trunk/ExportPriv.java $

import java.io.Console;
import java.io.File;
import java.io.FileInputStream;
import java.security.*;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.Vector;

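class ExportPriv {

  /** Base64 characters per line in the PEM output. */
  private static final int PEM_LINE_LENGTH = 64;

  private static final String USAGE = "Usage: java ExportPriv <keystore> <alias> [password]";

  /**
   * Entry point.
   *
   * <p>The password may be given as the third argument (as the original tool required) or, when it
   * is omitted, typed at the terminal. The prompt avoids the original's acknowledged weakness of
   * exposing the password to other users through the process list and the shell history.
   *
   * @param args keystore path, key alias and optionally the keystore/key password
   * @throws Exception if the keystore cannot be read or the alias holds no private key
   */
  public static void main(String[] args) throws Exception {
    // The original checked for 2 arguments but then read args[2], so a two-argument call
    // failed with an ArrayIndexOutOfBoundsException instead of a usage message.
    if (args.length < 2) {
      System.err.println(USAGE);
      System.exit(1);
      return;
    }
    String pass;
    if (args.length >= 3) {
      pass = args[2];
    } else {
      Console console = System.console();
      char[] typed = console == null ? null : console.readPassword("Keystore password: ");
      if (typed == null) {
        // No interactive terminal (or EOF at the prompt): nothing we can do but explain.
        System.err.println("No terminal available to read the password from.");
        System.err.println(USAGE);
        System.exit(1);
        return;
      }
      pass = new String(typed);
      Arrays.fill(typed, '\0');
    }
    new ExportPriv().doit(args[0], args[1], pass);
  }

  /**
   * Loads the keystore, fetches the private key stored under {@code aliasName} and prints it to
   * stdout as a PEM block.
   *
   * <p>The key is written in the clear: redirect stdout to a file with restrictive permissions
   * rather than leaving it in a terminal scrollback.
   *
   * @param fileName  path to the JKS keystore
   * @param aliasName alias of the key entry to export
   * @param pass      password protecting the keystore; the same value is used for the key entry,
   *                  as in the original tool
   * @throws Exception if the keystore cannot be read, the alias holds no private key, or the key
   *                   does not support encoding
   */
  public void doit(String fileName, String aliasName, String pass) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS");
    char[] passPhrase = pass.toCharArray();
    try {
      // The original never closed this stream.
      FileInputStream in = new FileInputStream(new File(fileName));
      try {
        ks.load(in, passPhrase);
      } finally {
        in.close();
      }

      KeyPair kp = getPrivateKey(ks, aliasName, passPhrase);
      if (kp == null) {
        throw new KeyStoreException(
            "No private key entry found for alias '" + aliasName + "' in " + fileName);
      }
      PrivateKey privKey = kp.getPrivate();

      // Key.getEncoded() returns null for keys that do not support encoding (e.g. hardware-backed
      // ones); the original would have failed with a NullPointerException inside the encoder.
      byte[] encoded = privKey.getEncoded();
      if (encoded == null) {
        throw new KeyStoreException("Private key for alias '" + aliasName + "' is not extractable");
      }

      // For the JDK's own key implementations getEncoded() yields PKCS#8 DER, which is what the
      // "PRIVATE KEY" PEM label denotes.
      char[] b64 = Base64Coder.encode(encoded);

      System.out.println("-----BEGIN PRIVATE KEY-----");
      for (String line : splitArray(b64, PEM_LINE_LENGTH)) {
        System.out.println(line);
      }
      System.out.println("-----END PRIVATE KEY-----");
    } finally {
      // Best effort: do not keep the password in the heap longer than needed.
      Arrays.fill(passPhrase, '\0');
    }
  }

  /**
   * Returns the key pair stored under {@code alias}, or {@code null} if the alias does not hold a
   * private-key entry or has no certificate to take the public key from.
   *
   * <p>Adapted from http://javaalmanac.com/egs/java.security/GetKeyFromKs.html. Unlike the original,
   * keystore errors are not swallowed: a wrong password or an unsupported algorithm surfaces as an
   * {@link IllegalStateException} carrying the cause instead of a later NullPointerException.
   *
   * @param keystore loaded keystore
   * @param alias    entry alias
   * @param password password protecting the key entry
   * @return the key pair, or {@code null} if there is no private key under the alias
   * @throws IllegalStateException if the key cannot be recovered (e.g. wrong password)
   */
  public KeyPair getPrivateKey(KeyStore keystore, String alias, char[] password) {
    try {
      Key key = keystore.getKey(alias, password);
      if (!(key instanceof PrivateKey)) {
        return null;
      }
      Certificate cert = keystore.getCertificate(alias);
      if (cert == null) {
        return null;
      }
      return new KeyPair(cert.getPublicKey(), (PrivateKey) key);
    } catch (GeneralSecurityException e) {
      // Covers UnrecoverableKeyException, NoSuchAlgorithmException and KeyStoreException.
      throw new IllegalStateException("Cannot read key '" + alias + "' from keystore", e);
    }
  }

  /**
   * Splits {@code chry} into consecutive chunks of at most {@code subarrLen} characters.
   *
   * @param chry      characters to split
   * @param subarrLen maximum chunk length; must be positive
   * @return the chunks in order; empty for empty input
   * @throws IllegalArgumentException if {@code subarrLen} is not positive (the original looped
   *                                  forever for 0)
   */
  private List<String> splitArray(char[] chry, int subarrLen) {
    if (subarrLen <= 0) {
      throw new IllegalArgumentException("subarrLen must be positive: " + subarrLen);
    }
    List<String> result = new ArrayList<String>();
    String input = new String(chry);
    for (int i = 0; i < input.length(); i += subarrLen) {
      result.add(input.substring(i, Math.min(input.length(), i + subarrLen)));
    }
    return result;
  }

}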








