Building an HTTPS server on Linux with a self-made one-way certificate

Preface

There are two ways to set up HTTPS: one-way authentication and two-way (mutual) authentication. With one-way authentication the transmitted data is encrypted, but the origin of the client is not verified; only the client verifies the server's certificate.

Generating the one-way certificate

Create the server private key by generating an RSA key. You will be asked for a passphrase during the process; remember what you enter.

ubuntu@ip-172-31-23-98:~$ openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...................................................................................................................................................................+++
..+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
140204033578648:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:823:You must type in 4 to 1023 characters
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
ubuntu@ip-172-31-23-98:~$ ls
cointown  lian12.sql  redis-4.0.11  redis-4.0.11.tar.gz  server.key  sms-service-0.0.1-SNAPSHOT.jar  white.test.conf  x.sql

Generate a certificate signing request. Whenever a password is asked for, enter the passphrase you typed earlier.

ubuntu@ip-172-31-23-98:~$ sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn
State or Province Name (full name) [Some-State]:cn
Locality Name (eg, city) []:beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:cn
Organizational Unit Name (eg, section) []:g
Common Name (e.g. server FQDN or YOUR name) []:yang
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:abcd
An optional company name []:cn
ubuntu@ip-172-31-23-98:~$ ls
cointown  lian12.sql  redis-4.0.11  redis-4.0.11.tar.gz  server.csr  server.key  sms-service-0.0.1-SNAPSHOT.jar  white.test.conf  x.sql

After entering these fields a server.csr file is produced; next, apply SSL encryption to the key (the copy server.key.org keeps the original).

ubuntu@ip-172-31-23-98:~$ cp server.key server.key.org
ubuntu@ip-172-31-23-98:~$ ls
cointown    redis-4.0.11         server.csr  server.key.org                  white.test.conf
lian12.sql  redis-4.0.11.tar.gz  server.key  sms-service-0.0.1-SNAPSHOT.jar  x.sql

ubuntu@ip-172-31-23-98:~$ openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org:
writing RSA key
ubuntu@ip-172-31-23-98:~$ ls
cointown    redis-4.0.11         server.csr  server.key.org                  white.test.conf
lian12.sql  redis-4.0.11.tar.gz  server.key  sms-service-0.0.1-SNAPSHOT.jar  x.sql

Sign the certificate with the key and the CSR from above.

ubuntu@ip-172-31-23-98:~$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=cn/L=beijing/O=cn/OU=g/CN=yang/[email protected]
Getting Private key
ubuntu@ip-172-31-23-98:~$ ls
cointown    redis-4.0.11         server.crt  server.key      sms-service-0.0.1-SNAPSHOT.jar  x.sql
lian12.sql  redis-4.0.11.tar.gz  server.csr  server.key.org  white.test.conf

The certificate is now created. One more thing: the key and certificate still need to be merged into a single file.

ubuntu@ip-172-31-23-98:~$ cat server.key server.crt > server.pem
ubuntu@ip-172-31-23-98:~$ ls
cointown    redis-4.0.11         server.crt  server.key      server.pem                      white.test.conf
lian12.sql  redis-4.0.11.tar.gz  server.csr  server.key.org  sms-service-0.0.1-SNAPSHOT.jar  x.sql

Then it can be used in nginx:

 ssl_certificate   cert/server.pem;
 ssl_certificate_key  cert/server.key;
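The same sequence as an unattended script, with the checks worth running before handing the files to nginx (key and certificate actually belong together, the CN is what you intended, the certificate is self-signed and therefore untrusted by browsers until imported). This is an added example, not the post's own commands; it assumes openssl is in PATH, and the passphrase "changeit" and the DN values are constructed samples.

```shell
#!/bin/sh
# Non-interactive version of the steps in this post, plus the checks worth
# running before pointing nginx at the files. Added example, not the post's
# own commands. Assumptions: openssl is in PATH, the passphrase "changeit"
# and the DN values are constructed samples, file names follow the post.
set -eu

# make_self_signed DIR DAYS CN: key -> CSR -> passphrase-free key ->
# self-signed cert -> server.pem bundle, exactly the post's sequence.
make_self_signed() {
    dir=$1; days=$2; cn=$3
    mkdir -p "$dir"
    # genrsa -des3 as in the post, but the passphrase comes from -passout.
    openssl genrsa -des3 -passout pass:changeit -out "$dir/server.key.org" 2048 2>/dev/null
    # -subj replaces the interactive Distinguished Name prompts.
    openssl req -new -key "$dir/server.key.org" -passin pass:changeit \
        -subj "/C=cn/ST=cn/L=beijing/O=cn/OU=g/CN=$cn" -out "$dir/server.csr"
    # openssl rsa writes the key without its passphrase so nginx can start unattended.
    openssl rsa -in "$dir/server.key.org" -passin pass:changeit -out "$dir/server.key" 2>/dev/null
    # Self-sign the CSR with the same private key.
    openssl x509 -req -days "$days" -in "$dir/server.csr" -signkey "$dir/server.key" \
        -out "$dir/server.crt" 2>/dev/null
    cat "$dir/server.key" "$dir/server.crt" > "$dir/server.pem"
    # All three files contain the private key, so keep them owner-readable only.
    chmod 600 "$dir/server.key" "$dir/server.key.org" "$dir/server.pem"
}

# key_matches_cert DIR: prints "match" when the public key inside server.crt is
# the one derived from server.key (nginx refuses to start if they differ).
key_matches_cert() {
    k=$(openssl pkey -in "$1/server.key" -pubout 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$1/server.crt" -noout -pubkey | openssl dgst -sha256)
    [ "$k" = "$c" ] && echo match || echo MISMATCH
}

# cert_cn DIR: prints the CN of the certificate subject.
cert_cn() {
    openssl x509 -in "$1/server.crt" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# is_self_signed DIR: true when issuer and subject hash to the same value,
# i.e. no CA vouches for this cert and browsers reject it until it is imported.
is_self_signed() {
    [ "$(openssl x509 -in "$1/server.crt" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1/server.crt" -noout -issuer_hash)" ]
}
```

Source the file and run `make_self_signed /path/to/cert 365 yang` followed by `key_matches_cert /path/to/cert`; the directory should then be referenced by the two nginx directives above.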

Note: a certificate produced this way still has to be imported into the browser (the csr) before it can be used; how to import the certificate into the browser is omitted here. If you need me to write up the steps, leave a comment and I will add them.
