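1. Download the Windows build of nginx from: http://nginx.org/download/nginx-1.16.1.zip
2. After downloading, extract it to the root of C:\, with the directory name nginx-1.16.1
3. Once extracted, double-click nginx.exe to start it. Entering http://localhost/ in a browser now shows the nginx welcome page;
4. Install the Windows build of openssl from: http://slproweb.com/download/Win64OpenSSL_Light-1_1_1g.msi
5. After downloading, it installs automatically into the C:\OpenSSL-Win64 directory;
6. Add C:\OpenSSL-Win64 and C:\nginx-1.16.1 to the PATH environment variable;
7. Create an ssl directory under C:\nginx-1.16.1; the self-signed certificate will be stored in this directory from now on;
8. Start the cmd command-line program, change to the C:\nginx-1.16.1\ssl directory, and begin creating the certificate.
The basic approach is to create the server private key first, then create the CSR file, and finally sign the CSR file with the private key to obtain the server's public-key certificate.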
Create the server private key:
C:\nginx-1.16.1\ssl>openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
...............+++++
.........................................................................+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
Create the CSR (certificate signing request) file:
C:\nginx-1.16.1\ssl>openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:Shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:XXXXX
Organizational Unit Name (eg, section) []:Software
Common Name (e.g. server FQDN or YOUR name) []:YYYY
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Back up the passphrase-protected private key file:
C:\nginx-1.16.1\ssl>copy server.key server.key.orig
已複製 1 個文件。
Remove the passphrase from the private key file:
C:\nginx-1.16.1\ssl>openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
Sign the server's public-key certificate with the server private key:
C:\nginx-1.16.1\ssl>openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=C = CN, ST = Shanghai, L = Shanghai, O = Intel, OU = Software, CN = server1
Getting Private key
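9. Deploy the self-signed certificate to the nginx server
Edit the C:\nginx-1.16.1\conf\nginx.conf file with Notepad and append the https server configuration to the end of the file: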
# HTTPS server
#
server {
    listen 443 ssl;
    server_name localhost;
    ssl_certificate C://nginx-1.16.1//ssl//server.crt;
    ssl_certificate_key C://nginx-1.16.1//ssl//server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
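10. Restart nginx, then enter https://localhost in the browser to check
nginx -s reload
If you see the page below, the self-signed certificate has been configured successfully; because the certificate is self-signed, the browser considers it insecure.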
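
Two consequences of the steps above are worth checking before the setup is reused anywhere: the passphrase was stripped from server.key in step 8, and the server block in step 9 sets no ssl_protocols. The following audit script is an added example, not part of the original tutorial; the function names, finding texts and sample key headers are constructed for illustration, and it inspects only the server block itself (settings inherited from the http level are not considered).

```python
import re

# Constructed inputs: the server block from step 9 and the two states of
# server.key (as written by "genrsa -des3", and after "openssl rsa" rewrites it).
PAGE_BLOCK = """server {
    listen 443 ssl;
    ssl_certificate     C://nginx-1.16.1//ssl//server.crt;
    ssl_certificate_key C://nginx-1.16.1//ssl//server.key;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}"""
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: DES-EDE3-CBC,0000000000000000\n\n(body omitted)\n")
PLAIN_KEY = "-----BEGIN RSA PRIVATE KEY-----\n(body omitted)\n"
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def directives(block):
    """Map name -> arguments for simple 'name args;' directives, comments stripped."""
    text = re.sub(r"#[^\n]*", "", block)
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"^\s*([a-z_]+)\s+([^;{}]+);", text, re.M)}

def key_state(pem):
    """Classify a PEM private key as 'encrypted' or 'plaintext' from its headers."""
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:   # PKCS#8, encrypted
        return "encrypted"
    if re.search(r"-----BEGIN (RSA |EC )?PRIVATE KEY-----", pem):
        # The traditional format flags encryption with a Proc-Type header line.
        return "encrypted" if "Proc-Type: 4,ENCRYPTED" in pem else "plaintext"
    raise ValueError("no PEM private key found")

def audit(block, key_pem):
    """Return a list of findings for one server block and its private key."""
    d, findings = directives(block), []
    if "ssl_protocols" not in d:
        findings.append("ssl_protocols unset: the nginx 1.16.1 default "
                        "still enables TLSv1 and TLSv1.1")
    elif LEGACY & set(d["ssl_protocols"].split()):
        findings.append("ssl_protocols enables a legacy protocol version")
    if key_state(key_pem) == "plaintext":
        findings.append("private key has no passphrase: restrict read access to "
                        + d.get("ssl_certificate_key", "the key file"))
    elif "ssl_password_file" not in d:
        findings.append("key is encrypted but ssl_password_file is unset")
    return findings

if __name__ == "__main__":
    for finding in audit(PAGE_BLOCK, PLAIN_KEY):
        print("-", finding)
```

Run against the page's configuration and the stripped key, it reports both findings; adding `ssl_protocols TLSv1.2 TLSv1.3;` to the server block clears the first one.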