1.下載NGINX源碼,下載並編譯
./configure --with-http_ssl_module --prefix=/home/damon/dev/3rd/sdk/x86/local_server/nginx --with-http_ssl_module --with-http_v2_module --with-debug
make install
配置https server
server {
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
server_name localhost;
ssl_certificate /home/damon/dev/tools/openssl/rootCA.pem;
ssl_certificate_key /home/damon/dev/tools/openssl/rootCA.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}
本地證書的生成
生成本地根證書:
# 使用AES256-bit編碼加密生成4096位的根祕鑰
openssl genrsa -aes256 -out rootCA.key 4096
Enter pass phrase for rootCA.key: password
Verifying - Enter pass phrase for rootCA.key: password
# 使用根祕鑰生成根證書
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
Enter pass phrase for rootCA.key: password
You are about to be asked to enter information that will be incorporated
...
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Guangdong
Locality Name (eg, city) []:Shenzhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Dreaming.org
Organizational Unit Name (eg, section) []:Dreaming CA
Common Name (e.g. server FQDN or YOUR name) []:Dreaming ROOT CA
Email Address []:
Generating a RSA private key
#生成自籤祕鑰
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf
#生成自簽證書
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 600 -sha256 -extfile v3.ext
server.csr.cnf生成效果
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
C = CN
ST = Beijing
L = Beijing
O = MyOrganization
OU = MyOrganizationUnit
emailAddress = [email protected]
CN = localhost
v3.ext生成效果
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
DNS.1=localhost
nginx服務器添加效果
server {
listen [::]:443 ssl http2 ipv6only=on;
listen 443 ssl http2;
server_name localhost;
ssl_certificate /home/damon/dev/tools/openssl/rootCA.pem;
ssl_certificate_key /home/damon/dev/tools/openssl/rootCA.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
}