生成服務器祕鑰server_nopass.key,並獲取證書server.crt
- 生成服務器祕鑰:
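# Server private key: 2048-bit RSA, encrypted at rest with AES-256 (passphrase
# is prompted for). -des3 (3DES) is the legacy PEM cipher; AES-256 is the
# current recommendation and is accepted by every OpenSSL 1.0+ build.
openssl genrsa -aes256 -out server.key 2048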
- 去除祕鑰中密碼:
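# Passphrase-free copy for nginx (it cannot prompt at startup). This file is the
# long-lived secret: owner-read-only, never in backups or version control.
# Recent OpenSSL already creates it 0600; the chmod makes that explicit on
# older builds or permissive umasks.
openssl rsa -in server.key -out server_nopass.key
chmod 600 -- server_nopass.key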
- 生成CA根證書:
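# Private CA: AES-256 encrypted key and a self-signed root valid for one year.
# The CA subject is kept distinct from the server subject (the server request
# also uses CN=XXX.COM): a leaf whose subject equals its issuer can confuse
# chain building in some verifiers. "XXX.COM CA" is a placeholder CN.
openssl genrsa -aes256 -out ca.key 2048
openssl req -sha256 -new -x509 -days 365 -key ca.key -out ca.crt \
  -subj "/C=CN/ST=HZ/L=SZ/O=lee/OU=study/CN=XXX.COM CA"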
- 生成服務器證書請求文件:
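# Certificate request signed with the (encrypted) server key; the passphrase is
# prompted for. The SAN list has to name every host clients connect to: the
# *.xxx.com wildcard does not match the bare xxx.com that nginx serves
# (server_name xxx.com), and browsers ignore CN once a SAN is present.
# <( ... ) is bash process substitution: run this under bash, not /bin/sh.
# "openssl ca" takes extensions from its own -extensions section and drops the
# CSR's unless copy_extensions is set in openssl.cnf, so the same SAN list is
# repeated at signing time.
openssl req -new \
  -sha256 \
  -key server.key \
  -subj "/C=CN/ST=HZ/L=SZ/O=lee/OU=study/CN=XXX.COM" \
  -reqexts SAN \
  -config <(cat /etc/pki/tls/openssl.cnf \
    <(printf "[SAN]\nsubjectAltName=DNS:xxx.com,DNS:*.xxx.com,DNS:*.yyy.com")) \
  -out server.csr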
- CA簽署服務器證書:
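# Sign the request with the private CA. "openssl ca" needs the CA database from
# [ CA_default ] in openssl.cnf (dir, index.txt, serial, new_certs_dir) to exist
# already; nothing here creates it. No -days is given, so validity comes from
# the config's default_days. Because "openssl ca" ignores CSR extensions unless
# copy_extensions is set, the [SAN] section passed here is what ends up in
# server.crt: it must cover the bare xxx.com (the nginx server_name), which the
# *.xxx.com wildcard alone does not match. Only subjectAltName is added; any
# keyUsage/extendedKeyUsage the deployment needs belongs in the same section.
openssl ca -in server.csr \
  -md sha256 \
  -keyfile ca.key \
  -cert ca.crt \
  -extensions SAN \
  -config <(cat /etc/pki/tls/openssl.cnf \
    <(printf "[SAN]\nsubjectAltName=DNS:xxx.com,DNS:*.xxx.com,DNS:*.yyy.com")) \
  -out server.crt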
Nginx Server中配置服務器祕鑰及證書
# Backend pool that the HTTPS server below proxies to.
upstream xxx.com {
  # Single local backend; taken out of rotation for 30s after 2 failed attempts.
  server 127.0.0.1:8001 weight=10 max_fails=2 fail_timeout=30s;
}
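server {
  # TLS is enabled on the listen socket. The standalone "ssl on;" directive is
  # deprecated since nginx 1.15.0 and removed in 1.25.1.
  listen 443 ssl;
  server_name xxx.com;

  # server.crt must cover the name clients use (xxx.com); a SAN holding only
  # *.xxx.com does not match the bare apex name. When clients do not already
  # trust the private CA, a chain file (server cert followed by ca.crt) is the
  # usual value here.
  ssl_certificate /xxx/server.crt;
  ssl_certificate_key /xxx/server_nopass.key;
  #ssl_client_certificate /root/ssl2/ca.crt;
  #ssl_verify_client off;

  # A shared cache is what lets ssl_session_timeout resume sessions across
  # worker processes.
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 5m;

  # SSLv2/SSLv3 are broken (DROWN, POODLE) and TLSv1 is deprecated, so only
  # TLS 1.2+ is offered. The TLSv1.3 token needs nginx 1.13.0+ built against
  # OpenSSL 1.1.1+; drop it on older builds.
  ssl_protocols TLSv1.2 TLSv1.3;
  # The previous list re-enabled LOW, EXP (export), RC4 and SSLv2 suites.
  # HIGH excludes those; anonymous DH, MD5, RC4 and 3DES are excluded explicitly.
  ssl_ciphers HIGH:!aNULL:!MD5:!RC4:!3DES;
  ssl_prefer_server_ciphers on;

  # Removed: "rewrite ^(.*) http://$server_name$1 permanent;". A server-level
  # permanent rewrite runs before location matching, so every HTTPS request was
  # answered with a 301 to plaintext HTTP and the proxy below was never reached.
  # The HTTP-to-HTTPS redirect belongs in a separate plain-HTTP server block.

  # "main" must be defined by a log_format in the http context.
  access_log /xxx/xxx_access.log main;
  error_log /xxx/xxx_error.log warn;

  # 411 (Length Required) is re-dispatched to an empty named location; with no
  # directives there, the request presumably falls back to a static lookup under
  # root. Kept as in the original.
  error_page 411 = @my_error;
  location @my_error {
  }

  root /xxx/xxx.com/;

  location / {
    proxy_next_upstream http_500 http_502 http_503 http_504 error timeout invalid_header;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # TLS terminates here; pass the original scheme so the upstream can build
    # https:// links and mark its cookies Secure.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://xxx.com;
    expires 0;
  }

  # The log directory is never served.
  location /logs/ {
    autoindex off;
    deny all;
  }
}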