OpenSSL生成證書
- 創建Key
- 創建簽名請求(CSR)
- 移除口令
- 簽署證書(或發給CA機構認證)
# Generate an RSA key
openssl genrsa -des3 -out Server.key 1024
# Creating Certificate Signing Requests
# 需要輸入組織信息,留空輸入點(.),而非直接回車(用缺省值)
openssl req -new -key Server.key -out Cert.csr
# 移除口令
cp Server.key Server.key.org
openssl rsa -in Server.key.org -out Server.key
# Signing Your Own Certificates
openssl x509 -req -days 365 -in Cert.csr -signkey Server.key -out Cert.crt
Nginx SSL配置
確保http_ssl_module已安裝。
否則會報錯:nginx: [emerg] the “ssl” parameter requires ngx_http_ssl_module
$ sudo nginx -V
nginx version: nginx/1.16.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-36) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --with-http_stub_status_module --with-http_ssl_module
加ssl配置。
sudo vi /usr/local/nginx/conf/nginx.conf
listen 443 ssl;
server_name 192.168.1.88;
ssl_certificate /usr/local/nginx/conf/Cert.crt;
ssl_certificate_key /usr/local/nginx/conf/Server.key;
開443端口
sudo firewall-cmd --list-all
sudo firewall-cmd --zone=public --add-port=443/tcp --permanent
sudo firewall-cmd --zone=public --remove-port=443/tcp --permanent
sudo firewall-cmd --reload
測試
提示是一個有問題的證書(因爲是自己簽名的)。
https://192.168.1.88
參考
https://www.feistyduck.com/library/openssl-cookbook/online/ch-openssl.html
https://nginx.org/en/docs/http/ngx_http_ssl_module.html