Overview
Traditionally, every SSL certificate issued needed its own dedicated IP address. If you enable TLS SNI (Server Name Indication) support when compiling OpenSSL and nginx, you can install multiple SSL certificates bound to different domain names that all share one IP. nginx supports the SNI extension of the TLS protocol (Server Name Indication; in short, this extension lets the same IP serve different domain names with different certificates).
Earlier, the only option was to sign a wildcard certificate, i.e. one whose Common Name is *.delphij.net, so that the binding covers every name under the domain.
But a certificate that is not a wildcard certificate could not be bound to one IP alongside other certificates. The TLS SNI technique described below makes it possible to bind multiple certificates to a single IP.
Goal
Serve https://ssl.15099.net and https://selfssl.15099.net over HTTPS from the same IP. Test environment: a US VPS running CentOS.
Compile OpenSSL with TLS SNI support
cd /usr/src/
wget http://www.openssl.org/source/openssl-0.9.8l.tar.gz
tar zxvf ./openssl-0.9.8l.tar.gz
cd ./openssl-0.9.8l
./config enable-tlsext
make
make install
cd ..
Compile nginx with TLS SNI support
cd /usr/src/
wget http://nginx.org/download/nginx-0.7.67.tar.gz
tar zxvf nginx-0.7.67.tar.gz
cd nginx-0.7.67
./configure \
--prefix=/usr \
--sbin-path=/usr/sbin/nginx \
--conf-path=/etc/nginx/nginx.conf \
--error-log-path=/var/log/nginx/error.log \
--http-log-path=/var/log/nginx/access.log \
--pid-path=/var/run/nginx.pid \
--lock-path=/var/lock/nginx.lock \
--user=nobody \
--group=nobody \
--with-http_stub_status_module \
--with-http_ssl_module \
--with-http_flv_module \
--with-http_gzip_static_module \
--http-client-body-temp-path=/var/tmp/nginx/client_temp/ \
--http-proxy-temp-path=/var/tmp/nginx/proxy_temp/ \
--http-fastcgi-temp-path=/var/tmp/nginx/fcgi_temp/ \
--with-openssl=../openssl-0.9.8l/
make
make install
Check whether nginx now supports TLS SNI
[root@www ~]# nginx -V
nginx version: nginx/0.7.67
built by gcc 4.1.2 20080704 (Red Hat 4.1.2-48)
TLS SNI support enabled
configure arguments: --prefix=/usr --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/lock/nginx.lock --user=nobody --group=nobody --with-http_stub_status_module --with-http_ssl_module --with-http_flv_module --with-http_gzip_static_module --http-client-body-temp-path=/var/tmp/nginx/client_temp/ --http-proxy-temp-path=/var/tmp/nginx/proxy_temp/ --http-fastcgi-temp-path=/var/tmp/nginx/fcgi_temp/ --with-openssl=../openssl-0.9.8l/
[root@www ~]#
Generate self-signed certificates
Issuing the ssl.15099.net certificate
Generating the certificate takes four steps and produces the following files:
ssl.15099.net.crt         the self-signed certificate
ssl.15099.net.csr         the certificate signing request
ssl.15099.net.key         the private key file
ssl.15099.net_nopass.key  the private key file without a passphrase
cd /etc/nginx/
1. openssl genrsa -des3 -out ssl.15099.net.key 1024
2. openssl req -new -key ssl.15099.net.key -out ssl.15099.net.csr
3. openssl rsa -in ssl.15099.net.key -out ssl.15099.net_nopass.key
4. openssl x509 -req -days 365 -in ssl.15099.net.csr -signkey ssl.15099.net.key -out ssl.15099.net.crt
Create the web root and a test page
mkdir -p /usr/share/nginx/15099.net/ssl.15099.net
echo "selfssl test 1" > /usr/share/nginx/15099.net/ssl.15099.net/index.html
The full output of the commands above:
[root@www nginx]# cd /etc/nginx/
[root@www nginx]# openssl genrsa -des3 -out ssl.15099.net.key 1024 # create the private key file
Generating RSA private key, 1024 bit long modulus
.......................................++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for ssl.15099.net.key: # enter a passphrase
Verifying - Enter pass phrase for ssl.15099.net.key: # enter the passphrase again
[root@www nginx]# openssl req -new -key ssl.15099.net.key -out ssl.15099.net.csr # create the certificate signing request
Enter pass phrase for ssl.15099.net.key: # enter the passphrase set above
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [GB]:CN # country
State or Province Name (full name) [Berkshire]:Guangdong # province
Locality Name (eg, city) [Newbury]:Guangzhou # city
Organization Name (eg, company) [My Company Ltd]:15099.NAT # organization or unit name
Organizational Unit Name (eg, section) []:15099.NET # department
Common Name (eg, your name or your server's hostname) []:ssl.15099.net # the domain name you are binding the SSL certificate to
Email Address []:[email protected] # e-mail address; if you later apply for a CA-issued certificate this address matters. I entered a wrong one on purpose to avoid spam
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: # just press Enter
An optional company name []: # just press Enter
[root@www nginx]# openssl rsa -in ssl.15099.net.key -out ssl.15099.net_nopass.key # write a copy of the private key without a passphrase
Enter pass phrase for ssl.15099.net.key: # enter the passphrase set above
writing RSA key
[root@www nginx]# openssl x509 -req -days 365 -in ssl.15099.net.csr -signkey ssl.15099.net.key -out ssl.15099.net.crt # self-sign the certificate
Signature ok
subject=/C=CN/ST=Guangdong/L=Guangzhou/O=15099.NAT/OU=15099.NET/CN=ssl.15099.net/[email protected]
Getting Private key
Enter pass phrase for ssl.15099.net.key:
[root@www nginx]#
Note:
When you generate the CSR, the Common Name field is mandatory. The Common Name is your hostname plus domain, e.g. ssl.15099.net. A server certificate is issued to one specific host, not to a whole domain, so the Common Name must match exactly the full name of the host that will use the certificate: www.domain.com and domain.com are different names.
Issuing the selfssl.15099.net certificate
cd /etc/nginx/
openssl genrsa -des3 -out selfssl.15099.net.key 1024
openssl req -new -key selfssl.15099.net.key -out selfssl.15099.net.csr
openssl rsa -in selfssl.15099.net.key -out selfssl.15099.net_nopass.key
openssl x509 -req -days 365 -in selfssl.15099.net.csr -signkey selfssl.15099.net.key -out selfssl.15099.net.crt
mkdir -p /usr/share/nginx/15099.net/selfssl.15099.net
echo "selfssl test 2" > /usr/share/nginx/15099.net/selfssl.15099.net/index.html
Add the nginx virtual host configuration file
vi /etc/nginx/conf.d/15099.net.conf with the following contents:
server {
    server_name ssl.15099.net;
    listen 443;
    index index.html index.htm index.php;
    root /usr/share/nginx/15099.net/ssl.15099.net;
    ssl on;
    ssl_certificate ssl.15099.net.crt;
    ssl_certificate_key ssl.15099.net_nopass.key;
}
server {
    server_name selfssl.15099.net;
    listen 443;
    index index.html index.htm index.php;
    root /usr/share/nginx/15099.net/selfssl.15099.net;
    ssl on;
    ssl_certificate selfssl.15099.net.crt;
    ssl_certificate_key selfssl.15099.net_nopass.key;
}
Restart nginx, and both https://ssl.15099.net and https://selfssl.15099.net can be accessed.