1. Create the SSL certificate

# cd /etc/pki/tls/certs
# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:                  # enter a passphrase
Verifying - Enter pass phrase:      # confirm it

# remove the passphrase from the private key
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:   # input passphrase
writing RSA key

# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN                                    # country
State or Province Name (full name) []:shanghai                          # province
Locality Name (eg, city) [Default City]:shanghai                        # city
Organization Name (eg, company) [Default Company Ltd]:openstack         # company
Organizational Unit Name (eg, section) []:Server World                  # department
Common Name (eg, your name or your server's hostname) []:www.srv.world  # host name
Email Address []:xxx@srv.world                                          # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:            # press Enter
An optional company name []:        # press Enter

# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=computer/CN=www.openstack.com/emailAddress=example@openstack.com
Getting Private key
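The same key and self-signed certificate creation as a script, followed by the checks worth running before pointing nginx at the files (key and certificate belong together, host name present in SAN, not about to expire). This is an added example, not the post's own commands: it generates the key unencrypted from the start instead of adding and then stripping a passphrase, passes the subject with -subj instead of answering prompts, and assumes openssl 1.1.1 or newer in PATH (for -addext); the temporary directory and the host name www.srv.world are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `openssl` 1.1.1+ in PATH;
# the output directory and host name passed to make_selfsigned are placeholders.
set -eu

# Generate an unencrypted 2048-bit RSA key (so nginx starts without a passphrase
# prompt) and a self-signed certificate for $host, valid for $days days.
# The subject is given with -subj instead of typed at the prompts, and the host
# name is also written to subjectAltName: browsers no longer accept CN on its own.
make_selfsigned() {
    dir="$1"; host="$2"; days="${3:-3650}"
    (umask 077; openssl genrsa -out "$dir/server.key" 2048 2>/dev/null)
    openssl req -new -x509 -key "$dir/server.key" -out "$dir/server.crt" \
        -days "$days" -subj "/C=CN/ST=shanghai/L=shanghai/O=openstack/CN=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
}

# Succeed only when the public key inside the certificate is the one derived
# from the private key; a mismatch makes nginx refuse the pair at startup.
key_matches_cert() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# Succeed only when host name $2 appears as a DNS entry in the certificate's SAN.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Succeed only when the certificate is still valid $2 seconds from now
# (default 30 days); the same check suits a cron job that warns before expiry.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-2592000}" >/dev/null
}

main() {
    dir=$(mktemp -d)
    make_selfsigned "$dir" www.srv.world
    key_matches_cert "$dir/server.crt" "$dir/server.key" && echo "key and certificate match"
    cert_has_san "$dir/server.crt" www.srv.world && echo "SAN contains www.srv.world"
    cert_valid_for "$dir/server.crt" && echo "certificate valid for at least 30 days"
    rm -rf "$dir"
}

main
```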
2. Edit the configuration file /etc/nginx/nginx.conf

# add the following inside the "server" block
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl;
    server_name www.srv.world;
    root /usr/share/nginx/html;

    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep them only if old clients require it
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE+RSAGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
}
4. Restart the service

# systemctl restart nginx

Configure the firewall

# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload