Enabling SSL in nginx [nginx]

Posted on 2018-9-26 10:19:07
1. Create the SSL certificate:

# cd /etc/pki/tls/certs
# make server.key
umask 77 ; \
/usr/bin/openssl genrsa -aes128 2048 > server.key
Generating RSA private key, 2048 bit long modulus
...
...
e is 65537 (0x10001)
Enter pass phrase:    # enter a passphrase
Verifying - Enter pass phrase:    # confirm it

# remove the passphrase from the private key
# openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:    # input passphrase
writing RSA key

# make server.csr
umask 77 ; \
/usr/bin/openssl req -utf8 -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN    # country
State or Province Name (full name) []:shanghai    # province
Locality Name (eg, city) [Default City]:shanghai    # city
Organization Name (eg, company) [Default Company Ltd]:openstack    # company
Organizational Unit Name (eg, section) []:Server World    # department
Common Name (eg, your name or your server's hostname) []:www.srv.world    # hostname
Email Address []:xxx@srv.world    # e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:    # press Enter
An optional company name []:    # press Enter

# openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 3650
Signature ok
subject=/C=CN/ST=shanghai/L=shanghai/O=openstack/OU=computer/CN=www.openstack.com/emailAddress=example@openstack.com
Getting Private key
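The interactive session above does three things by hand: generates an encrypted key, strips the passphrase again (nginx has to open the key at every restart without anyone typing it), and self-signs a CSR whose only identity is the Common Name. The script below is an added example, not code from the original post: it produces the same kind of self-signed certificate non-interactively, puts the hostname into subjectAltName (browsers match the hostname against the SAN and ignore the CN), keeps the key file 0600, and then checks the result before it is handed to nginx. It assumes an openssl binary of version 1.1.1 or newer in PATH (for -addext); the output directory and hostname are parameters, and the post's /etc/pki/tls/certs and www.srv.world are simply the values one would pass.

```shell
#!/bin/sh
# Added example (not from the original post): create a self-signed server
# certificate non-interactively, then verify it before configuring nginx.
# Assumes OpenSSL >= 1.1.1 (needed for -addext).

make_selfsigned() {
    # $1 = output directory, $2 = hostname (used as CN and as SAN), $3 = validity in days
    dir=$1; host=$2; days=${3:-3650}
    # -nodes writes the key unencrypted straight away; the post reaches the same
    # state by running "openssl rsa -in server.key -out server.key" afterwards.
    # The subshell keeps umask 077 local, so server.key is created mode 0600.
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
            -keyout "$dir/server.key" -out "$dir/server.crt" -days "$days" \
            -subj "/C=CN/ST=shanghai/L=shanghai/O=openstack/CN=$host" \
            -addext "subjectAltName=DNS:$host" >/dev/null 2>&1
    )
}

verify_pair() {
    # $1 = certificate, $2 = private key, $3 = hostname clients will connect to.
    # Returns 0 only if every check passes and prints the first failing check.
    crt=$1; key=$2; host=$3
    # 1. the key must not be passphrase-protected, or nginx cannot start unattended
    if grep -q ENCRYPTED "$key"; then echo "key is passphrase-protected"; return 1; fi
    # 2. the public key inside the certificate must belong to this private key
    pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || { echo "unreadable key"; return 1; }
    pub_crt=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || { echo "unreadable cert"; return 1; }
    [ "$pub_key" = "$pub_crt" ] || { echo "key/cert mismatch"; return 1; }
    # 3. the hostname must appear in subjectAltName; browsers ignore the CN
    openssl x509 -in "$crt" -noout -text | grep -q "DNS:$host" || { echo "no SAN for $host"; return 1; }
    # 4. the certificate must be valid right now (-checkend 0 fails once expired)
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null || { echo "certificate expired"; return 1; }
    return 0
}

# Usage on the web server (as root), with the post's paths and hostname:
#   make_selfsigned /etc/pki/tls/certs www.srv.world 3650
#   verify_pair /etc/pki/tls/certs/server.crt /etc/pki/tls/certs/server.key www.srv.world
```

The mismatch check matters whenever the key is regenerated: nginx refuses to start if ssl_certificate and ssl_certificate_key do not belong together, and catching that before the restart avoids an outage.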
2. Edit the configuration file /etc/nginx/nginx.conf

# add inside the "server" block
    server {
        listen       80 default_server;
        listen       [::]:80 default_server;
        listen       443 ssl;
        server_name  www.srv.world;
        root         /usr/share/nginx/html;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDHE+AESGCM:ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!DSS;
        ssl_certificate      /etc/pki/tls/certs/server.crt;
        ssl_certificate_key  /etc/pki/tls/certs/server.key;
    }
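Two things in that server block deserve a check before the restart. The ssl_protocols line still allows TLS 1.0 and TLS 1.1, which RFC 8996 deprecates, and the ssl_ciphers value is an OpenSSL cipher string, which OpenSSL parses leniently: a token it cannot resolve (a misspelled alias, or two exclusions run together without a colon) is silently dropped, so a typo removes nothing and warns nobody, and nginx -t does not catch it either. The shell functions below are an added example, not part of the original post and not nginx's or OpenSSL's own tooling: one flags deprecated protocol versions, the other resolves every token of a cipher string on its own with "openssl ciphers" and reports the ones that match no suite. They assume an openssl binary (1.1.1 or newer) in PATH and take the directive values as strings; they do not parse nginx.conf.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the ssl_protocols and
# ssl_ciphers values of an nginx server block. Assumes "openssl" (>= 1.1.1) in PATH.

audit_ssl_protocols() {
    # $1 = the value of an ssl_protocols directive, e.g. "TLSv1 TLSv1.1 TLSv1.2".
    # Prints every version deprecated by RFC 7568 (SSLv3) or RFC 8996 (TLS 1.0/1.1);
    # the return value is the number of such entries (0 = clean).
    bad=0
    for p in $1; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1) echo "deprecated: $p"; bad=$((bad + 1)) ;;
        esac
    done
    return $bad
}

check_cipher_string() {
    # $1 = the value of an ssl_ciphers directive (an OpenSSL cipher string).
    # OpenSSL ignores any token it cannot resolve, so "ECDHE+RSAGCM" (RSAGCM is not
    # an alias) or "!aNULL!eNull" (missing ':' and wrong case) changes nothing without
    # any warning. Each token is resolved separately with "openssl ciphers"; tokens that
    # match no suite are printed, and the return value is their count (0 = clean).
    bad=0
    list=$1
    while [ -n "$list" ]; do
        tok=${list%%:*}                                 # first remaining token
        case $list in *:*) list=${list#*:} ;; *) list='' ;; esac
        case $tok in @*) continue ;; esac               # @STRENGTH, @SECLEVEL=n: directives
        name=${tok#[+!-]}                               # drop the leading action character
        case $name in
            *[!A-Za-z0-9+=.-]*) echo "malformed: $tok"; bad=$((bad + 1)); continue ;;
        esac
        if ! openssl ciphers "$name" >/dev/null 2>&1; then
            echo "no match: $tok"; bad=$((bad + 1))
        fi
    done
    return $bad
}

# Corrected directives for the server block above. The positive selectors already
# exclude static RSA, CBC, 3DES and MD5 suites, so the long exclusion list is not
# needed; TLS 1.3 suites are configured by OpenSSL itself and are not affected by
# ssl_ciphers (assumption: OpenSSL >= 1.1.1 linked into nginx).
#   ssl_protocols TLSv1.2 TLSv1.3;
#   ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL;
```

Running check_cipher_string on the post's original ssl_ciphers value reports "ECDHE+RSAGCM" as matching nothing and "!aNULL!eNull" as malformed, which is exactly the kind of silent no-op this check exists for. After editing nginx.conf, run nginx -t before systemctl restart nginx so that a syntax error does not take the site down; nginx -t validates syntax only, not the strength of the settings.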
4. Restart the service

# systemctl restart nginx

Configure the firewall

# firewall-cmd --add-service=https --permanent
# firewall-cmd --reload
易陆发现技术论坛 ( 蜀ICP备2026014127号-1 )