1、创建CA私钥
# cd /etc/pki/CA
# (umask 077;openssl genrsa -out private/cakey.pem 2048)
# ls -l private/    # 验证私钥文件已生成，且权限为 0600
2、创建自签证书
# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 3655
Country Name (2 letter code) [XX]:CH
State or Province Name (full name) []:NA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:Shengjing
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:ca.shengjing360.com
Email Address []:[email protected]
[root@localhost CA]# ll
总用量 4
-rw-r--r--. 1 root root 1440 9月 5 11:08 cacert.pem
drwxr-xr-x. 2 root root 6 4月 11 12:58 certs
drwxr-xr-x. 2 root root 6 4月 11 12:58 crl
drwxr-xr-x. 2 root root 6 4月 11 12:58 newcerts
drwx------. 2 root root 23 9月 5 11:03 private
3、初始化CA的序列号文件和索引数据库
[root@localhost CA]# touch serial index.txt
[root@localhost CA]# echo 01 > serial
4、创建服务器私钥（示例为 1024 位；当前实践建议至少使用 2048 位）;
[root@localhost ssl]# (umask 077;openssl genrsa -out nginx.key 1024)
Generating RSA private key, 1024 bit long modulus
.........................................................................++++++
.++++++
e is 65537 (0x10001)
[root@localhost ssl]# ll
总用量 4
-rw-------. 1 root root 891 9月 5 11:14 nginx.key
5、生成证书签署请求（CSR）（注：现代浏览器校验 subjectAltName 而非仅 Common Name，生产环境需在请求中加入 SAN 扩展）
[root@localhost ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:HA
Locality Name (eg, city) [Default City]:ZZ
Organization Name (eg, company) [Default Company Ltd]:Shengjing
Organizational Unit Name (eg, section) []:Ops
Common Name (eg, your name or your server's hostname) []:www.shengjing360.com
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
6、用CA签署证书请求
[root@localhost ssl]# openssl ca -in nginx.csr -out nginx.crt -days 3655
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Sep 5 03:21:29 2018 GMT
Not After : Sep 7 03:21:29 2028 GMT
Subject:
countryName = CH
stateOrProvinceName = NA
organizationName = Shengjing
organizationalUnitName = Ops
commonName = www.shengjing360.com
emailAddress = [email protected]
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
EC:DA:78:D4:01:F4:B0:40:73:CB:26:89:24:AD:82:12:4E:29:7A:E9
X509v3 Authority Key Identifier:
keyid:4B:87:90:9C:39:D8:0A:27:68:00:AF:06:82:2A:1F:B4:60:26:C8:95
Certificate is to be certified until Sep 7 03:21:29 2028 GMT (3655 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
7、配置 Nginx 启用 SSL，并将请求反向代理到 192.168.102.44:80;
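# HTTPS front end for www.shengjing360.com: terminates TLS here and
# reverse-proxies plain HTTP to the backend at 192.168.102.44:80.
server {
    # `listen ... ssl` replaces the deprecated `ssl on;` directive.
    listen 443 ssl;
    server_name www.shengjing360.com;

    # Certificate signed by the private CA above. The key must stay
    # readable only by root (it was created under umask 077, mode 0600).
    ssl_certificate     /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;

    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;

    # Restrict to current protocol versions (nginx otherwise also offers
    # TLSv1/TLSv1.1); add TLSv1.3 once the installed nginx/OpenSSL support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    location / {
        proxy_pass http://192.168.102.44:80;
        # Forward the original host, client address and scheme so the
        # backend's vhost routing and access logs see the real client
        # instead of this proxy.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}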