nginx生成自签名SSL证书配置HTTPS

一、安装nginx

nginx必须有"--with-http_ssl_module"模块
查看nginx安装的模块:
root@ecs-7398:/usr/local/nginx# cd /usr/local/nginx/
root@ecs-7398:/usr/local/nginx# ./sbin/nginx -V
nginx version: nginx/1.20.2
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
built with OpenSSL 1.1.1f  31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-pcre --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module

二、创建证书

1、生成私钥

root@ecs-7398:~# cd /usr/local/nginx/
root@ecs-7398:/usr/local/nginx# mkdir key
root@ecs-7398:/usr/local/nginx# cd key/
root@ecs-7398:/usr/local/nginx/key# openssl genrsa -des3 -out server.key 2048          #使用ssl生成私钥名为 server.key
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
......+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:                    #自定义密码:123456
Verifying - Enter pass phrase for server.key:          #确认密码:123456
root@ecs-7398:/usr/local/nginx# ls
client_body_temp  conf  fastcgi_temp  html  logs  proxy_temp  sbin  scgi_temp  server.key  uwsgi_temp
root@ecs-7398:/usr/local/nginx/key# cat server.key       #查看私钥内容
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4103533ED9B6ECD1

MAhsh46L3TsiCymB5pTA93lw/WZKzX/9iuzgM/OgG7U0cKHWdiLf907/52Ocp80e
bY/FKTADBcrEv2uFuke28WjdN2aQddiJGsP0CDLVKfv/kqEgvYuy2sIcoXcHV8fL
70vfaFuTa5CwxyIbRvfHFSpj39oC76eitx120x+KCkgWDkIaVGG9cP0TfmDnDOSe
fmpmZhqkkkP5dXuuPNItfumHHhZpjXqMr9oGxtENdMyNBrRywC8+NhRhO7iomZeP
tHiQpjQCrD8xkKcYqfKVCOS8KCXeKF1EylbJ89e2ZqgaujuKyC90raHpwga9MUSO
HNOT/U85zwsmqkh4/2Ox7AVLlNiG0+Rxt+IfWJb6xgT21SEfL/2vskNAkj2PN3J+
mpeSvpaKI1BsZ8LrpsqFNR0fDhIg+a5hzfSTlWouZcpePx7vB5qvKAvoSKrGmbDO
GQp4H24cSPAaQI6Wih+AxB8stfTCsBatJ5RwXgYNskumHL8KzpC9/Yj7QrLx3m3I
TBDlpOVU6tUYzMDVYDMGtTUhoPIdfVjaRz8BGWUFp0MM3Sx+rppPul1voSuVve5T
8uba4fqv+KIEQdR/PELB4N+ZgZiFP5HtoZN7mFWN6H/Ygm3GEgNeljiqypYQpZOd
dUIC/vhRsCuylww7Rh8LUtgnVAkJbyuqjA38wypATLKQFI1rwFzI9gCWwyz0SCNQ
tffBpZebLkG+H7GGfrTo+50TLDVetyQctbj2ibytpVKK4xE7oaMSZYqbfqg6OYCp
k2LhlWkKsDf7XhLbo5kP2UUfB7LSzx3JdRmA0Fw3GqEevFJysyJO2w==
-----END RSA PRIVATE KEY-----
root@ecs-7398:/usr/local/nginx/key# 

2、生成公钥

root@ecs-7398:/usr/local/nginx/key# openssl req -new -key server.key -out server.csr     #基于创建的server.key私钥创建server.csr公钥
Enter pass phrase for server.key:             #输入server.key的密码:123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN       #国家
State or Province Name (full name) [Some-State]:shanghai   #省市
Locality Name (eg, city) []:jiading     #城市
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bai    #组织
Organizational Unit Name (eg, section) []:zr   #单位
Common Name (e.g. server FQDN or YOUR name) []:byc     #姓名
Email Address []:2123288207@qq.com   #邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456     #密码
An optional company name []:zr     #公司
root@ecs-7398:/usr/local/nginx/key# 

3、签名生成证书

root@ecs-7398:/usr/local/nginx/key# openssl rsa -in server.key -out server.key        #去除server.key认证,避免每次"nginx -t"时出现输入密码的情况
Enter pass phrase for server.key:          #密码:123456
writing RSA key
root@ecs-7398:/usr/local/nginx/key# 

root@ecs-7398:/usr/local/nginx/key# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt
#使用私钥和公钥生成server.crt签名证书,-days为3650天 -in指定公钥,-signkey指定私钥,生成的前面证书为server.crt
Signature ok
subject=C = CN, ST = shanghai, L = jiading, O = bai, OU = zr, CN = byc, emailAddress = 2123288207@qq.com
Getting Private key
root@ecs-7398:/usr/local/nginx/key#

三、配置证书并验证

root@ecs-7398:/usr/local/nginx/key# cd ..
root@ecs-7398:/usr/local/nginx# systemctl start nginx    #启动Nginx
root@ecs-7398:/usr/local/nginx# vim conf/nginx.conf     
#编辑nginx主配置文件将后面server的注释去掉

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /usr/local/nginx/key/server.crt;     ##证书路径
    ssl_certificate_key  /usr/local/nginx/key/server.key;  ##证书路径

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   /usr/local/nginx/html/xiaomi;
        index  index.html index.htm;
    }
}

四、测试

root@ecs-7398:/usr/local/nginx# cd
root@ecs-7398:~# ls
nginx-1.20.2  nginx-1.20.2.tar.gz  小米官网.zip
root@ecs-7398:~# unzip 小米官网.zip -d /usr/local/nginx/html/xiaomi
root@ecs-7398:~# ls /usr/local/nginx/html/xiaomi/
css  iconfont  images  index.html

在浏览器访问https//xxx.xxx.xxx.xxx:443

相关推荐
earthzhang20216 小时前
《深入浅出HTTPS》读书笔记(5):随机数
网络协议·http·https
xiaoxiongip6667 小时前
HTTP 和 HTTPS
网络·爬虫·网络协议·tcp/ip·http·https·ip
JaneJiazhao7 小时前
HTTPSOK:SSL/TLS证书自动续期工具
服务器·网络协议·ssl
JaneJiazhao7 小时前
HTTPSOK:智能SSL证书管理的新选择
网络·网络协议·ssl
CXDNW7 小时前
【网络面试篇】HTTP(2)(笔记)——http、https、http1.1、http2.0
网络·笔记·http·面试·https·http2.0
ajsbxi7 小时前
苍穹外卖学习记录
java·笔记·后端·学习·nginx·spring·servlet
‍。。。10 小时前
使用Rust实现http/https正向代理
http·https·rust
JustCouvrir1 天前
macOS|前端工程部署到Nginx服务器
服务器·前端·nginx
AlbertS1 天前
使用 Let’s Encrypt 获取免费SSL证书
nginx·免费·centos7·ssl证书·let’s encrypt
航月1 天前
FTP、ISCSI、CHRONY、DNS、NFS、DOCKER、MARIADB、NGINX、PHP、CA各服务开启方法
nginx·docker·mariadb