Enabling HTTPS in nginx is straightforward. First, openssl must be installed on the server. Then run the commands below to create a 2048-bit RSA private key, nginx.key, and a self-signed X.509 certificate, nginx.crt, valid for 10 years. The -nodes flag leaves the private key unencrypted on disk, which is what lets nginx start without a passphrase prompt, so keep that file readable by root only.
Note that this is not a certificate signed by a trusted third-party CA: browsers will warn about it, it is only suitable for temporary or internal use, and it will not pass reviews with stricter requirements. The steps are as follows:
sudo mkdir /etc/https
sudo openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout /etc/https/nginx.key -out /etc/https/nginx.crt
The options of openssl req are explained as follows (this is the help output of an older OpenSSL release; the ones used above are -x509, -nodes, -days, -newkey, -keyout and -out):
where options are
-inform arg input format - DER or PEM
-outform arg output format - DER or PEM
-in arg input file
-out arg output file
-text text form of request
-pubkey output public key
-noout do not output REQ
-verify verify signature on REQ
-modulus RSA modulus
-nodes don't encrypt the output key
-engine e use engine e, possibly a hardware device
-subject output the request's subject
-passin private key password source
-key file use the private key contained in file
-keyform arg key file format
-keyout arg file to send the key to
-rand file:file:... load the file (or the files in the directory) into the random number generator
-newkey rsa:bits generate a new RSA key of 'bits' in size
-newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'
-newkey ec:file generate a new EC key, parameters taken from CA in 'file'
-[digest] Digest to sign with (see openssl dgst -h for list)
-config file request template file.
-subj arg set or modify request subject
-multivalue-rdn enable support for multivalued RDNs
-new new request.
-batch do not ask anything during request generation
-x509 output a x509 structure instead of a cert. req.
-days number of days a certificate generated by -x509 is valid for.
-set_serial serial number to use for a certificate generated by -x509.
-newhdr output "NEW" in the header lines
-asn1-kludge Output the 'request' in a format that is wrong but some CA's have been reported as requiring
-extensions .. specify certificate extension section (override value in config file)
-reqexts .. specify request extension section (override value in config file)
-utf8 input characters are UTF8 (default ASCII)
-nameopt arg - various certificate name options
-reqopt arg - various request text options
When you run it you will be asked a number of questions, as below. They can be left blank or filled in arbitrarily, except Common Name, which must be the real domain name of the server:
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:Beijing
# Pay attention to the next item: enter your domain name
Common Name (eg, your name or your server's hostname) []:www.04007.cn
Email Address []:11111111@qq.com
One caveat: current browsers (Chrome since version 58, for example) ignore the Common Name entirely and match the host name only against the subjectAltName extension, which this interactive command does not add. To avoid a name-mismatch warning on top of the untrusted-issuer warning, add a SAN, either with -addext "subjectAltName=DNS:www.04007.cn" (OpenSSL 1.1.1 and later) or with a config file and -extensions.
After this, nginx.key and nginx.crt have been generated. Now edit the nginx configuration and add a server block; apart from the ssl directives it is the same as for http. Make sure ssl_certificate and ssl_certificate_key point at where the files actually are (the commands above wrote them to /etc/https, while the block below reads them from /etc/nginx/ssl, so move the files or adjust the paths), run nginx -t, which also fails if the key does not match the certificate, and then restart nginx.
server
{
listen 443 ssl;
server_name www.*****.cn;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
....
}
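The whole procedure above, done non-interactively and followed by the checks worth running before restarting nginx, as an added example that is not part of the original post. The host name, organisation and output directory are placeholders. Unlike the interactive command on this page, the script writes a subjectAltName into the certificate, and it does so through a temporary config file with -extensions rather than -addext so that it also works on older OpenSSL releases.

```shell
#!/bin/sh
# Added example (not from the original post): generate the self-signed key and
# certificate for nginx without prompts, then verify the result.

# Generate an unencrypted 2048-bit RSA key and a self-signed, SHA-256 signed
# certificate carrying a subjectAltName, since browsers match the host name
# against the SAN list and not the Common Name.
gen_selfsigned() {
    host="$1"; dir="$2"; days="${3:-3650}"
    mkdir -p "$dir"
    cfg="$dir/req.cnf"
    # Minimal request config: "req" insists on a distinguished_name section
    # even though the subject comes from -subj, so [dn] is left empty.
    # [san] is the extension block selected with -extensions below.
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
[dn]
[san]
subjectAltName = DNS:$host
EOF
    openssl req -x509 -nodes -sha256 -days "$days" -newkey rsa:2048 \
        -keyout "$dir/nginx.key" -out "$dir/nginx.crt" \
        -subj "/C=CN/O=Example Ltd/CN=$host" \
        -config "$cfg" -extensions san >/dev/null 2>&1
    rm -f "$cfg"
    # -nodes leaves the private key in the clear on disk, so restrict it to
    # its owner; nginx's master process reads it as root at startup.
    chmod 600 "$dir/nginx.key"
}

# The public key inside the certificate must equal the public half of
# nginx.key; nginx refuses to start ("key values mismatch") when they differ.
cert_matches_key() {
    c=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null | openssl sha256)
    k=$(openssl pkey -pubout -in "$2" 2>/dev/null | openssl sha256)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Confirm the SAN entry for the host is present (what browsers actually check).
cert_has_san() {
    openssl x509 -noout -text -in "$1" 2>/dev/null | grep -q "DNS:$2"
}

# Confirm the certificate is inside its validity period right now.
cert_not_expired() {
    openssl x509 -noout -checkend 0 -in "$1" >/dev/null 2>&1
}

# Portable permission string, e.g. "-rw-------" for a key only its owner reads.
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Usage: sh selfsigned.sh www.example.com /etc/https [days]
if [ $# -ge 2 ]; then
    gen_selfsigned "$1" "$2" "${3:-3650}"
    cert_matches_key "$2/nginx.crt" "$2/nginx.key" || { echo "key/cert mismatch" >&2; exit 1; }
    cert_has_san "$2/nginx.crt" "$1" || { echo "no SAN for $1" >&2; exit 1; }
    cert_not_expired "$2/nginx.crt" || { echo "certificate not valid now" >&2; exit 1; }
    echo "ok: $2/nginx.crt, key mode $(key_mode "$2/nginx.key")"
    openssl x509 -noout -subject -dates -in "$2/nginx.crt"
fi
```

Point ssl_certificate and ssl_certificate_key at the directory given as the second argument, then run nginx -t before restarting. The same key/certificate comparison the script does is what nginx -t performs when it loads the pair.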
publish: May 9, 2018 - Wednesday