Nginx Architecture Series (23): Private CA

止止_8fc8  2022-06-11  73 reads

CA: Certificate Authority

A virtual host that works over HTTPS needs TLS support in the server; in Nginx that is the ngx_http_ssl_module (mod_ssl is the Apache counterpart). It also needs two files: a certificate and a private key. The certificate identifies the web server to its clients. The private key never leaves the server; during the TLS handshake it proves that the server owns the certificate and lets both sides agree on the session keys that then encrypt the traffic (the private key itself does not encrypt the page data). In production the certificate is requested from a CA; in a lab environment one would normally set up a certificate server. Note that the steps below take a shortcut: the server key signs its own certificate, so the result is a self-signed certificate rather than one issued by a separate private CA, and no client will trust it until that certificate is imported into its trust store.


1. Generate the certificate and key files

1) Prepare a directory for the certificate and key
mkdir -p /etc/nginx/ssl

2) Generate the private key
openssl genrsa 1024 > /etc/nginx/ssl/server.key
Generating RSA private key, 1024 bit long modulus
...............................................................++++++
................................................................++++++
e is 65537 (0x10001)

The 1024-bit key is kept here as recorded, but it is below the current minimum: use 2048 bits or more for anything other than a throwaway lab. Also note that redirecting into the file with > creates it with the default umask; a private key should be readable only by root (mode 0600).

3) Use the key to generate a certificate request (CSR)
openssl req -new -key /etc/nginx/ssl/server.key > /etc/nginx/ssl/server.csr

Country Name (2 letter code) [XX]:CN ### country, two-letter code
State or Province Name (full name) []:BJ ### province
Locality Name (eg, city) [Default City]:BJ ### city
Organization Name (eg, company) [Default Company Ltd]:qf ### organization (千锋 QF)
Organizational Unit Name (eg, section) []:cloud ### organizational unit
Common Name (eg, your name or your server's hostname) []:nginx.linux.com ### the server's hostname; it must match the name clients connect to
Email Address []:12345678@qq.com ### optional
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: ### leave empty
An optional company name []: ### leave empty

View the request
ls /etc/nginx/ssl/
server.csr (certificate request)  server.key (private key)

4) Approve the request and generate the certificate
openssl req -x509 -days 365 -key /etc/nginx/ssl/server.key -in /etc/nginx/ssl/server.csr > /etc/nginx/ssl/server.crt
-x509: output a certificate instead of a request; because it is signed with the same key that made the request, the result is self-signed
-days: validity period; commercial CAs price certificates by lifetime
-key: the private key that signs the certificate
-in: the certificate request whose subject is copied into the certificate

"Approve" is generous here: nobody other than the server itself vouches for this certificate. A real private CA keeps its own key, signs the server's CSR with that key, and distributes only its CA certificate to clients.

View the certificate
ll /etc/nginx/ssl/
-rw-r--r--. 1 root root 920 Jun 11 16:22 server.crt   certificate
-rw-r--r--. 1 root root 627 Jun 11 16:19 server.csr   request; can be deleted
-rw-r--r--. 1 root root 887 Jun 11 16:18 server.key   private key

The private key is world-readable (0644) as listed; change it to 0600 before using it.
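What a private CA proper looks like, as an added example (my script, not code from the original post): the CA key signs its own certificate once, the server's CSR is then signed with the CA key instead of with the server key, and the leaf certificate gets the subjectAltName that browsers check. The script also reproduces the self-signed shortcut from step 4 so the two can be compared with openssl verify. It assumes openssl is on PATH; the directory layout, the subject fields (copied from the prompts above) and the CA name "qf lab root CA" are assumptions, and 2048-bit keys replace the 1024 used above.

```shell
#!/bin/sh
# Added example, not from the original post: a small private CA that issues a
# server certificate, next to the self-signed shortcut used in step 4 above.
# All paths live under DIR and the subject fields are assumptions.
set -eu

# make_private_ca DIR HOST
#   1. CA key and self-signed CA certificate (the trust anchor clients import)
#   2. server key and CSR, non-interactive (-subj replaces the prompts)
#   3. the CA signs the CSR, adding the SAN that browsers require
make_private_ca() {
    dir=$1; host=$2
    mkdir -p "$dir"

    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -key "$dir/ca.key" \
        -subj "/C=CN/ST=BJ/L=BJ/O=qf/OU=cloud/CN=qf lab root CA" \
        -out "$dir/ca.csr" 2>/dev/null
    # CA extensions: mark it as a CA that may sign certificates and CRLs
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    # -signkey: the CA signs its own request; this is the one place self-signing belongs
    openssl x509 -req -sha256 -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" \
        -subj "/C=CN/ST=BJ/L=BJ/O=qf/OU=cloud/CN=$host" \
        -out "$dir/server.csr" 2>/dev/null

    # Leaf extensions: not a CA, TLS server use, hostname in subjectAltName
    # (modern clients ignore the CN for name matching)
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
        "$host" > "$dir/server.ext"
    # "Approve the request": the CA key, not the server key, signs the server CSR
    openssl x509 -req -sha256 -days 365 -in "$dir/server.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null

    chmod 600 "$dir/ca.key" "$dir/server.key"   # private keys must not be world-readable
}

# make_self_signed DIR HOST: what step 4 above does, the server key signing its own request
make_self_signed() {
    dir=$1; host=$2
    mkdir -p "$dir"
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -subj "/CN=$host" -out "$dir/server.csr" 2>/dev/null
    openssl req -x509 -days 365 -key "$dir/server.key" -in "$dir/server.csr" \
        -out "$dir/server.crt" 2>/dev/null
}

# verify_chain DIR CAFILE HOST: prints "ok" when DIR/server.crt chains to CAFILE,
# is valid for TLS server use and names HOST; prints "untrusted" otherwise.
verify_chain() {
    dir=$1; cafile=$2; host=$3
    if openssl verify -CAfile "$cafile" -purpose sslserver -verify_hostname "$host" \
            "$dir/server.crt" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# Usage: sh private_ca.sh /etc/nginx/ssl nginx.linux.com
if [ $# -eq 2 ]; then
    make_private_ca "$1" "$2"
    verify_chain "$1" "$1/ca.crt" "$2"
fi
```

After running it, point ssl_certificate at server.crt and import ca.crt (never ca.key) into the client's trusted roots. verify_chain answers ok only when the certificate chains to the CA, is valid for TLS server use and names the host; the self-signed certificate and a wrong hostname both come back as untrusted, which is exactly what the browser warning in the next section is reporting.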


2. Deploying HTTPS with the private certificate

1) Create the site directory
mkdir /bj
echo "bj ssl web" > /bj/index.html

2) Write the nginx server block
vim /etc/nginx/conf.d/bj.conf

server {
    listen 443 ssl;
    server_name www.bj.com;

    ssl_certificate     /etc/nginx/ssl/server.crt;   # the path is up to you
    ssl_certificate_key /etc/nginx/ssl/server.key;

    location / {
        root  /bj;
        index index.html index.htm;
    }
}

Check the syntax with nginx -t, then reload and confirm that nginx is listening on 443:

nginx -s reload
ss -antp | grep nginx

3) Test access

https://www.bj.com

The browser shows a risk warning. Two things cause it, and both are expected with the files built above: the certificate is self-signed, so it was not issued by any CA in the browser's trust store; and it was issued to nginx.linux.com (the Common Name typed in step 3) while the site is served as www.bj.com, so the name does not match either. To remove the warning in a lab, issue the certificate for the exact hostname in a subjectAltName (modern browsers no longer accept the CN alone) and import the issuing certificate into the client's trusted roots.

[Screenshots: browser certificate risk warning pages for https://www.bj.com]



Public CA

A certificate bought from a public CA arrives ready to use, here as a .pem (the server certificate, usually followed by the intermediate chain) and a .key (the private key):

ll /etc/nginx/214194377980730.*
-rw-r--r-- 1 root root 1679 May 11 14:41 /etc/nginx/214194377980730.key
-rw-r--r-- 1 root root 3916 May 11 14:41 /etc/nginx/214194377980730.pem

The key is world-readable (0644) as listed; tighten it to 0600 before going live.

cat /etc/nginx/conf.d/default.conf
server {
    listen 80;
    server_name www.111.top;
    # Send every plain-HTTP request to HTTPS, keeping the original URI
    return 301 https://www.111.top$request_uri;
    # rewrite .* https://www.111.top$request_uri permanent;   # older equivalent
}
server {
    listen 443 ssl;
    server_name www.111.top;
    # The original had "ssl on;" here; it is redundant with "listen 443 ssl" and has been
    # deprecated since nginx 1.15.0, so current releases reject it
    ssl_certificate     /etc/nginx/214194377980730.pem;
    ssl_certificate_key /etc/nginx/214194377980730.key;
    location / {
        root  /usr/share/nginx/html;
        index index.html index.php;
    }
}

systemctl restart nginx
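A hardened version of the two server blocks above, as an added example (my configuration, not the post's or Nginx's own): it keeps the HTTP to HTTPS redirect, drops the deprecated ssl on; in favour of the ssl parameter on listen, pins server_name so the host matches the certificate, limits protocols to TLS 1.2 and 1.3, enables session resumption and sends an HSTS header. The paths /etc/nginx/ssl/fullchain.pem and /etc/nginx/ssl/server.key are placeholders; substitute the .pem/.key pair you downloaded.

```nginx
# Added example, not from the original post: hardened HTTPS virtual host.
# Certificate and key paths are placeholders for your own files.
server {
    listen 80;
    server_name www.111.top;
    # Redirect to a fixed hostname rather than $host, so a forged Host header
    # cannot steer clients elsewhere.
    return 301 https://www.111.top$request_uri;
}

server {
    # "ssl" as a listen parameter replaces the removed "ssl on;" directive.
    listen 443 ssl;
    server_name www.111.top;                 # must match the certificate's SAN

    # Server certificate followed by the intermediate chain, and its private key.
    ssl_certificate     /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key;   # mode 0600, owned by root

    # Only current protocol versions; TLS 1.0 and 1.1 are deprecated.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;           # let modern clients choose among strong suites

    # Session resumption: cheaper reconnects without weakening the handshake.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # Tell browsers to stay on HTTPS for this host for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  /usr/share/nginx/html;
        index index.html index.php;
    }
}
```

Run nginx -t before systemctl reload nginx. From outside, openssl s_client -connect www.111.top:443 -servername www.111.top should end with Verify return code: 0 (ok) for a public certificate; with the lab certificate from the first part it will report a verification error unless the client is given the issuing certificate with -CAfile.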




