[网络协议] Nginx证书格式转换，证书配置生成pem(公钥)、key（私钥）、csr（签名文件）、crt（自签名SSL证书）

开发: C++知识库 Java知识库 JavaScript Python PHP知识库人工智能区块链大数据移动开发嵌入式开发工具数据结构与算法开发测试游戏开发网络协议系统运维
教程: HTML教程 CSS教程 JavaScript教程 Go语言教程 JQuery教程 VUE教程 VUE3教程 Bootstrap教程 SQL数据库教程 C语言教程 C++教程 Java教程 Python教程 Python3教程 C#教程
数码: 电脑笔记本显卡显示器固态硬盘硬盘耳机手机 iphone vivo oppo 小米华为单反装机图拉丁

-> 网络协议 -> Nginx证书格式转换，证书配置生成pem(公钥)、key（私钥）、csr（签名文件）、crt（自签名SSL证书） -> 正文阅读

[网络协议]Nginx证书格式转换，证书配置生成pem(公钥)、key（私钥）、csr（签名文件）、crt（自签名SSL证书）

将cer格式证书转pem格式：

openssl x509 -inform der -in server.cer -out server-pem.pem

提取私钥：p12格式文件中提取私钥

openssl pkcs12 -nocerts -nodes -in server.p12 -out server.key

需要依赖openssl
yum install -y openssl openssl-devel

[root@tlgakp1 rntibp]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

检查是否支持https_ssl_module:

[root@tlgakp1 nginx]# sbin/nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx –with-http_ssl_module --with-stream

观察编译时是否带有“–with-http_ssl_module”
没有需要重新编译安装

生成没有加密得私钥：

 openssl genrsa > nginx.key 2048 
 Generating RSA private key, 2048 bit long modulus
...............................................................................+++
...............+++
e is 65537 (0x10001)
[root@localhost openssl]# ll
total 4
-rw-r--r--. 1 root root 1679 May 17 16:56 nginx.key

根据私钥生成公钥：

openssl req -new -x509 -key nginx.key > nginx.pem

[root@localhost openssl]# ll
total 4
-rw-r--r--. 1 root root 1679 May 17 16:56 nginx.key
[root@localhost openssl]# openssl req -new -x509 -key nginx.key > nginx.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@localhost openssl]# ll
total 8
-rw-r--r--. 1 root root 1679 May 17 16:56 nginx.key
-rw-r--r--. 1 root root 1220 May 17 17:22 nginx.pem

生成私钥和自签名的SSL证书：

生成加密私钥:
参数： genrsa：生成RSA私钥；-des3：des3算法；-out server.pass.key：生成的私钥文件名；2048：私钥长度

[root@localhost openssl]# openssl genrsa -des3 -out server.pass.key 2048 
Generating RSA private key, 2048 bit long modulus
.+++
.................................+++
e is 65537 (0x10001)
Enter pass phrase for server.pass.key:   #输入四位以上密码
Verifying - Enter pass phrase for server.pass.key:   #再次输入

去除私钥中的密码:

[root@localhost openssl]#  openssl rsa -in server.pass.key -out server.key
Enter pass phrase for server.pass.key:        #输入私钥的密码
writing RSA key

[root@localhost openssl]# ll ser*
-rw-r–r–. 1 root root 1679 May 17 17:26 server.key #无密码私钥
-rw-r–r–. 1 root root 1751 May 17 17:25 server.pass.key #有密码私钥

生成CSR（证书签名请求文件）：

[root@localhost openssl]#  openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:              
An optional company name []:

#以上参数可不填，一直回车 也没有影响

参数说明：

# -req 生成证书签名请求   
# -new 新生成           
# -key 私钥文件               
# -out 生成的CSR文件

生成自签名的SSL证书：

[root@localhost openssl]# openssl x509 -req -days 1825 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key

参数说明：							
 # -days 证书有效期

[root@localhost openssl]# ll ser*
-rw-r–r–. 1 root root 1103 May 17 17:32 server.crt #自签名SSL证书
-rw-r–r–. 1 root root 952 May 17 17:29 server.csr #签名文件
-rw-r–r–. 1 root root 1679 May 17 17:26 server.key #无密码私钥
-rw-r–r–. 1 root root 1751 May 17 17:25 server.pass.key #有密码私钥

Nginx配置

https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate

server {
        listen       9943 ssl;     #https访问页面
        server_name  192.168.100.83;         #域名
        ssl_certificate cert/nginx.pem;			#pem格式证书 .pem .crt
        ssl_certificate_key cert/nginx.key;	#配置已签名的私钥
        ssl_protocols SSLv3 TLSv1;			# SSL协议