Convert a .cer (DER) certificate to PEM format:
openssl x509 -inform der -in server.cer -out server-pem.pem
Extract the private key from a .p12 (PKCS#12) file:
openssl pkcs12 -nocerts -nodes -in server.p12 -out server.key
Requires openssl: yum install -y openssl openssl-devel
[root@tlgakp1 rntibp]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
Check whether nginx was built with http_ssl_module:
[root@tlgakp1 nginx]# sbin/nginx -V
nginx version: nginx/1.18.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips  26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-stream
Check that the configure arguments contain "--with-http_ssl_module"; if they do not, nginx has to be recompiled and reinstalled with it.
Generate an unencrypted private key:
openssl genrsa > nginx.key 2048
Generating RSA private key, 2048 bit long modulus
...............................................................................+++
...............+++
e is 65537 (0x10001)
[root@localhost openssl]# ll
total 4
-rw-r--r--. 1 root root 1679 May 17 16:56 nginx.key
Generate a self-signed certificate (which carries the public key) from the private key:
[root@localhost openssl]# openssl req -new -x509 -key nginx.key > nginx.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
[root@localhost openssl]# ll
total 8
-rw-r--r--. 1 root root 1679 May 17 16:56 nginx.key
-rw-r--r--. 1 root root 1220 May 17 17:22 nginx.pem
Generate a private key and a self-signed SSL certificate:
Generate an encrypted private key. Parameters: genrsa: generate an RSA private key; -des3: encrypt the key with 3DES; -out server.pass.key: output file name for the key; 2048: key length in bits.
[root@localhost openssl]# openssl genrsa -des3 -out server.pass.key 2048
Generating RSA private key, 2048 bit long modulus
.+++
.................................+++
e is 65537 (0x10001)
Enter pass phrase for server.pass.key:
Verifying - Enter pass phrase for server.pass.key:
Remove the pass phrase from the private key:
[root@localhost openssl]# openssl rsa -in server.pass.key -out server.key
Enter pass phrase for server.pass.key:
writing RSA key
[root@localhost openssl]# ll ser*
-rw-r--r--. 1 root root 1679 May 17 17:26 server.key        # private key without pass phrase
-rw-r--r--. 1 root root 1751 May 17 17:25 server.pass.key   # pass-phrase-protected private key
Generate a CSR (certificate signing request):
[root@localhost openssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Parameters:
# req   generate a certificate signing request
# -new  create a new request
# -key  private key file
# -out  output CSR file
Generate the self-signed SSL certificate:
[root@localhost openssl]# openssl x509 -req -days 1825 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
Parameters:
# -days  validity period of the certificate in days
[root@localhost openssl]# ll ser*
-rw-r--r--. 1 root root 1103 May 17 17:32 server.crt        # self-signed SSL certificate
-rw-r--r--. 1 root root  952 May 17 17:29 server.csr        # certificate signing request
-rw-r--r--. 1 root root 1679 May 17 17:26 server.key        # private key without pass phrase
-rw-r--r--. 1 root root 1751 May 17 17:25 server.pass.key   # pass-phrase-protected private key
Nginx configuration
https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate
server {
    listen 9943 ssl;                      # port served over HTTPS
    server_name 192.168.100.83;           # domain name (an IP address here)
    ssl_certificate cert/nginx.pem;       # PEM-format certificate (.pem or .crt)
    ssl_certificate_key cert/nginx.key;   # the private key matching the certificate
    ssl_protocols SSLv3 TLSv1;            # SSL/TLS protocol versions
}
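The whole key -> CSR -> self-signed certificate procedure above, run as one script without the interactive prompts, followed by the checks worth doing before nginx is pointed at the files, and a hardened version of the server block. This is an added example written for these notes, not code from the original page or from the nginx project. File names, the subject fields and the address 192.168.100.83 are taken from the notes; the working directory, the 365-day lifetime, the san.cnf and ssl.conf file names and the use of a subjectAltName are assumptions. The script also replaces "ssl_protocols SSLv3 TLSv1;" with "ssl_protocols TLSv1.2 TLSv1.3;": SSLv3 and TLS 1.0 are obsolete and rejected by current browsers, and TLS 1.3 only becomes available once nginx is linked against OpenSSL 1.1.1 or newer (with the 1.0.2k build shown above, TLS 1.2 is what remains).

```shell
#!/bin/sh
# Added example, not code from the original notes: the key -> CSR -> self-signed
# certificate procedure above run without interactive prompts, the checks to run
# before handing the files to nginx, and a hardened version of the server block.
# File names, the subject fields and 192.168.100.83 come from the notes; the
# working directory, the 365-day lifetime and the config file name are assumptions.
set -u

WORKDIR="${WORKDIR:-$(mktemp -d)}"
KEY="$WORKDIR/server.key"
CSR="$WORKDIR/server.csr"
CRT="$WORKDIR/server.crt"
EXT="$WORKDIR/san.cnf"
CONF="$WORKDIR/ssl.conf"

# 1. Private key without a pass phrase: nginx cannot answer a prompt at startup.
gen_key() {
  openssl genrsa -out "$KEY" 2048 2>/dev/null || return 1
  chmod 600 "$KEY"    # the key must never be world-readable
}

# 2. CSR with the Distinguished Name passed via -subj instead of the prompts.
gen_csr() {
  openssl req -new -key "$KEY" -out "$CSR" \
    -subj "/C=XX/L=Default City/O=Default Company Ltd/CN=192.168.100.83" 2>/dev/null
}

# 3. Self-signed certificate. Clients match the host against subjectAltName, not
#    the CN, so the address is added as a SAN through -extfile.
gen_cert() {
  printf 'subjectAltName=IP:192.168.100.83\n' > "$EXT"
  openssl x509 -req -days 365 -in "$CSR" -signkey "$KEY" -out "$CRT" \
    -extfile "$EXT" 2>/dev/null
}

# Check: the public key in the certificate equals the one derived from the private
# key. A mismatch is the usual cause of nginx failing with "key values mismatch".
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$CRT" -noout -pubkey)
  key_pub=$(openssl pkey -in "$KEY" -pubout)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Check: the certificate verifies with itself as trust anchor and has not expired.
cert_is_valid() {
  openssl verify -CAfile "$CRT" "$CRT" >/dev/null 2>&1 \
    && openssl x509 -in "$CRT" -noout -checkend 0 >/dev/null
}

# Check: the SAN was actually written into the certificate.
cert_has_san() {
  openssl x509 -in "$CRT" -noout -text | grep -q 'IP Address:192.168.100.83'
}

# 4. nginx server block. The notes use "ssl_protocols SSLv3 TLSv1;"; both are
#    obsolete, so only TLS 1.2 and 1.3 are allowed (1.3 needs OpenSSL >= 1.1.1).
write_nginx_conf() {
  cat > "$CONF" <<EOF
server {
    listen 9943 ssl;
    server_name 192.168.100.83;
    ssl_certificate     $CRT;
    ssl_certificate_key $KEY;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_timeout 10m;
}
EOF
}

# The written config must not re-enable the obsolete protocol versions.
conf_is_hardened() {
  grep -q 'ssl_protocols TLSv1.2 TLSv1.3;' "$CONF" && ! grep -q 'SSLv3' "$CONF"
}

main() {
  command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; return 1; }
  gen_key && gen_csr && gen_cert || { echo "certificate generation failed" >&2; return 1; }
  key_matches_cert && cert_is_valid && cert_has_san && write_nginx_conf && conf_is_hardened \
    && echo "verified key/CSR/certificate and nginx config written to $WORKDIR"
}

main
```

Run it as "sh make-cert.sh" (or with WORKDIR=/usr/local/nginx/cert to write straight into the directory the server block above references) and copy the ssl.conf body into nginx.conf; key_matches_cert is the check to repeat whenever a certificate is replaced, because a renewed .crt deployed next to an old .key is the most common way an HTTPS vhost stops starting.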