  • Generating Nginx server SSL certificates and client certificates

    Nginx server SSL certificate
    Generate the pass key

    The following command generates a 2048-bit passphrase-protected key ("pass key"); -passout pass:111111 avoids being prompted for the password interactively.

    [tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:111111 -out server.pass.key 2048
    Generating RSA private key, 2048 bit long modulus
    ………..+++
    …………………+++
    e is 65537 (0x10001)

    Generate the key

    The following command generates the unencrypted private key; -passin pass:111111 must match the pass key's password and again avoids the interactive prompt.

    [tomcat@a02 tmp]$ openssl rsa -passin pass:111111 -in server.pass.key -out server.key
    writing RSA key

    Generate the certificate signing request (CSR)

    The following command generates the CSR file; you will be asked for the organization details. The CN must be set to the server's domain name. The final "challenge password" is the password of this CSR.

    [tomcat@a02 tmp]$ openssl req -new -sha256 -key server.key -out server.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Chaoyang
    Organization Name (eg, company) [Default Company Ltd]:HenSomeone
    Organizational Unit Name (eg, section) []:iSomeone
    Common Name (eg, your name or your server's hostname) []:internal.someone.com
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:222222
    An optional company name []:

    Send the CSR to the CA provider for signing

    If you bought an SSL certificate from a CA provider, this step is simply sending the CSR to the provider. When the certificate comes back, write its contents into the file server.pem.

    Configure it in Nginx like this

    server {
        listen       443;
        server_name  www.example.com;

        ssl                  on;   # deprecated since nginx 1.15.0; newer releases use "listen 443 ssl;" instead
        ssl_certificate      /path/to/ssl/server.pem;
        ssl_certificate_key  /path/to/ssl/server.key;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   # TLSv1 and TLSv1.1 are deprecated by RFC 8996; prefer TLSv1.2 (and TLSv1.3) only
        ssl_session_cache shared:ssl_www_example_com:5m;
        ssl_session_timeout  5m;
        # the DES-CBC3 suites at the end of this list are 3DES and are considered weak on current deployments
        ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:DES-CBC3-SHA;
        #...
        location / {
            #...
        }
        #...
    }

    Creating a self-signed certificate

    If you intend to make a self-signed certificate instead, run the following to produce the PEM certificate

    [tomcat@a02 tmp]$ openssl x509 -req -sha256 -days 3655 -in server.csr -signkey server.key -out server.pem
    Signature ok
    subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=iSomeone/CN=internal.someone.com
    Getting Private key

    Nginx client certificate verification
    Client certificate verification in Nginx is independent of the server's SSL certificate: you can use a CA-issued server certificate while using client verification certificates you made yourself.

    Generate the server-side private key

    [tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out ca.pass.key 2048
    Generating RSA private key, 2048 bit long modulus
    …………………………………………………………………………………………………+++
    ……………………………..+++
    e is 65537 (0x10001)

    [tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in ca.pass.key -out ca.key
    writing RSA key

    Generate the server-side certificate

    The following command generates the server-side certificate ca.pem, which is what gets configured into nginx.

    [tomcat@a02 tmp]$ openssl req -new -x509 -days 3655 -key ca.key -out ca.pem
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Chaoyang
    Organization Name (eg, company) [Default Company Ltd]:HenSomeone
    Organizational Unit Name (eg, section) []:iSomeone
    Common Name (eg, your name or your server's hostname) []:internal.someone.com
    Email Address []:

    Generate the client private key

    [tomcat@a02 tmp]$ openssl genrsa -aes256 -passout pass:201906 -out client_01.pass.key 2048
    Generating RSA private key, 2048 bit long modulus
    ……………………..+++
    …..+++
    e is 65537 (0x10001)

    [tomcat@a02 tmp]$ openssl rsa -passin pass:201906 -in client_01.pass.key -out client_01.key
    writing RSA key

    Generate the client certificate signing request (CSR)

    [tomcat@a02 tmp]$ openssl req -new -key client_01.key -out client_01.csr
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [XX]:CN
    State or Province Name (full name) []:Beijing
    Locality Name (eg, city) [Default City]:Chaoyang
    Organization Name (eg, company) [Default Company Ltd]:HenSomeone
    Organizational Unit Name (eg, section) []:Staff
    Common Name (eg, your name or your server's hostname) []:Staff
    Email Address []:

    Please enter the following 'extra' attributes
    to be sent with your certificate request
    A challenge password []:201907
    An optional company name []:

    Issue the client certificate

    The following command signs the client CSR with the server-side private key and server-side certificate, producing the client certificate. Note the -set_serial 01 parameter: if you issue several client certificates, this number must not repeat.

    [tomcat@a02 tmp]$ openssl x509 -req -days 3655 -in client_01.csr -CA ca.pem -CAkey ca.key -set_serial 01 -out client_01.pem
    Signature ok
    subject=/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=Staff/CN=Staff
    Getting CA Private Key

    Converting the client certificate format

    The certificate generated above cannot be used directly by common applications; it has to be converted into the format the application expects.

    Full PEM:

    [tomcat@a02 tmp]$ cat client_01.key client_01.pem ca.pem > client_01.full.pem

    PFX - the export password entered here is the password the application will ask for when importing the PFX certificate.

    [tomcat@a02 tmp]$ openssl pkcs12 -export -out client_01.full.pfx -inkey client_01.key -in client_01.pem -certfile ca.pem
    Enter Export Password:
    Verifying - Enter Export Password:

    Configure client certificate verification in Nginx

    ssl_client_certificate /path/to/ca.pem;
    ssl_verify_client optional; # or `on` if you require client key
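    The client-certificate procedure above run as a non-interactive sh script, as an added example that is not part of the original post: -subj replaces the DN prompts, a ca.serial counter enforces the "serial must not repeat" rule for -set_serial, and openssl verify checks that an issued certificate chains to ca.pem, which is the same trust decision Nginx makes with ssl_client_certificate. The WORK directory, the ca.serial file and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: the client-certificate steps
# (CA key/cert, client key, CSR, signing with -set_serial, full PEM bundle)
# without prompts, plus the two checks a practitioner wants afterwards:
# that serials never repeat and that the issued cert chains to ca.pem.
# Subjects follow the post; WORK and ca.serial are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SERIAL_FILE="$WORK/ca.serial"

# CA key and self-signed CA certificate (ca.key / ca.pem); -subj replaces the
# interactive DN prompts, and the serial counter starts at 0.
make_ca() {
    openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3655 -key "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=iSomeone/CN=internal.someone.com"
    echo 0 > "$SERIAL_FILE"
}

# Issue a client certificate; the serial for -set_serial is read from and
# advanced in ca.serial, so two issued certificates can never share a number.
issue_client() {
    name="$1"
    serial=$(( $(cat "$SERIAL_FILE") + 1 ))
    echo "$serial" > "$SERIAL_FILE"
    openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
    openssl req -new -key "$WORK/$name.key" -out "$WORK/$name.csr" \
        -subj "/C=CN/ST=Beijing/L=Chaoyang/O=HenSomeone/OU=Staff/CN=$name"
    openssl x509 -req -days 3655 -in "$WORK/$name.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -set_serial "$serial" -out "$WORK/$name.pem" 2>/dev/null
    # "Full PEM" bundle as in the post: key, certificate, CA certificate.
    cat "$WORK/$name.key" "$WORK/$name.pem" "$WORK/ca.pem" > "$WORK/$name.full.pem"
}

# Hex serial of an issued certificate, as openssl x509 -serial prints it.
cert_serial() {
    openssl x509 -in "$WORK/$1.pem" -noout -serial | sed 's/^serial=//'
}

# Does this certificate chain to ca.pem? Prints ok/fail. The ": OK" line is
# matched instead of the exit status so the check also works on old openssl.
verify_client() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" 2>/dev/null | grep -q ': OK$'; then
        echo ok
    else
        echo fail
    fi
}
```

Run `make_ca`, then `issue_client client_01` and `issue_client client_02`; `cert_serial client_02` prints 02 and `verify_client client_01` prints ok, while a certificate signed by any other key prints fail.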
