SSL self-signed certificates
Why use an SSL certificate?
HTTP cannot encrypt data, so data in transit can be leaked, tampered with, or abused in phishing attacks. Enabling HTTPS lets the web server and the site establish a trusted, encrypted HTTPS connection, putting a lock on the site and ensuring data is transmitted securely.
Install openssl (skip if already installed)
```shell
# 1. Open https://slproweb.com/products/Win32OpenSSL.html
# 2. Download the exe:
#    Win64 OpenSSL vx.x.x Light  - Win64 OpenSSL with the commonly used components
#    Win64 OpenSSL vx.x.x        - Win64 OpenSSL full package
#    Win32 OpenSSL vx.x.x Light  - Win32 OpenSSL with the commonly used components
#    Win32 OpenSSL vx.x.x        - Win32 OpenSSL full package
# 3. Run the installer; one step asks where to install, choose not to install into the system directory
# 4. After installation, add the xx:\xxx\OpenSSL-Win64\bin directory to the PATH environment variable for convenience
# 5. Open a shell and test: openssl version
```
Generating and configuring a self-signed SSL certificate for Nginx
2.1 Terminology
key  private key = generated yourself, stored in the clear (genrsa)
csr  "public key" (strictly, a certificate signing request containing the public key) = generated from the private key
crt  certificate = public key + signature (self-signed or signed by a CA)
Certificate: the server.crt file is the certificate
Signing: the process of producing the certificate server.crt from the private key (key) and the "public key" (csr) is called signing
2.2 Generate the private key
Create an ssl directory to hold the certificate and key
```shell
cd /
mkdir ssl
cd ssl
```
Use openssl to generate a private key named private.key
```shell
openssl genrsa -des3 -out private.key 2048
```
```plaintext
[root@use ssl]# openssl genrsa -des3 -out private.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..................................................+++++
.......+++++
e is 65537 (0x010001)
Enter pass phrase for private.key: (set a pass phrase)
Verifying - Enter pass phrase for private.key: (confirm the pass phrase)
```
2.3 Generate the public key (CSR)
Create the server.csr public key (certificate signing request) from the private.key private key created above
```shell
openssl req -new -key private.key -out server.csr
```
The result looks like this
```plaintext
[root@iZ2vchf1q4xtxy45ga1kigZ ssl]# openssl req -new -key private.key -out server.csr
Enter pass phrase for private.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN (country, enter CN)
State or Province Name (full name) []:(province)
Locality Name (eg, city) [Default City]:(city)
Organization Name (eg, company) [Default Company Ltd]:(organization name)
Organizational Unit Name (eg, section) []:(organizational unit)
Common Name (eg, your name or your server's hostname) []:(common name, anything will do)
Email Address []:(email)
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:(set a password)
An optional company name []:(company name)
```
View the contents of the request (server.csr)
```shell
openssl req -text -in server.csr -noout
```
Output:
```plaintext
[root@adf ssl]# openssl req -text -in server.csr -noout
Certificate Request:
Data:
Version: 1 (0x0)
Subject: C = CN, ST = sichuan, L = chengdu, O = qwe, OU = qwe, CN = ggg, emailAddress = 123123@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (2048 bit)
Modulus:
00:b8:ba:3a:d2:2c:77:fc:2a:f8:c4:86:7a:09:74:
d4:fe:60:46:7d:1a:43:10:39:c7:b5:9d:d6
18:44:df:98:ee:b3:1f:40:1f
Exponent: 65537 (0x10001)
Attributes:
unstructuredName :xxxx
challengePassword :(password)
Signature Algorithm: sha256WithRSAEncryption
a3:7b:a0:20:dd:cd:f7:1c:6e:a8:2e:84:2b:b3:b9:86:b4:55:
31:63
```
2.4 Generate the decrypted private key
Generate the decrypted private key private.key.unsecure from the private.key private key
```shell
openssl rsa -in private.key -out private.key.unsecure
```
Signing: generating the certificate
Signing
Method one
Use the decrypted private key and the public key to generate the signed certificate server.crt: -days sets the validity to 365 days, -in specifies the public key (CSR), -signkey specifies the decrypted private key, and the resulting signed certificate is server.crt
```shell
openssl x509 -req -days 365 -in server.csr -signkey private.key.unsecure -out server.crt
```
Signing method two
Use the encrypted private key and the public key to generate the signed certificate server.crt: -days sets the validity to 365 days, -in specifies the public key (CSR), -signkey specifies the private key, and the resulting signed certificate is server.crt
```shell
# Prompts for the pass phrase; it is the private key pass phrase set above
openssl x509 -req -days 365 -in server.csr -signkey private.key -out server.crt
```
View the certificate contents
Contents of server.crt
```shell
openssl x509 -text -in server.crt -noout
# or, equivalently, with the arguments in a different order
# openssl x509 -in server.crt -noout -text
```
Using the certificate in Nginx
Edit the main nginx configuration file
```shell
vim /etc/nginx/nginx.conf
```
Append the following at the end of the file: create a new server block (note that it must be inside the http block). listen is the listening port, server_name can be the host address or localhost, ssl_certificate is the path to the signed certificate and ssl_certificate_key is the path to the private key. This article uses the path of the decrypted private key; using the encrypted private key produced an error.
```txt
server {
    # listening port
    listen 443 ssl;
    # domain name or IP address
    server_name localhost;
    # path to the signed certificate
    ssl_certificate "/ssl/server.crt";
    # path to the private key; this article uses the decrypted private key
    ssl_certificate_key "/ssl/private.key.unsecure";
}
```
Restart nginx and open the site in a browser to verify
```shell
# restart so the new server block is loaded (start alone changes nothing if nginx is already running)
systemctl restart nginx
```
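The genrsa, req and x509 steps above as one non-interactive script, an added example that is not part of the original post: it also runs the checks worth doing before nginx is pointed at the files (certificate/key match, self-verification, key file mode) and adds a subjectAltName, which browsers require. It assumes OpenSSL 1.1.1 or newer and a POSIX sh; the directory, host name and validity period are arguments, and the /C=CN/O=example subject is a constructed placeholder.

```shell
# Added example, not code from the original post: the genrsa -> req -> x509
# steps above as one non-interactive script, plus checks to run before nginx
# uses the files. Assumes OpenSSL 1.1.1+ and POSIX sh; paths are arguments.
set -e
# make_self_signed DIR HOST DAYS: writes DIR/private.key, server.csr, server.crt.
# The key has no pass phrase because nginx cannot prompt for one (the page
# uses private.key.unsecure for the same reason), so the file mode is what
# protects it: umask 077 makes the key readable by its owner only.
make_self_signed() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    old_umask=$(umask)
    umask 077
    openssl genrsa -out "$dir/private.key" 2048 2>/dev/null
    # Subject passed with -subj instead of the interactive prompts (constructed values).
    openssl req -new -key "$dir/private.key" -out "$dir/server.csr" \
        -subj "/C=CN/O=example/CN=$host" 2>/dev/null
    # Browsers ignore the CN and require a subjectAltName; "x509 -req" drops
    # CSR extensions, so the extension is supplied through -extfile instead.
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/san.cnf"
    openssl x509 -req -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/private.key" -extfile "$dir/san.cnf" \
        -out "$dir/server.crt" 2>/dev/null
    umask "$old_umask"
}

# cert_matches_key CRT KEY: succeeds when the certificate carries the public
# key derived from KEY (catches a certificate signed with the wrong key).
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ "$crt_pub" = "$key_pub" ]
}

# cert_self_verifies CRT: succeeds when CRT validates with itself as the only
# trust anchor, which is how a client has to be configured to accept it.
cert_self_verifies() {
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# cert_san CRT: prints the subjectAltName entries, e.g. "DNS:localhost".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}
# key_is_private KEY: succeeds when only the owner can read the key file.
key_is_private() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}
```

If an encrypted key is preferred, nginx's ssl_password_file directive can supply the pass phrase; otherwise the owner-only file mode set here is the key's only protection on disk.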