|
linux自建证书搭建https(单项加密)
搭建https有两种方式,分为单向认证和双向认证。单向认证就是传输的数据加密过了,但是不会校验客户端的来源,也就只有客户端验证服务端证书。
本次实验是搭建单向认证的https证书
1、 建立服务器私钥,生成RSA秘钥,过程中会输入密码(123456)
1.1、 创建存放ssl证书的路径
[root@localhost ~]# mkdir -p /home/ssl/certificate
[root@localhost ~]# cd /home/ssl/certificate
1.2、 创建私钥
[root@localhost certificate]# openssl genrsa -des3 -out server.key
2048 Generating RSA private key, 2048 bit long modulus
…+++
…+++ e is 65537 (0x10001) Enter pass phrase for
server.key: 123456 Verifying - Enter pass phrase for server.key:
123456
server.key 私钥名称
2048 加密程度
123456 个人理解,这个估计是对这个密码进行加密
2、 生成一个证书请求,需要输入私钥的密码
[root@localhost certificate]# openssl req -new -key server.key -out server.csr
server.csr Enter pass phrase for server.key: 123456 // 私钥密码 You are
about to be asked to enter information that will be incorporated into
your certificate request. What you are about to enter is what is
called a Distinguished Name or a DN. There are quite a few fields but
you can leave some blank For some fields there will be a default
value, If you enter ‘.’, the field will be left blank.
----- Country Name (2 letter code) [XX]:cn // 国家,只能输入两个字节 State or Province Name (full name) []:Fujian // 省份 Locality Name (eg, city)
[Default City]:Xiamen // 城市 Organization Name (eg, company)
[Default Company Ltd]:bcx // 公司 Organizational Unit Name (eg,
section) []:bcx // 组织 Common Name (eg, your name or your server’s
hostname) []: bcx // 名字或者主机名 Email Address []:2734542837@qq.com // 邮箱地址
Please enter the following ‘extra’ attributes to be sent with your
certificate request A challenge password []:123456 私钥密码
An optional company name []:bcx // 公司名称
3、 对私钥进行ssl加密
[root@localhost certificate]# cp server.key server.key.org
[root@localhost certificate]# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: writing RSA key
4、 生成签名证书
[root@localhost certificate]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok subject=/C=cn/ST=fujian/L=xiamen/O=bcx/OU=bcx/CN=bcx/emailAddress=2734542837@qq.com
Getting Private key Enter pass phrase for server.key:123456 // 私钥密码
-days 365 // 这很明显是证书有效时间
-out server.crt // server.crt 这个是证书名
5、查看一下生成了那些文件
[root@localhost certificate]# ll
-rw-r–r–. 1 root root 1257 3月 31 15:40 server.crt
-rw-r–r–. 1 root root 1090 3月 31 15:30 server.csr
-rw-r–r–. 1 root root 1679 3月 31 16:23 server.key
-rw-r–r–. 1 root root 1751 3月 31 16:21 server.key.org
6、 在nginx中部署证书
server {
listen 443 ssl;
server_name 192.168.44.140;
root /usr/share/nginx/html;
ssl_certificate /home/ssl/certificate/server.crt;
ssl_certificate_key /home/ssl/certificate/server.key;
ssl_session_timeout 10m;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:-RC4+RSA:+HIGH:+MEDIUM:!EXP;
ssl_prefer_server_ciphers on;
}
6、 访问测试
#到此自建证书就完成了,这是单项加密
|
站长QQ
发表于 2023-11-9 18:13:57
置顶卡
沉默卡
变色卡
楼主