
Implementing HTTPS with nginx

2024-03-31 Web Development

=======================================================================
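Zhang He: many years of experience in the Internet industry; has worked as a network engineer, systems integration engineer, and Linux operations engineer
Author's WeChat: zhanghe15069028807, currently living in Lixia District, Jinan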
=======================================================================

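I won't go into cryptography in detail here; this post only covers the operational steps. If you are interested in the background, see my other post: https://www.cnblogs.com/yizhangheka/p/11038825.html

Put simply: suppose A is a CA. B trusts A, and A issues B a certificate. C does the same and also obtains a certificate issued by the CA. When B and C work together, one side presents the certificate issued by the CA, and the other side can recognize it and agree to trust it. That trust rests on the trust both B and C place in A.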

Private CA IP: 192.168.80.5
nginx IP: 192.168.80.20

CA self-signing

Generate the CA's own private key

# cd /etc/pki/CA/
# (umask 077; openssl genrsa -out private/cakey.pem 2048)
# touch index.txt
# echo 01 > serial

Generate the CA's own certificate

# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 7300
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bejing
Locality Name (eg, city) [Default City]:bejing
Organization Name (eg, company) [Default Company Ltd]:bejing
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:ca.magedu.com
Email Address []:[email protected]

nginx generates a signing request

Generate the server's own private key and certificate signing request (CSR) file

# cd /etc/nginx/
# clear
# pwd
/etc/nginx
# (umask 077; openssl genrsa -out nginx.key 2048)
# openssl req -new -key nginx.key -out nginx.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:bejing
Locality Name (eg, city) [Default City]:bejing
Organization Name (eg, company) [Default Company Ltd]:bejing
Organizational Unit Name (eg, section) []:ops
Common Name (eg, your name or your server's hostname) []:
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Send the CSR file to the CA

# scp nginx.csr [email protected]:/root

CA signing

On the private CA, sign the signing request generated for the nginx site. This produces a signed certificate file:

openssl ca -in nginx.csr -out -days 365

Copy the certificate to /etc/nginx on the nginx server

scp [email protected]:/etc/nginx

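Import the certificate into nginx

# yum -y install mod_ssl
# vim /etc/nginx/nginx.conf
server {
    # "listen ... ssl" enables TLS on this socket; the separate "ssl on;"
    # directive is obsolete since nginx 1.15.0 and removed in 1.25.1
    listen 443 ssl;
    root /usr/share/nginx/html;
    include /etc/nginx/default.d/*.conf;
    server_name ;
    ssl_certificate /etc/nginx/www.zhanghe.com.crt;
    ssl_certificate_key /etc/nginx/nginx.key;
    ssl_session_cache shared:sslcache:20m;
}

Client verification

Before verifying, add a hosts record for the site. The site must be accessed by its domain name: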

curl --cacert cacert.pem https://www.zhanghe.com
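
The procedure above, as an added example that is not part of the original post: it builds a private CA, signs a server certificate, and runs the checks a client relies on (chain, host name, key pairing). It works in a temporary directory and uses `openssl x509 -req` instead of `openssl ca` with /etc/pki/CA; the subjectAltName, subject fields, file names and function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Subject fields, file names and
# function names are constructed; all files go into the directory given as $1.

# Build a private CA and a CA-signed server certificate for host $2.
make_pki() {
    ( cd "$1" && umask 077 &&
      # CA key and self-signed CA certificate
      openssl genrsa -out cakey.pem 2048 &&
      openssl req -new -x509 -key cakey.pem -out cacert.pem -days 7300 \
          -subj "/C=CN/O=Example/CN=Example Private CA" &&
      # Server key and signing request
      openssl genrsa -out nginx.key 2048 &&
      openssl req -new -key nginx.key -out nginx.csr \
          -subj "/C=CN/O=Example/CN=$2" &&
      # Clients match the host name against subjectAltName, so set it when signing
      printf 'subjectAltName=DNS:%s\n' "$2" > san.ext &&
      openssl x509 -req -in nginx.csr -CA cacert.pem -CAkey cakey.pem \
          -CAcreateserial -days 365 -extfile san.ext -out server.crt
    ) >/dev/null 2>&1
}

# Succeeds only if server.crt chains to cacert.pem.
chain_ok() {
    openssl verify -CAfile "$1/cacert.pem" "$1/server.crt" >/dev/null 2>&1
}

# Succeeds only if the certificate is valid for host name $2.
host_ok() {
    openssl x509 -in "$1/server.crt" -noout -checkhost "$2" | grep -q 'does match'
}

# Succeeds only if nginx.key is the private key belonging to server.crt.
key_ok() {
    [ "$(openssl x509 -in "$1/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$1/nginx.key" -pubout)" ]
}

# Run every check once; the IP address must NOT match, which is why the
# site has to be reached by its domain name.
demo() {
    d=$(mktemp -d) && make_pki "$d" www.zhanghe.com &&
    chain_ok "$d" && host_ok "$d" www.zhanghe.com && key_ok "$d" &&
    ! host_ok "$d" 192.168.80.20
    rc=$?; rm -rf "$d"; return $rc
}
demo && echo "chain, host name and key all check out"
```

Running `chain_ok` and `key_ok` before reloading nginx catches a certificate signed by the wrong CA or paired with the wrong key before any client sees it.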
