
HTTPS: self-signed SSL certificate

Create a directory

cd /etc/nginx
mkdir cert
cd cert

Generate the key file

  1. Create the key

    openssl genrsa -des3 -out <domain>.origin.key 1024

    You will be asked for a passphrase during generation. To avoid the hassle (nginx would otherwise prompt for it on every start), we remove it in the next step.

  2. Remove the passphrase

    openssl rsa -in <domain>.origin.key -out <domain>.key

Generate the certificate signing request

openssl req -new -key <domain>.key -out <domain>.csr

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Apart from the Common Name field (bolded in the original post), where you enter your domain or IP, every other field can be left blank:

If you enter '.', the field will be left blank.

Generate the certificate (.crt)

Using the two files produced by the steps above, generate the .crt certificate (funny coincidence: one of my classmates has the initials CRT):

  • <domain>.key
  • <domain>.csr

openssl x509 -req -days 365 -in <domain>.csr -signkey <domain>.key -out <domain>.crt
# optional: bundle certificate and key into a PKCS#12 file (the author's own domain is used here)
openssl pkcs12 -export -clcerts -in mdmcp.njupt.edu.cn.crt -inkey mdmcp.njupt.edu.cn.key -out mdmcp.p12
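The four openssl calls above (genrsa, rsa, req, x509) can be collapsed into one, and two things the post's commands leave out matter in practice: a 1024-bit key is below today's minimums, and modern browsers ignore the Common Name and only trust a certificate whose subjectAltName lists the host. The script below is an added example, not the post's own script; it assumes openssl 1.1.1 or newer (for -addext), and the hostnames used in it are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the post's own script: one-shot self-signed certificate
# with a 2048-bit key, no passphrase and a subjectAltName (modern browsers
# ignore the Common Name and require a SAN), plus a verification step.
# Assumes openssl >= 1.1.1 (for -addext). Hostnames used are constructed.
set -eu

# san_for <domain>: SAN entry; IP addresses get an IP: entry, names DNS:.
san_for() {
  case $1 in
    *[!0-9.]*) printf 'DNS:%s' "$1" ;;
    *)         printf 'IP:%s' "$1" ;;
  esac
}

# make_selfsigned <domain> <outdir> [days]
# Writes <outdir>/<domain>.key and <outdir>/<domain>.crt in one openssl call,
# replacing the genrsa / rsa / req / x509 sequence from the post.
make_selfsigned() {
  domain=$1; outdir=$2; days=${3:-365}
  mkdir -p "$outdir"
  # -nodes: unencrypted key, so nginx can start without a passphrase prompt
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$domain" -addext "subjectAltName=$(san_for "$domain")" \
    -keyout "$outdir/$domain.key" -out "$outdir/$domain.crt" 2>/dev/null
  chmod 600 "$outdir/$domain.key"
}

# verify_pair <domain> <outdir>: succeed only if the key is 2048-bit, its
# public key matches the certificate, and the SAN names <domain>.
verify_pair() {
  domain=$1; outdir=$2
  key=$outdir/$domain.key; crt=$outdir/$domain.crt
  openssl pkey -in "$key" -noout -text | grep -q '2048 bit' || return 1
  k=$(openssl pkey -in "$key" -pubout -outform DER | openssl sha256)
  c=$(openssl x509 -in "$crt" -noout -pubkey | openssl pkey -pubin -outform DER | openssl sha256)
  [ "$k" = "$c" ] || return 1
  case $domain in
    *[!0-9.]*) pat="DNS:$domain" ;;
    *)         pat="IP Address:$domain" ;;   # how x509 -text prints IP SANs
  esac
  openssl x509 -in "$crt" -noout -text | grep -q "$pat"
}

# Usage: sh mkcert.sh <domain> [outdir]   (outdir defaults to ./cert)
if [ $# -gt 0 ]; then
  make_selfsigned "$1" "${2:-./cert}"
  verify_pair "$1" "${2:-./cert}" && echo "OK: ${2:-./cert}/$1.crt"
fi
```

The resulting .crt and .key drop straight into the ssl_certificate and ssl_certificate_key directives in the nginx configuration that follows.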

Configure nginx

# HTTPS server
server {
    listen 443 ssl;
    server_name <your domain or IP>;

    ssl_certificate ./cert/<domain>.crt;
    ssl_certificate_key ./cert/<domain>.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;

    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # ...
}
# Force HTTPS: redirect plain HTTP to HTTPS
server {
    if ($host = <your domain or IP>) {
        return 301 https://$host$request_uri;
    }
    listen 80 ;
    listen [::]:80 ;
    server_name <your domain or IP>;
    return 404;
}

Install the certificate

The .crt file can be exported and installed manually, or installed from the browser's prompt after the first request. Because a self-signed certificate is not trusted by the browser, a warning is normal; just proceed to the site.

Automation script

#!/bin/sh

# create self-signed server certificate:
set -e

# read -p is a bash extension; printf + read works in plain sh
printf 'Enter your domain [www.example.com]: '
read -r DOMAIN
DOMAIN=${DOMAIN:-www.example.com}   # apply the default shown in the prompt

echo "Create server key..."
# note: 1024-bit RSA is below current minimums; 2048 is the usual floor today
openssl genrsa -des3 -out "$DOMAIN.key" 1024

echo "Remove password..."
mv "$DOMAIN.key" "$DOMAIN.origin.key"
openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"
chmod 600 "$DOMAIN.key"   # the key is now unencrypted; restrict who can read it

echo "Create server certificate signing request..."
openssl req -new -key "$DOMAIN.key" -out "$DOMAIN.csr"

echo "Sign SSL certificate..."
openssl x509 -req -days 365 -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"

echo "TODO:"
echo "sudo mv $DOMAIN.crt /etc/nginx/cert/$DOMAIN.crt"
echo "sudo mv $DOMAIN.key /etc/nginx/cert/$DOMAIN.key"
echo ""
echo "Add configuration in nginx:"
echo "server {"
echo " ..."
echo " listen 443 ssl;"
echo " ssl_certificate /etc/nginx/cert/$DOMAIN.crt;"
echo " ssl_certificate_key /etc/nginx/cert/$DOMAIN.key;"
echo "}"