一、客户有证书提供
客户有证书的,或者有域名申请了免费证书的,直接根据下面的第5步骤,配置nginx即可。
二、 自己生成证书
1. 安装openssl-Win64 OpenSSL v3.1.1 Light
附下载地址 Win32/Win64 OpenSSL Installer for Windows - Shining Light Productions
配置环境变量:
变量名:OPENSSL_HOME
具体路径根据情况配置。
将%OPENSSL_HOME%\bin加入至PATH中。
2.创建root CA私钥
以下ca.key 与 ca.crt的路径需要自行修改
openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\ca.key -x509 -days 365 -out D:\pis-win64\ssl\ca.crt
执行步骤返回如下:
需要填写一些信息
C:\Users\Administrator>openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\ca.key -x509 -days 365 -out D:\pis-win64\ssl\ca.crt
Generating a 4096 bit RSA private key
.............................................++
.............................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShenZhen
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bowo
Organizational Unit Name (eg, section) []:bowo
Common Name (e.g. server FQDN or YOUR name) []:bowo
Email Address []:xxxx@126.com
3. 为服务端(web)生成证书签名请求文件
以下192.168.168.5.key 与192.168.168.5.csr的路径需要自行修改
openssl req -newkey rsa:4096 -nodes -sha256 -keyout D:\pis-win64\ssl\192.168.168.5.key -out D:\pis-win64\ssl\192.168.168.5.csr
执行步骤返回如下:
需要填写一些信息,且需要注意,本次填写的内容中 Common Name一定要是你要授予证书的FQDN域名或主机名,并且不能与生成root CA设置的Commone Name相同
Generating a 4096 bit RSA private key
....................................................................++
....................................................................++
writing new private key to '192.168.168.5.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:ShenZhen
Locality Name (eg, city) []:ShenZhen
Organization Name (eg, company) [Internet Widgits Pty Ltd]:BOWO
Organizational Unit Name (eg, section) []:BOWO
Common Name (e.g. server FQDN or YOUR name) []:192.168.168.5
Email Address []:xxxx@126.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:附属属性修改密码,可以不填
An optional company name []:附属属性另一个公司名称,可以不填
4.用步骤2创建的root CA证书给步骤3生成的签名请求进行签名
4.1 先创建一个extfile.cnf文件,文件内容是你要用来访问的IP,即主机IP
文件内容如下:
subjectAltName = IP:192.168.168.5
主机有多个网卡可以用以下配置
subjectAltName = IP:192.168.168.5,IP:10.33.180.100
4.2 执行语句,进行签名
路径需要自行修改
openssl x509 -req -days 365 -in D:\pis-win64\ssl\192.168.168.5.csr -CA D:\pis-win64\ssl\ca.crt -CAkey D:\pis-win64\ssl\ca.key -CAcreateserial -extfile D:\pis-win64\ssl\extfile.cnf -out D:\pis-win64\ssl\192.168.5.5.crt
执行步骤返回如下:
Signature ok
subject=/C=CN/ST=ShenZhen/L=ShenZhen/O=RANCHER/OU=BOWO/CN=192.168.168.5/emailAddress=xxxx@126.com
Getting CA Private Key
5.配置nginx
将https模块打开,ssl_certificate 和 ssl_certificate_key 配上生成的crt与key即可。
# HTTPS server
#
server {
listen 13901 ssl;
server_name 192.168.168.5;
ssl_certificate D:/LIMS/pis-win64/ssl/192.168.5.5.crt;
ssl_certificate_key D:/LIMS/pis-win64/ssl/192.168.168.5.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}