生成自签证书,以及nginx - housekeeper-software/tech GitHub Wiki

参考

https://www.cnblogs.com/ximon/p/16020672.html
https://juejin.cn/post/7054482275211149349

一行命令创建自签证书

openssl req -newkey rsa:2048 -nodes -x509 -days 365 -keyout jingxi.key -out jingxi.crt -subj "/CN=<jingxi.com>" && sudo cat jingxi.crt jingxi.key >> jingxi.pem

备注

一般,简单起见,需要密码的地方我们将-passout pass:ssc82893388 设置为: -nodes, 表示密钥不需要密码

目录结构

/data/cert/ca:保存ca证书
/data/cert/server:保存服务器证书
/data/cert/client:保存客户端证书

生成CA证书

openssl req -newkey rsa:2048  -passout pass:ssc82893388 -keyout ca.key -x509 -days 3650 -out ca.crt -subj "/C=CN/ST=JS/L=NT/O=JINGXI/OU=R&D/CN=CA/[email protected]"

服务器证书

生成服务器证书

openssl req -newkey rsa:2048 -passout pass:ssc82893388 -keyout server.key  -out server.csr -subj "/C=CN/ST=JS/L=NT/O=JINGXI/OU=DEV/CN=CA/[email protected]"

证书签名

openssl x509 -req -extfile /etc/ssl/openssl.cnf -extensions v3_req -days 3650 -in server.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -passin pass:ssc82893388 -CAcreateserial -out server.crt

生成无密码密钥

openssl rsa -in server.key -out server.unsecure.key

客户端证书

生成客户端证书

openssl req -newkey rsa:2048 -passout pass:ssc82893388 -keyout client.key -out client.csr -subj "/C=CN/ST=JS/L=NT/O=JINGXI/OU=DEV/CN=CA/[email protected]"

证书签名

openssl x509 -req -extfile /etc/ssl/openssl.cnf -extensions v3_req -days 3650 -in client.csr -CA ../ca/ca.crt -CAkey ../ca/ca.key -passin pass:ssc82893388 -CAcreateserial -out client.crt

生成免密密钥

openssl rsa -in client.key -out client.unsecure.key

nginx 配置

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;

	server {
		listen     443 ssl;
		server_name 192.168.180.6;
		ssl_certificate  /data/cert/server/server.crt;
		ssl_certificate_key /data/cert/server/server.unsecure.key;
  		ssl_client_certificate  /data/cert/ca/ca.crt; //如不验证客户端证书,此项屏蔽
                ssl_verify_client on;  //如不验证客户端证书,此项屏蔽
		ssl_session_timeout 5m;
                ssl_prefer_server_ciphers on;
                ssl_ciphers  HIGH:!aNULL:!MD5; 
                ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
		location / {
			proxy_pass http://192.168.180.6:9989; //跳到真正的服务器
		}
	}
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}
⚠️ **GitHub.com Fallback** ⚠️