CA認證

nginx下證書配置

nginx 下 配 置 CA 認 證

 

為nginx配置https並自簽名證書   開啟443端口

 

實驗環境： centos6.5    192.168.16.14

 

[root@localhost nginx]# rpm -qa | grep openssl

openssl-devel-1.0.1e-15.el6.x86_64

openssl-1.0.1e-15.el6.x86_64

 

一.准備證書

1.制作CA證書

ca.key CA私鑰：

步驟與 使用OpenSSL自簽發服務器https證書所述大同小異。在這里再重復一次。

[root@localhost zhengshu]# pwd

/root/zhengshu

[root@localhost zhengshu]# openssl genrsa -des3 -out ca.key 2048    //制作ca.key 私鑰

Generating RSA private key, 2048 bit long modulus

...............................+++

............................................................................................................+++

e is 65537 (0x10001)

Enter pass phrase for ca.key:         //輸入ca.key私鑰  tfo0zQ1JiP3PeZQVAzMy

Verifying - Enter pass phrase for ca.key:    //再次輸入ca.key私鑰    tfo0zQ1JiP3PeZQVAzMy

 

制作解密后的CA私鑰（一般無此必要）：

[root@localhost zhengshu]# openssl rsa -in ca.key -out ca_decrypted.key

Enter pass phrase for ca.key:         //輸入ca.key私鑰    tfo0zQ1JiP3PeZQVAzMy

writing RSA key

[root@localhost zhengshu]# ls

ca_decrypted.key  ca.key           //解密后的ca私鑰和ca私鑰

 

 

ca.crt CA根證書（公鑰）：

[root@localhost zhengshu]# openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

Enter pass phrase for ca.key:         //輸入ca.key私鑰    tfo0zQ1JiP3PeZQVAzMy  

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:             //輸入一個國家的名字，兩字母代碼  可為空

State or Province Name (full name) []:        //州或省名稱 ，全名   可為空

Locality Name (eg, city) [Default City]:        //地區名稱，如城市  可為空

Organization Name (eg, company) [Default Company Ltd]:           //組織名稱，默認有限公司 可為空

Organizational Unit Name (eg, section) []:       //組織單元名稱 ，可為空            

Common Name (eg, your name or your server's hostname) []:www.amber.com      //常見的名字(例如你的名字或你的服務器的主機名），輸入該網址的域名，必填

Email Address []:       //郵件地址，可為空

[root@localhost zhengshu]# ls

ca.crt  ca_decrypted.key  ca.key           //ca公鑰

 

 

2、制作生成網站的證書並用CA簽名認證，在這里，假設網站域名為www.amber.com

生成www.amber.comt證書私鑰：

[root@localhost zhengshu]# openssl genrsa -des3 -out www.amber.com.pem 1024

Generating RSA private key, 1024 bit long modulus

..............................++++++

......++++++

e is 65537 (0x10001)

Enter pass phrase for www.amber.com.pem:    //輸入www.amber.com.pem口令   8BZNTubqWA3Y6A1aVJyW

Verifying - Enter pass phrase for www.amber.com.pem:     //再次輸入www.amber.com.pem  口令    8BZNTubqWA3Y6A1aVJyW

 

 

制作解密后的www.amber.oom證書私鑰：

[root@localhost zhengshu]# openssl rsa -in www.amber.com.pem -out www.amber.com.key

Enter pass phrase for www.amber.com.pem:  //輸入www.amber.com.pem口令   8BZNTubqWA3Y6A1aVJyW

writing RSA key

[root@localhost zhengshu]# ls     //解密后的wwwamber.com.key證書私鑰

ca.crt  ca_decrypted.key  ca.key www.amber.com.key  www.amber.com.pem

 

 

生成簽名請求：

[root@localhost zhengshu]# openssl req -new -key www.amber.com.pem -out www.amber.com.csr

Enter pass phrase for www.amber.com.pem:     //輸入www.amber.com.pem 口令   8BZNTubqWA3Y6A1aVJyW

You are about to be asked to enter information that will be incorporated

into your certificate request.

What you are about to enter is what is called a Distinguished Name or a DN.

There are quite a few fields but you can leave some blank

For some fields there will be a default value,

If you enter '.', the field will be left blank.

-----

Country Name (2 letter code) [XX]:     //輸入一個國家的名字，兩字母代碼  可為空

State or Province Name (full name) []:       //州或省名稱 ，全名   可為空

Locality Name (eg, city) [Default City]:      //地區名稱，如城市  可為空

Organization Name (eg, company) [Default Company Ltd]:         //組織名稱，默認有限公司 可為空

Organizational Unit Name (eg, section) []:        //組織單元名稱 ，可為空  

Common Name (eg, your name or your server's hostname) []: www.amber.com    //常見的名字(例如你的名字或你的服務器的主機名），輸入該網址的域名，必填

Email Address []:  //郵件地址，可為空

 

Please enter the following 'extra' attributes

to be sent with your certificate request

A challenge password []: tutRLJVpkCXlfBJqtZDh   //輸入密碼

An optional company name []: ZX    //輸入一個公司的名稱

 

注：在common name中填入網站域名，如blog.creke.net即可生成改站點的證書，同時也可以使用泛域名如*.creke.net來生成所有二級域名可用的網站證書

 

 

 

用CA進行簽名：

[root@localhost zhengshu]# openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in www.amber.com.csr -out www.amber.com.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ca.key:       //輸入ca私鑰   tfo0zQ1JiP3PeZQVAzMy

/etc/pki/CA/index.txt: No such file or directory

unable to open '/etc/pki/CA/index.txt'    //報錯，不能打開這個目錄..

140576737036104:error:02001002:system library:fopen:No such file or directory:bss_file.c:398:fopen('/etc/pki/CA/index.txt','r')

140576737036104:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:400:

 

注；其中，policy參數允許簽名的CA和網站證書可以有不同的國家、地名等信息，days參數則是簽名時限

 

報錯解決方法：

如果在執行簽名命令時，出現“I am unable to access the ../../CA/newcerts directory”

修改/etc/pki/tls/openssl.cnf中“dir = ./CA”

[root@localhost zhengshu]# vim /etc/pki/tls/openssl.cnf

42 dir             = ./CA 

 

然后：

mkdir -p CA/newcerts

touch CA/index.txt

touch CA/serial

echo "01" > CA/serial

 

[root@localhost zhengshu]# mkdir -p CA/newcerts

[root@localhost zhengshu]# touch CA/index.txt

[root@localhost zhengshu]# touch CA/serial

[root@localhost zhengshu]# echo "01" > CA/serial

再重新執行簽名命令。

[root@localhost zhengshu]# openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in www.amber.com.csr -out www.amber.com.crt

Using configuration from /etc/pki/tls/openssl.cnf

Enter pass phrase for ca.key:    //輸入ca私鑰   tfo0zQ1JiP3PeZQVAzMy   

Check that the request matches the signature

Signature ok

Certificate Details:

        Serial Number: 1 (0x1)

        Validity

            Not Before: Sep  2 23:37:46 2016 GMT

            Not After : Sep  1 23:37:46 2020 GMT

        Subject:

            countryName               = XX

            localityName              = Default City

            organizationName          = Default Company Ltd

            commonName                = www.amber.com

        X509v3 extensions:

            X509v3 Basic Constraints:

                CA:FALSE

            Netscape Comment:

                OpenSSL Generated Certificate

            X509v3 Subject Key Identifier:

                F6:B5:02:33:26:4A:CA:80:C0:01:D8:35:E3:B5:66:27:3A:07:9F:D0

            X509v3 Authority Key Identifier:

                keyid:EE:81:07:70:D2:11:40:FC:0E:FE:8D:F0:31:91:58:AC:89:3D:0E:DF

 

Certificate is to be certified until Sep  1 23:37:46 2020 GMT (1460 days)

Sign the certificate? [y/n]:y

 

 

1 out of 1 certificate requests certified, commit? [y/n]y

Write out database with 1 new entries

Data Base Updated

 

 

最后，把ca.crt的內容粘貼到www.amber.com.crt后面。這個比較重要！因為不這樣做，可能會有某些瀏覽器不支持

[root@localhost zhengshu]# cat ca.crt >> www.amber.com.crt

 

好了，現在https需要到的網站私鑰www.amber.com.key和網站證書www.amber.com.crt都准備完畢。接下來開始配置服務端。

 

 

二.配置nginx服務端

源碼包安裝nginx服務器

卸載rpm包安裝的apache服務  ，可省略次步驟

[root@localhost zhengshu]# rpm -q httpd

package httpd is not installed

[root@localhost zhengshu]# rpm -e httpd --nodeps

[root@localhost zhengshu]# netstat -anpt | grep 80

 

安裝nginx支持軟件：

[root@localhost ~]# yum -y install pcre-devel zlib-devel gcc gcc-c++ make

[root@localhost ~]# rpm -q  pcre-devel zlib-devel gcc gcc-c++ make

pcre-devel-7.8-6.el6.x86_64

zlib-devel-1.2.3-29.el6.x86_64

gcc-4.4.7-4.el6.x86_64

gcc-c++-4.4.7-4.el6.x86_64

make-3.81-20.el6.x86_64

[root@localhost ~]# yum -y install pcre-devel zlib-devel

[root@localhost ~]# rpm -q  pcre-devel zlib-devel

pcre-devel-7.8-6.el6.x86_64

zlib-devel-1.2.3-29.el6.x86_64

 

創建運行用戶，組：

[root@localhost ~]# useradd -M -s /sbin/nologin nginx

 

編譯安裝nginx：

[root@localhost soft]# pwd

/root/soft

[root@localhost soft]# ls

nginx-1.6.0.tar.gz

[root@localhost soft]# tar xf nginx-1.6.0.tar.gz -C /usr/src

[root@localhost soft]# cd /usr/src/nginx-1.6.0/

[root@localhost nginx-1.6.0]# ls

auto  CHANGES  CHANGES.ru  conf  configure  contrib  html  LICENSE  man  README  src

[root@localhost nginx-1.6.0]# ./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_stub_status_module --with-http_ssl_module && make && make install    ///安裝ssl模塊

 

 

為程序nginx創建連接文件：

[root@localhost nginx-1.6.0]# ls /usr/local/nginx/

conf  html  logs  sbin

[root@localhost nginx-1.6.0]# ln -s /usr/local/nginx/sbin/nginx /usr/local/sbin/

[root@localhost nginx-1.6.0]# ll /usr/local/sbin/

總用量 0

lrwxrwxrwx 1 root root 27 9月   3 08:04 nginx -> /usr/local/nginx/sbin/nginx

[root@localhost nginx-1.6.0]# nginx -t          //檢測nginx語法

nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok

nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

[root@localhost nginx-1.6.0]# nginx   //啟動nginx 服務

[root@localhost nginx-1.6.0]# netstat -anpt | grep nginx

tcp        0      0 0.0.0.0:80                  0.0.0.0:*                   LISTEN      5797/nginx  

 

 

在server{}段中設置：

[root@localhost conf]# cp nginx.conf nginx.conf.bak

[root@localhost conf]# vim nginx.conf

35     server {

36         listen       192.168.16.14:443;

37         ssl on;

38         ssl_certificate /usr/local/nginx/conf/www.amber.com.crt;       //密鑰存放的路徑

39         ssl_certificate_key /usr/local/nginx/conf/www.amber.com.key;     //密鑰存放的路徑

40         server_name  www.amber.com;     //網站域名

41        

 

 

[root@localhost ~]# cp zhengshu/* /usr/local/nginx/conf/        //把密鑰都拷到/usr/local/nginx/conf/ 目錄下

cp: 略過目錄"zhengshu/CA"

 

nginx其他配置修改:

[root@localhost conf]# vim nginx.conf

 

  1

  2 user  nginx nginx;     //nginx程序賬戶及程序組

  3 worker_processes  2;   //指定要開啟的進程，每個進程要消耗10M-20M內存，cpu要是多核，建議指定與cpu一樣多的核數

  4

  5 #error_log  logs/error.log;

  6 #error_log  logs/error.log  notice;

  7 error_log  logs/error.log  info;   //錯誤日志記錄級別

  8

  9 pid        logs/nginx.pid;    //指定pid存儲位置

10

11

12 events {

13    use epoll;   nginx的工作模式

14     worker_connections  1024;

15 }

16

17

18 http {

19     include       mime.types;

20     default_type  application/octet-stream;

21

22    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '

23                       '$status $body_bytes_sent "$http_referer" '

24                       '"$http_user_agent" "$http_x_forwarded_for"';

25

26    access_log  logs/access.log  main;  //客戶端訪問日志記錄位置

27

28     sendfile        on;   //開啟文件上傳下載功能

29     #tcp_nopush     on;

30

31     #keepalive_timeout  0;

32     keepalive_timeout  65;   //連接保持超時時間

33

34     gzip  on;   //開啟網頁壓縮功能

35

36     server {

37         listen       192.168.16.14:443;  網站綁定443端口號

38          ssl on;

39          ssl_certificate /usr/local/nginx/conf/www.amber.com.crt;

40          ssl_certificate_key /usr/local/nginx/conf/www.amber.com.key;

41         server_name  www.amber.com;   //虛擬主機綁定的域名

42

43         charset koi8-r;   //默認字符集

44

45         access_log  logs/host.access.log  main;   //虛擬主機訪問日志記錄

46

47         location / {

48             root   html;     //網站根目錄位置

49             index  index.html index.htm;    //默認首頁地址

50         }

51

52         #error_page  404              /404.html;

53

54         # redirect server error pages to the static page /50x.html

55         #

56         error_page   500 502 503 504  /50x.html;

57         location = /50x.html {

58             root   html;

59         }

60    }

61 }

 

[root@localhost conf]# killall -3 nginx    //關閉nginx服務

[root@localhost conf]# nginx    //啟動nginx服務

[root@localhost conf]# netstat -anpt | grep nginx     //查看nginx端口號

tcp        0      0 192.168.16.14:443           0.0.0.0:*                   LISTEN      5815/nginx

 

 

瀏覽器訪問：

 

 

點擊記錄瀏覽此網站

 

用域名www.amber.com訪問：

[root@localhost conf]# vim /etc/hosts

 

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4

::1         localhost localhost.localdomain localhost6 localhost6.localdomain6

192.168.16.14   www.amber.com

 

並且修改windows下hosts文件，添加ip地址與域名