在实际应用中,通常是向知名的的CA提交证书申请来申请证书,但某些情况下出于成本的考虑,也可以自己制作证书。这里,我们先创建一个私有的CA根证书,模拟官方的CA,对用户提交的SSL证书进行签名,因此,生成证书的过程分为两部:1)创建CA根证书,2)创建nginx 的SSL证书
关于CA证书(来自百度百科):
CA 也拥有一个证书(内含公钥和私钥)。网上的公众用户通过验证 CA 的签字从而信任 CA ,任何人都可以得到 CA 的证书(含公钥),用以验证它所签发的证书。
如果用户想得到一份属于自己的证书,他应先向 CA 提出申请。在 CA 判明申请者的身份后,便为他分配一个公钥,并且 CA 将该公钥与申请者的身份信息绑在一起,并为之签字后,便形成证书发给申请者。
如果一个用户想鉴别另一个证书的真伪,他就用 CA 的公钥对那个证书上的签字进行验证,一旦验证通过,该证书就被认为是有效的。证书实际是由证书签证机关(CA)签发的对用户的公钥的认证。
证书的内容包括:电子签证机关的信息、公钥用户信息、公钥、权威机构的签字和有效期等等。目前,证书的格式和验证方法普遍遵循X.509 国际标准。
默认情况下,在CentOS6.5上,OpenSLL是已经安装好的
1. 根据/etc/pki/tls/openssl.cnf配置信息,在/etc/pki/目录下创建index.txt文件
生成CA证书
2. 生成rsa根密钥对
查看一下文件内容
[root@localhost private]# cat rootKey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAxl7AZiR6n1HW90vkKOmghhRpShiH+Cqtd8MkOa0b6h8er5zN
0pAXqO6rUGYVYjISEZb7yIna5ecG0rlmZMxNwOWPJiV3q4a28CFkXpvCIRRvGuGt
PdZCpIJ8cqerjH0zVVsiSl+OeMegLshkCjRfN8PgD+uHUFaWZBNwfP1hqeshZvDk
xqAzYmbiHZejy6PEmIr36ByBe9NiItuGJ0TFThcof9rdueQRal9fZO2O08ihTO3n
Cg4nxgVQh7LhOyxG/6Mt+iUxasDDUQlbxk2gFoO3EhiCl3NIxXt45OTEtlAXcxa1
54iLw8nRuGUfTjuyqf7vmzzluzFwxyp+60PI3wIDAQABAoIBAAEqU1UGR9Yhw/KF
9pwq6y9+dTPjOwFBNu2qLs9L7gsNDcAYWrku8YSjikwZnWyLQMHrsiT2clvBZK/e
OPTEonxMnO+rbq2KSA7XE2De52AMX663vq3LUW7n+VUvGPnlTmTk+SmYsByTh6Re
tv+8WQbZ1rohNxVIvO9vkcyaLHW0EkNDQVpIwzrO6IjM6vKycsNQ9dmLHY0/3T1Y
dvjgtuD/F9iuGayna8Sbv+Lt5bu7MR3xudMsTA1JSApiDb7GU9cmWu2ziVNg+FnT
ZK3wFyq0jiR1aJLshjEWufEF9S4f3LAq07dtZkLTRXpVgT8WI07IFKvHgsHjoqjY
KlJ5R2ECgYEA5QPJxnllBheYWNJU8vRsDMB1uZDUSdOHD24NBQh4zGSDW5fG82/c
aubKh8qaW48xSW2o++hJQeAXejnbHPIbGLwrOA+kKJXgFFJHrrzIeRF2/aUKpsFh
4YQABBK2cGK5x6AyG3p1hHmCNk/831dIrnd5U6DQYJ4LRRxI49ly+9ECgYEA3b6R
w4MDpUQQzU+dSggoyJ+/W0Nbb+8raoEjZ6AAqfo4JNQqSYnM2wY6vza6fVKaxNS8
GGoqe8kdfsF6ly8WF1afI8JMfJYtVLMfwsKGaaYmF9ZpmR8lRkQySxi7KQ0TcbdJ
wCiCR6OxIVJ50TE1P24blWwBxgL0mbpKjgLJla8CgYAKv7bEvgXj10+rO5QJIze/
EXl1EDsmi+sW6k9qIQ+qaD1SGzmXS3TI/7QZ04STL5FcpOz9hdWKZf40GmsSXLqw
2oQcyX8m+IHf8kyzAuFV7V/sX8a0NPdnIk7t4gL2G2wk1nwDlifV4+4cpnxz7yDW
L31eU3n0Tvawc7doGlivQQKBgQCjkYqGdONAiof2Wu8EiCZFb4lBMduGIx+cjavn
KaCzwc6eZB7ZZhvFyL+XAzDndwKRhPdG7zFtZDosoV3jnaknCA+V2iJ/mGvR2dvo
14M89YGN/eyhNddSEMYknRaaPnoEXRa692a6n6XulZ8kT68engMc4rIgNVfm+gM6
5BV9IwKBgQDGeMlFf7kwWxNzhcO6bCv/GNkFJLXqg9R7jAElBvaRVlzcS1eciNf3
5llPYju1YPJtOpQw73x0lNy9fA9opeB+QUV62owf7Bb2k8niK80rbqUfWBBgaHSP
QHovzlV6Wx5jkE+yU3rTXzLAmg2Jpcy4dkjEbB/JdbnRiNCjjX+hcw==
-----END RSA PRIVATE KEY-----
3. 生成根证书(用来对后续证书申请进行签名)
查看一下文件内容
[root@localhost private]# cat rootReq.pem
-----BEGIN CERTIFICATE-----
MIIDVzCCAj+gAwIBAgIJAMDqSttv4oGTMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNV
BAYTAkNOMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQg
Q29tcGFueSBMdGQwHhcNMTYwMTE4MTAzNzQxWhcNMTYwMjE3MTAzNzQxWjBCMQsw
CQYDVQQGEwJDTjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZh
dWx0IENvbXBhbnkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
xl7AZiR6n1HW90vkKOmghhRpShiH+Cqtd8MkOa0b6h8er5zN0pAXqO6rUGYVYjIS
EZb7yIna5ecG0rlmZMxNwOWPJiV3q4a28CFkXpvCIRRvGuGtPdZCpIJ8cqerjH0z
VVsiSl+OeMegLshkCjRfN8PgD+uHUFaWZBNwfP1hqeshZvDkxqAzYmbiHZejy6PE
mIr36ByBe9NiItuGJ0TFThcof9rdueQRal9fZO2O08ihTO3nCg4nxgVQh7LhOyxG
/6Mt+iUxasDDUQlbxk2gFoO3EhiCl3NIxXt45OTEtlAXcxa154iLw8nRuGUfTjuy
qf7vmzzluzFwxyp+60PI3wIDAQABo1AwTjAdBgNVHQ4EFgQUfSkeLmCXyxLtPxD0
DdqQrDXj7zcwHwYDVR0jBBgwFoAUfSkeLmCXyxLtPxD0DdqQrDXj7zcwDAYDVR0T
BAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAQEAMsr3noTAgG1HxKan8VhIF63afMlF
f9xsUawY0mo3zXXFdQMTJ9Y/VkAwP8f2hXB+3qngfqXiNPY36ZtxudxeabXCMiCN
3wndIzDOrVHZMutwKpl9gpvOpBzKEcVHA5LezyzLLIc92cXbPzHMAapX7eZbTjlS
3h12E3HB0rZjoDbBrETdwz3FO/JpAXLHABlGMB595YJmhRmJeqSjU7Cyg5dTbryi
abBskrdqrpgJdRmow2Qdlvxt1nrpEkFPtu9Add5jhNCVozyHRzpM9RLETQRmD89+
0ru5l3GmfbYTl/jorpZ449hHriUjLZGobPfcYKLz++ZLTCHgxome0mk4VA==
-----END CERTIFICATE-----
生成个人证书
4. 为nginx生成密钥
查看密钥内容
[root@localhost private]# cat nginx.key
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAwAPKfWtkZxRH77UMCjPiDpt/rrwDjWXVRR3YOLc/KF5zoZux
ZWw9Fm0xbHgfR6H956zVoPc8gwDUmy6e1NqOrPHb4baIbOpXuB2tZrEtIyf0EF1C
2rO8bGyoChy7rTbU2KcDFXfUA/jb1KzSn04KFPmsnarRGSDkcERir9E4geGZa+cM
ctrEXCi9MQw5XtUs7FpiqX2SDFtui62gaht6HvMwxyqm7sGNfL3WYPWMwFylsKNi
mitNlcAOGL/U7usH4PVRcukYH3DCgqd3TklwrdNtnbdhOqjdoBIvTY3IOxUP+9kb
ZufEcCXkBabHw+j04/TlI2S6INC4KFoOadPVqwIDAQABAoIBAHFMS1jB21ZvQxsP
yvDiOErCOg7SZY4zPiowN/sPNTcOtE/xXDUqLsli2LzWDC7qSLVA6DS4bX4nKUv/
sDyMUY9+jm2alNkfVW8QI9bqSGXsFzjorp/5Wf7oBichWSQVrHXB5jHuqK1HU/8j
kovpMk26HL5TolmfbOtJjqmLXDpV6nD+iKCMu7xLat5OBlX7NbkkJDqIeR0d+iRI
9bcvSa/rXlfVJCgqivsnkbq4iUQtdLPFzZQqxNMfDVSU3GPmOVpxOkas3e9EpS+u
4afil2M6XyDfIkN90TWT5OQ1RFESF95NhT6EqhOlVjP0MRgcTLXcH1hSLtV7Zfw7
9IIfacECgYEA9fXlDw/U66qR7VixElJLdnS23ZtTA1m2cWD+64rhg5kZKNy1cD2n
hW0UndxEPpyl2HjPg6xpp13kp95vJlaN4tA05rg3IRO/xtbIIM0InFQfMc+tHMzG
Kw8IzsukrzoDpkqk6orJxuaTtqp2jtMggPxYTl04ce+3X6YC6yi8MDsCgYEAx9o0
FIKlDvVpRWFtJEuC8u7k+9DYluVwp7nJ9HbBGa5R8i5AVQsC8jd/S9xDA55ksW6S
mcnVWB1gmzsbulWQElpB8P/J1Ug8MB0hA4y7G5+xiyHSladp8SF0LtDwwqLIFQt0
EJRyxuSTNf5YX4VGu5K1sp2KtCeoPOfaisrbiVECgYBNJoVkFRY3mfhOF8zrL08m
Z/PYTVlbqq9UnxU3MwgL7GD89UYgX+aFLrMR1T6+2QoYfcSxy8oUSppnoZkB0JKO
+7osSMpaIMS+DS8XQtkZmDV0vWzSpNTgOsYLf8s3f54XckCKpWAneLoKySuJH2aJ
rx3P7uO+sW+2m+88bjmhcwKBgEDquBARf9wkC1XmF7W6cYbH4smJRVF+peFVkCxA
huj4ntW0AGGfeg2DyW2y1nHOeZbI/AXIcex1XnQN9yvHr0zG1LSb4cvN8v8N9zNX
+081yE4RZn4GK3uQClVKuWn/xk5PshvQnJfOl6LqQ3qDqD41oZ+rXOq4FwXxqiN7
UWSBAoGBANCn50iL6zXbXYm7FCmdLpZW5iap2FaZjh/Y2OHnX9Vo7G8D71iSiUXL
mt4lRMNPiySNamNZIxJ4IYLhJz4AnBWdXj53eN2xPix6y/gUImJlrmQWEst0BXX5
05x8RTfo3jAG/8dIbs4X2JMqbbNKuMXWMFytXwT+AcaNB8wDLulH
-----END RSA PRIVATE KEY-----
5.为nginx生成证书申请
Note: 需要注意的是,Common Name一定要输nginx配置的域名,否则提示certificate has an invalid signature
查看证书申请内容
[root@localhost private]# cat nginx.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIChzCCAW8CAQAwQjELMAkGA1UEBhMCQ04xFTATBgNVBAcMDERlZmF1bHQgQ2l0
eTEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAMADyn1rZGcUR++1DAoz4g6bf668A41l1UUd2Di3Pyhe
c6GbsWVsPRZtMWx4H0eh/ees1aD3PIMA1JsuntTajqzx2+G2iGzqV7gdrWaxLSMn
9BBdQtqzvGxsqAocu6021NinAxV31AP429Ss0p9OChT5rJ2q0Rkg5HBEYq/ROIHh
mWvnDHLaxFwovTEMOV7VLOxaYql9kgxbboutoGobeh7zMMcqpu7BjXy91mD1jMBc
pbCjYporTZXADhi/1O7rB+D1UXLpGB9wwoKnd05JcK3TbZ23YTqo3aASL02NyDsV
D/vZG2bnxHAl5AWmx8Po9OP05SNkuiDQuChaDmnT1asCAwEAAaAAMA0GCSqGSIb3
DQEBBQUAA4IBAQArQkrG8dkcnvj6EjK9WyUhisorHkcqqHv5S5P7uh9DxCgkOn1Z
0nBa0Nvsuz65PVLZdmrXPZCVbevZAO89dSFbMUnOIcUurVtlM5PAxdR0xNPa3k8d
WJu5gXA16JB9jzP+xmjvae4cA2eutoz4LH7tIoWnnLSmeZgWbJqw2yCNzj0ub2l8
9zGUXzn+71zk9y1pjRUDiqWzwno4fIwwVKotgqdhyublCodEdCYlnmFYIFxOJ6MB
36YG3KGG1QYaOO4R8F9DXEgX9azylk30kbbwjf+aU8Gz5Yfny2N9Y54P6Se9jniT
xfhLt4ZI/c20V/SG54T4FkgnWButVcUjS117
-----END CERTIFICATE REQUEST-----
6. 利用CA对证书申请进行签名
查看签名后的证书内容
[root@localhost private]# cat nginx.crt
-----BEGIN CERTIFICATE-----
MIIDADCCAegCCQDRRs1iBszBqDANBgkqhkiG9w0BAQUFADBCMQswCQYDVQQGEwJD
TjEVMBMGA1UEBwwMRGVmYXVsdCBDaXR5MRwwGgYDVQQKDBNEZWZhdWx0IENvbXBh
bnkgTHRkMB4XDTE2MDExOTAyNTAyNloXDTE2MDIxODAyNTAyNlowQjELMAkGA1UE
BhMCQ04xFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwTRGVmYXVsdCBD
b21wYW55IEx0ZDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMADyn1r
ZGcUR++1DAoz4g6bf668A41l1UUd2Di3Pyhec6GbsWVsPRZtMWx4H0eh/ees1aD3
PIMA1JsuntTajqzx2+G2iGzqV7gdrWaxLSMn9BBdQtqzvGxsqAocu6021NinAxV3
1AP429Ss0p9OChT5rJ2q0Rkg5HBEYq/ROIHhmWvnDHLaxFwovTEMOV7VLOxaYql9
kgxbboutoGobeh7zMMcqpu7BjXy91mD1jMBcpbCjYporTZXADhi/1O7rB+D1UXLp
GB9wwoKnd05JcK3TbZ23YTqo3aASL02NyDsVD/vZG2bnxHAl5AWmx8Po9OP05SNk
uiDQuChaDmnT1asCAwEAATANBgkqhkiG9w0BAQUFAAOCAQEAZbHdnO27DIaAWpuJ
b2bQeMSPW/CBeRf3b9JUz3Rq2loEse8ENSfxAwMGlJ1PGv7IucEZNnOxoMcsjuhN
4IoE1YkSEEC1J4dKxOwuiYqoQi93skKSGGHQWKTqjqUa2cELtK6iIoIHxPbwbQ6G
e/KJsDYN5FukkA73402QkfbmBR8sOMCxNWgWiscmrXP5/gj7R86ef5d0VvNxlim8
dFnPqpXlpsPhmd7kgY7tJIG4BYOaNzgVHvQeDlAlBDqRaPf5dxPw85NFE4E2gIDC
YhiYsrRhaguat0AWtB0N/LTqHKgQkjbm7fo9ttPH2p1BOUXiWxzvEOQRCKSizEYG
b7T8JA==
-----END CERTIFICATE-----
7.将SSL证书拷贝到Nginx某个配置目录,并配置nginx
演示中将nginx.crt和nginx.key拷贝到/home/paas/nginx/config目录下
配置nginx.conf
配置nginx的ssl参数(本例中是在/home/paas/nginx/config/exampleSSL.conf)
重启nginx,在CentOS中打开浏览器,访问https://www.gworg.com ,就能看到熟悉的nginx welcome页面了。
8. 配置在windows中访问
a) 修改hosts文件,将<CentOS IP>和ssl.hemeicloud.com加入
b) 将443端口加入防火墙过滤器中
/sbin/iptables -I INPUT -p tcp --dport 443 -j ACCEPT 加tcp 80端口加入防火墙中,允许外部访问tcp 80端口
/etc/init.d/iptables save 保存防火墙设置
/etc/init.d/iptables restart 重启防火墙
在chrome浏览器,提示不是私密连接