1. 安装openssl
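# Install OpenSSL on a Debian/Ubuntu host (run as root or via sudo).
# apt-get is the stable command-line interface for scripts; plain `apt`
# prints a warning when used non-interactively. -y avoids the prompt.
apt-get update
apt-get install -y openssl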
2. 生成证书
1. CA证书
- 创建私钥
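# CA private key. The original used 1024-bit RSA, which is below the minimum
# accepted by current OpenSSL security levels and by browsers; 4096 bits is
# appropriate for a CA key that is reused for years. Keep this key off the
# web server: whoever holds it can mint certificates every client trusts.
openssl genrsa -out ca-key.pem 4096
# Recent OpenSSL already creates the key file 0600; make it explicit anyway.
chmod 600 ca-key.pem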
- 创建 CSR（证书签名请求）
# Certificate signing request for the CA itself. The subject is passed with
# -subj so the command runs non-interactively.
openssl req -new \
  -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=CA" \
  -key ca-key.pem \
  -out ca-req.csr
- 用 CA 私钥自签名生成 CA 证书（crt）
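# Self-sign the CA certificate with the CA key (-signkey is correct here: the
# CA signs itself). Mark it explicitly as a CA via basicConstraints/keyUsage:
# without extensions the result is an X.509 v1 certificate that stricter
# verifiers may refuse to treat as a CA. -sha256 avoids a SHA-1 signature on
# older OpenSSL builds. The <(...) process substitution requires bash.
openssl x509 -req -sha256 -days 3650 \
  -in ca-req.csr -signkey ca-key.pem \
  -extfile <(printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n') \
  -out ca-cert.pem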
2. 服务器端证书
- 创建服务器端私钥
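# Server private key. 2048-bit RSA is the current minimum; 1024-bit keys are
# rejected by modern clients and OpenSSL's default security level. The file
# must stay readable only by root (nginx's master process reads it as root).
openssl genrsa -out server-key.pem 2048
chmod 600 server-key.pem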
- 创建服务器端 CSR（证书签名请求，不是证书）
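# Server CSR. Browsers no longer match the host name against CN; they require
# a subjectAltName, so request it here as well (-addext needs OpenSSL >= 1.1.1).
# Note: `openssl x509 -req` does not copy CSR extensions into the certificate
# by default, so the signing step has to supply the SAN too.
openssl req -new \
  -key server-key.pem \
  -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=*.fish-test.com" \
  -addext "subjectAltName=DNS:*.fish-test.com,DNS:fish-test.com" \
  -out server-req.csr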
- 由 CA 签发服务器端证书（crt）
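# Sign the server CSR with the CA. The original also passed
# `-signkey server-key.pem`; -signkey means "self-sign with this key", and
# OpenSSL 1.x takes the -signkey path when both it and -CA are given (3.x
# handles the clash differently), so the CA key was not used and the
# certificate did not chain to ca-cert.pem. It is dropped here.
# The extension file adds the SAN browsers require plus leaf-certificate
# constraints. Validity is cut to one year: some clients (e.g. Apple
# platforms) reject TLS server certificates valid for more than 825 days.
openssl x509 -req -sha256 -days 365 \
  -in server-req.csr \
  -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -extfile <(printf 'subjectAltName=DNS:*.fish-test.com,DNS:fish-test.com\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n') \
  -out server-cert.pem
# Confirm the certificate actually chains to the CA before deploying it.
openssl verify -CAfile ca-cert.pem server-cert.pem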
3. 客户端证书
- 创建客户端私钥
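# Client private key. 2048-bit RSA is the current minimum; 1024-bit keys are
# rejected by modern TLS stacks. Restrict the file to its owner.
openssl genrsa -out client-key.pem 2048
chmod 600 client-key.pem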
- 创建客户端 CSR（证书签名请求）
# Client CSR for mutual-TLS use. CN identifies the client ("dong"); the
# subject is given with -subj so no interactive prompts appear.
openssl req -new \
  -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=dong" \
  -key client-key.pem \
  -out client-req.csr
- 由 CA 签发客户端证书（crt）
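# Sign the client CSR with the CA. As with the server certificate, the
# original's `-signkey client-key.pem` made OpenSSL 1.x self-sign the
# certificate and ignore the CA, so it is removed. The extensions mark this
# as a non-CA certificate usable only for client authentication.
openssl x509 -req -sha256 -days 365 \
  -in client-req.csr \
  -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -extfile <(printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n') \
  -out client-cert.pem
# Confirm the certificate chains to the CA.
openssl verify -CAfile ca-cert.pem client-cert.pem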
3. nginx使用https
我这里用到服务器端证书 server-cert.pem 和对应的私钥 server-key.pem（后者不是证书），放在目录 /opt/nginx/ssl 下。私钥文件应只允许 root 读取（chmod 600）；CA 私钥 ca-key.pem 不要放到 web 服务器上。
全局搜索 443，定位到文件 /etc/nginx/sites-available/default
修改文件
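# These two lines are commented out by default in the distro's default site;
# uncomment them to accept TLS on 443 (IPv4 and IPv6).
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# Add these lines, pointing at the certificate and key generated above.
# The key file must be readable only by root (nginx's master process).
ssl_certificate /opt/nginx/ssl/server-cert.pem;
ssl_certificate_key /opt/nginx/ssl/server-key.pem;
# TLS 1.0/1.1 are deprecated; only allow modern protocol versions.
ssl_protocols TLSv1.2 TLSv1.3;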
这样 nginx 就支持 https 服务了，在需要的 server 块中引用证书即可（修改后先执行 nginx -t 检查配置，再 nginx -s reload 重新加载）。原来的 http 配置文件如下：
# Original plain-HTTP server: serves the built front-end from /opt/item/dist
# on port 20006.
server {
    listen 20006;
    server_name _;

    location / {
        root  /opt/item/dist;
        index index.html;
        # Unknown paths are answered with index.html (the response status
        # stays 404, as in the original configuration).
        error_page 404 /index.html;
    }
}
修改为 https，配置文件如下：
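# HTTPS-enabled server: keeps plain HTTP on 20006 and adds TLS on 443.
server {
    listen 20006;
    # TLS is enabled per listener with the `ssl` parameter. The original also
    # had the legacy `ssl on;` directive, which forces TLS on every listener
    # in this block (so the plain 20006 port stops serving HTTP) and was
    # removed in nginx 1.25.1; it is dropped here.
    listen 443 ssl;

    # Leaf certificate and its private key (key file: root-only, mode 600).
    ssl_certificate     /opt/nginx/ssl/server-cert.pem;
    ssl_certificate_key /opt/nginx/ssl/server-key.pem;
    # TLS 1.0/1.1 are deprecated; only allow modern protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    server_name _;

    location / {
        root  /opt/item/dist;
        index index.html;
        # Unknown paths are answered with index.html (status stays 404).
        error_page 404 /index.html;
    }
}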