nginx+ssl
1.install mod_ssl
[root@gyf conf]# mkdir /usr/local/nginx/conf/.ssl
[root@gyf conf]# cd /usr/local/nginx/conf/.ssl
[root@gyf .ssl]# yum list|grep mod_ssl
mod_ssl.x86_64 1:2.2.15-26.el6.centos Packages
[root@s01 .ssl]# yum install mod_ssl.x86_64
#下載 mod_ssl source code，取得 sign.sh
[root@gyf soft]# wget http://www.modssl.org/source/mod_ssl-2.8.31-1.3.41.tar.gz
[root@gyf soft]# tar xvf mod_ssl-2.8.31-1.3.41.tar.gz
[root@gyf soft]# cp /soft/mod_ssl-2.8.31-1.3.41/pkg.contrib/sign.sh /usr/local/nginx/conf/.ssl/
2.建立CA證書
//建立rsa私用密鑰
[root@gyf soft]# cd /usr/local/nginx/conf/.ssl
[root@gyf .ssl]# openssl genrsa -des3 -out ca.key 1024
Generating RSA private key, 1024 bit long modulus
.++++++
............++++++
e is 65537 (0x10001)
Enter pass phrase for ca.key: .... caca
Verifying - Enter pass phrase for ca.key: ....caca
//查看ca.key密鑰內容
[root@gyf .ssl]# openssl rsa -noout -text -in ca.key
Enter pass phrase for ca.key: ....caca
//利用CA的RSA密鑰建立一個自簽署的CA證書
[root@gyf .ssl]# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Enter pass phrase for ca.key:
must type in 4 to 8191 characters
Enter pass phrase for ca.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:ly
Organization Name (eg, company) [Default Company Ltd]:ssr
Organizational Unit Name (eg, section) []:ssr
Common Name (eg, your name or your server's hostname) []:sw
Email Address []:guoyf@ssr.com
3.建立服務器證書簽署請求
//建立一個RSA私用密鑰
[root@gyf .ssl]# openssl genrsa -des3 -out server.key 1024
Generating RSA private key, 1024 bit long modulus
............++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: .....123456
Verifying - Enter pass phrase for server.key: ......123456
[root@s01 .ssl]# ll
total 12
-rw-r--r-- 1 root root 985 3月 5 23:58 ca.crt
-rw-r--r-- 1 root root 951 3月 5 23:54 ca.key
-rw-r--r-- 1 root root 963 3月 6 01:41 server.key
-rwxr-xr-x 1 root root 1784 3月 6 01:21 sign.sh
//利用server.key產生證書簽署請求CSR
[root@gyf .ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: .....123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:hn
Locality Name (eg, city) [Default City]:ly
Organization Name (eg, company) [Default Company Ltd]:ssr
Organizational Unit Name (eg, section) []:ssr
Common Name (eg, your name or your server's hostname) []:sw
Email Address []:guoyf@ssr.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
//簽署證書
[root@gyf .ssl]# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key: .....caca
140559083972424:error:28069065:lib(40):UI_set_result:result too small:ui_lib.c:869:You must type in 4 to 8191 characters
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'cn'
stateOrProvinceName :ASN.1 12:'hn'
localityName :ASN.1 12:'ly'
organizationName :ASN.1 12:'ssr'
organizationalUnitName:ASN.1 12:'ssr'
commonName :ASN.1 12:'ssr'
emailAddress :IA5STRING:'yangry@ssr.com'
Certificate is to be certified until Mar 6 02:09:01 2015 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: OK
[root@gyf .ssl]# ll
total 40
-rw-r--r-- 1 root root 985 3月 5 23:58 ca.crt
drwxr-xr-x 2 root root 4096 3月 6 01:46 ca.db.certs
-rw-r--r-- 1 root root 91 3月 6 01:46 ca.db.index
-rw-r--r-- 1 root root 21 3月 6 01:46 ca.db.index.attr
-rw-r--r-- 1 root root 3 3月 6 01:46 ca.db.serial
-rw-r--r-- 1 root root 951 3月 5 23:54 ca.key
-rw-r--r-- 1 root root 2529 3月 6 01:46 server.crt
-rw-r--r-- 1 root root 660 3月 6 01:44 server.csr
-rw-r--r-- 1 root root 963 3月 6 01:41 server.key
-rwxr-xr-x 1 root root 1784 3月 6 01:21 sign.sh
#移除證書簽署請求
[root@gyf .ssl]# rm -f server.csr
#修改簽好的服務器端證書爲用戶只讀權限（私鑰 server.key 與 ca.key 也應同樣限制讀取權限）
[root@gyf .ssl]# chmod 400 server.crt
4.產生client端的個人證書
[root@gyf .ssl]# openssl pkcs12 -export -in server.crt -inkey server.key -out client.p12 -name "public"
Enter pass phrase for server.key: ......123456
Enter Export Password: ......123
Verifying - Enter Export Password: ......123
[root@gyf .ssl]# ll
total 40
-rw-r--r-- 1 root root 985 3月 5 23:58 ca.crt
drwxr-xr-x 2 root root 4096 3月 6 01:46 ca.db.certs
-rw-r--r-- 1 root root 91 3月 6 01:46 ca.db.index
-rw-r--r-- 1 root root 21 3月 6 01:46 ca.db.index.attr
-rw-r--r-- 1 root root 3 3月 6 01:46 ca.db.serial
-rw-r--r-- 1 root root 951 3月 5 23:54 ca.key
-rw-r--r-- 1 root root 1666 3月 6 01:53 client.p12
-r-------- 1 root root 2529 3月 6 01:46 server.crt
-rw-r--r-- 1 root root 963 3月 6 01:41 server.key
-rwxr-xr-x 1 root root 1784 3月 6 01:21 sign.sh
5.編輯/usr/local/nginx/conf/nginx.conf
[root@gyf .ssl]# vim /usr/local/nginx/conf/nginx.conf
server {
listen 443;
server_name bbs.ssr.com;
charset utf-8;
access_log logs/bbs.access.log main;
root /var/www/bbs;
index index.html;
ssl on;
ssl_certificate /usr/local/nginx/conf/.ssl/server.crt;
ssl_certificate_key /usr/local/nginx/conf/.ssl/server.key;
}
測試配置文件
[root@gyf conf]# /usr/local/nginx/sbin/nginx -t -c /usr/local/nginx/conf/nginx.conf
Enter PEM pass phrase: .....123456
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
[ OK ]
中止nginx
在ubuntu下輸入
[root@gyf conf]# kill -TERM `cat /usr/local/nginx/logs/nginx.pid`
啓動nginx（server.key 以 -des3 加密，每次啓動都需輸入 PEM pass phrase）
[root@gyf conf]# /usr/local/nginx/sbin/nginx -c /usr/local/nginx/conf/nginx.conf
Enter PEM pass phrase:
重啓nginx
[root@gyf conf]# kill -HUP `cat /usr/local/nginx/logs/nginx.pid`
6.測試
https://bbs.ssr.com/
html