First, prepare the certificate.
The steps are the same as those for making a self-signed server HTTPS certificate with OpenSSL; they are repeated here for completeness.
1. Make the CA certificate:
ca.key, the CA private key (protected by a passphrase, hence -des3):
openssl genrsa -des3 -out ca.key 2048
Make a decrypted copy of the CA private key (generally not necessary; if you do, keep the file readable only by root, because anyone holding it can issue certificates your browsers will trust):
openssl rsa -in ca.key -out ca_decrypted.key
ca.crt, the self-signed CA root certificate (public key), valid for 7305 days (20 years):
openssl req -new -x509 -days 7305 -key ca.key -out ca.crt
2. Make the website certificate and sign it with the CA
Here, suppose the site domain name is blog.creke.net.
Generate the blog.creke.net certificate private key (use 2048 bits; 1024-bit RSA keys are rejected by current browsers):
openssl genrsa -des3 -out blog.creke.net.pem 2048
Make the decrypted blog.creke.net private key (this is the one nginx loads; with the encrypted key nginx would prompt for the passphrase on every start):
openssl rsa -in blog.creke.net.pem -out blog.creke.net.key
Generate a signing request:
openssl req -new -key blog.creke.net.pem -out blog.creke.net.csr
Fill in the site's domain name as the Common Name: blog.creke.net produces a certificate for that one site, while a wildcard such as *.creke.net produces one that covers every second-level name under creke.net (one label only: it matches blog.creke.net but neither creke.net itself nor a.b.creke.net). Note that current browsers ignore the Common Name and match the host name against the subjectAltName extension, so the certificate should also carry a subjectAltName of DNS:blog.creke.net (added either in the request or by the CA when it signs).
Sign with the CA:
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in blog.creke.net.csr -out blog.creke.net.crt
The -policy policy_anything parameter allows the CA certificate and the website certificate to differ in country, locality and the other name fields; -days is the validity period of the signed certificate (1460 days, 4 years).
If the signing command fails with "I am unable to access the .../newcerts directory", openssl ca cannot find its database directory. Set the dir entry in /etc/pki/tls/openssl.cnf (in the [ CA_default ] section) to "dir = ./ca", and then create the database files in the current directory:
mkdir -p ca/newcerts
touch ca/index.txt
echo "01" > ca/serial
Then re-execute the signing command.
Finally, append the contents of ca.crt to the end of blog.creke.net.crt, so that the file holds the site certificate first and the CA certificate after it. This matters: nginx has no separate directive for the chain, so the issuing certificate has to be in this file, and without it some browsers cannot build the chain and reject the site.
The website private key blog.creke.net.key and the website certificate blog.creke.net.crt that HTTPS needs are now ready. Next, configure the server side.
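The whole certificate procedure above as one non-interactive script, added here as an example and not code from the original post. It builds the CA, issues the site certificate with a subjectAltName, bundles it the way nginx expects, and runs the checks a practitioner does before deploying (chain verifies against the CA, the SAN carries the site name, the private key belongs to the certificate). Assumptions: a scratch working directory, the CA subject "creke test CA", the script file name in the usage line, and unencrypted private keys (the post protects them with -des3; here the files are restricted to mode 600 instead so the script can run unattended).

```shell
#!/bin/sh
# Added example (not from the original post): private CA + site certificate
# for nginx, driven by a local openssl.cnf so the system file is left alone.
set -eu

# Build a private CA, then issue and bundle a server certificate for $domain.
make_ca_and_cert() {
    work="$1"                       # working directory, created by the caller
    domain="$2"                     # site name, e.g. blog.creke.net

    # The database `openssl ca` needs (the post creates the same files under
    # ./ca after pointing dir in the system openssl.cnf at that directory).
    mkdir -p "$work/ca/newcerts"
    : > "$work/ca/index.txt"
    echo 01 > "$work/ca/serial"

    # Minimal self-contained openssl.cnf; \$dir is left for openssl to expand.
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca = local_ca

[ local_ca ]
dir           = $work/ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
default_md    = sha256
policy        = policy_anything

# Same meaning as -policy policy_anything in the post: only the CN is required.
[ policy_anything ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash

# Browsers match the host name against the SAN, not the CN.
[ v3_server ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
subjectAltName         = DNS:$domain, DNS:www.$domain
EOF

    # 1. CA private key and self-signed root certificate (20 years, as in the post).
    openssl genrsa -out "$work/ca.key" 2048 2>/dev/null
    chmod 600 "$work/ca.key"
    openssl req -new -x509 -days 7305 -key "$work/ca.key" \
        -subj "/CN=creke test CA" -config "$work/openssl.cnf" \
        -extensions v3_ca -out "$work/ca.crt"

    # 2. Site private key (2048 bits, not 1024) and signing request.
    openssl genrsa -out "$work/$domain.key" 2048 2>/dev/null
    chmod 600 "$work/$domain.key"
    openssl req -new -key "$work/$domain.key" -subj "/CN=$domain" \
        -config "$work/openssl.cnf" -out "$work/$domain.csr"

    # 3. Sign with the CA: -batch skips the y/n prompts, -notext drops the
    #    human-readable dump so the file holds only the PEM certificate.
    openssl ca -batch -notext -config "$work/openssl.cnf" -days 1460 \
        -cert "$work/ca.crt" -keyfile "$work/ca.key" -extensions v3_server \
        -in "$work/$domain.csr" -out "$work/$domain.crt" 2>/dev/null

    # 4. The file nginx's ssl_certificate points at: site cert first, CA after.
    cat "$work/$domain.crt" "$work/ca.crt" > "$work/$domain.bundle.crt"
}

# Pre-deployment checks: chain verifies, SAN carries the site name, key matches cert.
verify_chain() {
    work="$1"
    domain="$2"
    openssl verify -CAfile "$work/ca.crt" "$work/$domain.crt" >/dev/null 2>&1 || return 1
    openssl x509 -in "$work/$domain.crt" -noout -text | grep -q "DNS:$domain" || return 1
    cert_pub=$(openssl x509 -in "$work/$domain.crt" -noout -pubkey)
    key_pub=$(openssl pkey -in "$work/$domain.key" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# Usage (file name assumed): sh make_site_cert.sh /path/to/workdir blog.creke.net
if [ $# -ge 2 ]; then
    mkdir -p "$1"
    make_ca_and_cert "$1" "$2"
    verify_chain "$1" "$2" && echo "chain OK: $1/$2.bundle.crt and $1/$2.key are ready for nginx"
fi
```

Point ssl_certificate at the .bundle.crt file and ssl_certificate_key at the .key file. The CA key written here is unencrypted and sits next to the site files only for the sake of a self-contained run; for real use move ca.key offline after signing.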
Second, configure Nginx
Open a new virtual host and set the following in its server{} block:
listen 443 ssl;
ssl_certificate /path/to/blog.creke.net.crt;
ssl_certificate_key /path/to/blog.creke.net.key;
where the paths point to the website certificate (with the CA certificate appended) and the decrypted private key just generated. The older form "listen 443;" plus "ssl on;" does the same thing but has been deprecated since nginx 1.15.0 in favour of the ssl parameter on listen.
Then check the configuration and reload Nginx:
Check the configuration:
nginx -t
Reload:
nginx -s reload
Third, optimize the Nginx configuration
1. Optimize Nginx performance
In http{}, add:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
According to the official documentation, 1 MB of the shared cache holds about 4,000 sessions, so 10m caches roughly 40,000; resumed sessions skip the full TLS handshake.
In the server{} block of the HTTPS virtual host, add:
keepalive_timeout 70;
2. Sometimes programs such as phpMyAdmin redirect to plain HTTP after login, because PHP behind FastCGI does not know the request arrived over TLS. The fix is to find the location ~ .*\.(php|php5)$ { } block and, after the include fcgi.conf line (or after the other fastcgi_param directives), add:
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
Put these only in the HTTPS virtual host: in an include shared with an HTTP virtual host they would tell PHP that every request is HTTPS.
The official Nginx documentation on configuring HTTPS servers can be used as a further reference.
Http://blog.creke.net/762.html
Configuring HTTPS and self-signed certificates for Nginx