Configuring Nginx HTTPS with self-signed certificates

1. Generate Root certificate key

#] OpenSSL genrsa-des3-out ca.key 2048

2. Self-signed certificate

#] OpenSSL req-new-x509-days 7305-key ca.key-out ca.crt

Parameter description:

Req: Generate certificate Signing request

-news: New Request

-key/path/to/keyfile: Specifying a private key file

-out/path/to/somefile:

-x509: Generate self-signed certificate

-days N: Active days

3. Prepare the necessary documents:

#] Touch/etc/pki/ca/{index.txt,serial}

#] Echo >/etc/pki/ca/serial

4. Make the website certificate and sign it with this CA, assuming the website domain name is web1

To generate a certificate key:

#] OpenSSL genrsa-des3-out WEB1.PEM 1024

Make the decrypted WEB1 certificate private key:

#] OpenSSL rsa-in web1.pem-out web1.key

Generate a signature request, fill in the site domain name in common name, such as Web1 to generate the site's certificate, but also can use a generic domain name such as *.web1 to generate all the two-level domain name available site Certificate:

#] OpenSSL req-new-key web1.pem-out WEB1.CSR

To sign with a CA:

#] OpenSSL ca-policy policy_anything-days 365-cert ca.crt-keyfile ca.key-in web1.csr-out web1.crt

Where the policy parameter allows signed CAs and web site certificates to have different countries, place names and other information, the days parameter is the signature time limit.

Finally, paste the contents of the CA.CRT into the back of WEB1.CRT. This is more important! Because you do not do this, there may be some browsers that are not supported.

5. Configure Nginx to support HTTPS

Add the configuration in the nginx.conf configuration file server configuration:

Listen 443;

SSL on;

SSL_CERTIFICATE/PATH/TO/WEB1.CRT;

Ssl_certificate_key/path/to/web1.key;

Where the path is the path of the Web site certificate that was just generated.

Then use the command to detect the configuration and reload Nginx:

Detection configuration:

Nginx-t

Reload:

Nginx-s Reload

6. Optimized Nginx Configuration

In http{}, add:

Ssl_session_cache shared:ssl:10m;

Ssl_session_timeout 10m;

According to the official documentation, 1m in the cache can hold 4,000 sessions.

In the virtual host server{} that is configured for HTTPS, add:

Keepalive_timeout 70;

7. The client browser imports the root certificate and the Web site certificate

Open the Certificate management tool: Run the certmgr.msc command (you can also import the certificate in the browser)

650) this.width=650; "src=" Http://s2.51cto.com/wyfs02/M00/85/A2/wKioL1eqxVaA8VuYAAEdyHV8GuI091.png "title=" 7f2 " Athai () qna[}6jlukqf.png "alt=" Wkiol1eqxvaa8vuyaaedyhv8gui091.png "/>

Import the root certificate ca.crt to a trusted root certification authority, and the Web site certificate web1.crt into a personal formal.

Then enter Https://domain in the browser, a green lock appears to the left of the address bar, such as: 650) this.width=650; "Src=" http://s1.51cto.com/wyfs02/M00/85/A2/ Wkiol1eqxjjivfi-aaefsemihmm158.png "title=" jad~13nijbqm7fu70t) c}5q.png "alt=" Wkiol1eqxjjivfi-aaefsemihmm158.png " />

This article is from the "JC" blog, be sure to keep this source http://jackeychen.blog.51cto.com/7354471/1836535

Configuring Nginx HTTPS with self-signed certificates