1) By default, the SSL module is not installed. To use it, you need to specify the --with-http_ssl_module parameter when compiling nginx.
wget http://nginx.org/download/nginx-1.3.16.tar.gz
tar -xf nginx-1.3.16.tar.gz -C /usr/local/
cd /usr/local/nginx-1.3.16/
./configure --prefix=/usr/local/nginx --user=nginx --group=nginx --with-http_ssl_module --with-http_stub_status_module --with-http_gzip_static_module --with-pcre
make
make install
http://192.168.254.103/test
Change to the directory where you want to create the certificate and private key:
cd /usr/local/nginx/conf
Create the server private key and enter a password:
# openssl genrsa -des3 -out server.key 1024
Enter pass phrase for server.key: 123456
Verifying - Enter pass phrase for server.key: 123456
Create the certificate signing request (CSR):
# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: CN
State or Province Name (full name) []: Beijing
Locality Name (eg, city) [Default City]: Changping
Organization Name (eg, company) [Default Company Ltd]: leay
Organizational Unit Name (eg, section) []: Linux
Common Name (eg, your name or your server's hostname) []: ca.leay.com
Email Address []: [email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: 123456
An optional company name []: leay
Remove the passphrase from the private key so that nginx does not prompt for it when it loads the SSL configuration:
# cp server.key server.key.org
# openssl rsa -in server.key.org -out server.key
Enter pass phrase for server.key.org: 123456
writing RSA key
Finally, sign the CSR using the above private key:
# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=CN/ST=Beijing/L=Changping/O=leay/OU=Linux/CN=ca.leay.com/emailAddress=[email protected]
Getting Private key
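Added example (not part of the original article): the same key, CSR and self-signing steps run without prompts, followed by a check that server.key and server.crt carry the same public key before nginx is reloaded. The function names are made up for illustration, the key is generated at 2048 bits without a passphrase instead of the 1024-bit key above, and www.bill.com is the server_name from the configuration below.

```shell
#!/bin/sh
# Added example, not from the original article. make_selfsigned,
# key_matches_cert and cert_key_bits are hypothetical helper names.

# Key -> CSR -> self-signed certificate, without prompts.
# $1 = output directory, $2 = Common Name (should equal the nginx server_name)
make_selfsigned() {
    # Subshell so the restrictive umask applies only to the key file.
    (umask 077 && openssl genrsa -out "$1/server.key" 2048 2>/dev/null) || return 1
    openssl req -new -key "$1/server.key" -subj "/CN=$2" \
        -out "$1/server.csr" || return 1
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null || return 1
}

# Succeeds only if the private key ($1) and the certificate ($2) carry the
# same public key; nginx fails to load a mismatched pair.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Prints the size in bits of the certificate's public key.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/.*Public[- ]Key: (\([0-9]*\) bit).*/\1/p'
}

# Demo in a throwaway directory (constructed input).
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" www.bill.com &&
    key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt" &&
    echo "key and certificate match, $(cert_key_bits "$demo_dir/server.crt") bit key"
rm -rf "$demo_dir"
```

Pointing the helpers at /usr/local/nginx/conf instead of the temporary directory checks the files that ssl_certificate and ssl_certificate_key refer to.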
Modify the nginx configuration file to include the newly signed certificate and private key.
server {
    listen 80;
    server_name www.bill.com;
    # charset koi8-r;
    # access_log logs/host.access.log main;
    location / {
        root html;
        index index.html index.htm;
    }
}
# HTTPS server
#
server {
    listen 443;
    server_name www.bill.com;
    ssl on;
    ssl_certificate /usr/local/nginx/conf/server.crt;
    ssl_certificate_key /usr/local/nginx/conf/server.key;
    # The commented-out defaults below list SSLv2 and SSLv3, which are obsolete;
    # leave them out if you enable ssl_protocols.
    # ssl_session_timeout 5m;
    # ssl_protocols SSLv2 SSLv3 TLSv1;
    # ssl_ciphers HIGH:!aNULL:!MD5;
    # ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
Restart nginx:
# /usr/local/nginx/sbin/nginx -s reload
When accessing the site from a physical machine, you must add domain name resolution for it in the local hosts file.
http://www.bill.com accesses port 80
https://www.bill.com accesses port 443
This article is from the "Fallen Leaves floating distant" blog; please be sure to keep this source: http://shunzi.blog.51cto.com/8289655/1536055