CentOS 7 + nginx: issuing and configuring an SSL service through a Windows CA

Source: Internet
Author: User
Tags: nginx, server


Linux is essential knowledge for an operations engineer, and a web service exposed on the Internet is an easy target for attack, so configuring SSL for the web service is a minimum security requirement that raises the bar considerably. Today we cover issuing and configuring an SSL certificate for nginx on CentOS 7 through a Windows CA. In a production environment you would normally apply to a third-party certification authority such as WoSign; here we use the internal Windows CA service to issue a certificate for nginx. You could also use an nginx self-signed certificate, but then every visit shows a certificate warning. The details follow below.

Environment:

Hostname: DC.IXMSOFT.COM
IP: 192.168.5.10
Role: DC, DNS, CA
OS: Windows Server 2016

Hostname: d-s.ixmsoft.com
IP: 192.168.5.20
Role: nginx service
OS: CentOS 7.1

After preparing the operating system, apply the following basic configuration:

1. hostnamectl set-hostname D-S

2. vim /etc/selinux/config ---> SELINUX=disabled

3. Add a firewall rule: firewall-cmd --zone=public --add-port=80/tcp --permanent

Next, install the nginx repository package:

yum install http://nginx.org/packages/centos/7/noarch/RPMS/nginx-release-centos-7-0.el7.ngx.noarch.rpm

Then install nginx itself:

yum install nginx

We also edit the default page for nginx, mainly so that this server can be told apart from others:

vim /usr/share/nginx/html/index.html

Then start the nginx service:

systemctl start nginx

Next, generate the private key:

cd /etc/pki/tls
openssl genrsa -out server.key 2048

server.key is the private key.

Generate a certificate signing request (CSR) from the private key server.key:

openssl req -new -key server.key -out server.csr

server.csr is the certificate request file. The fields asked for are:

Common Name: the domain name (a certificate is not necessarily for a domain name, but here it is): nginx.ixmsoft.com
Organization: the organization or company name, e.g. Ixmsoft
Department (Organizational Unit): may be left empty
City (Locality): Beijing
State/Province: Beijing
Country: CN
Key strength: 2048-bit (the size given to genrsa above); if your machine is powerful enough you can also choose 4096-bit
For a wildcard certificate, fill in *.ixmsoft.com as the Common Name

We open the CSR file we just generated; its contents are what will be pasted into the CA's web page.
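The key and CSR generation above is interactive. The following is an added example (mine, not from the original post) that produces the same server.key and server.csr non-interactively with the subject values from the post, and additionally puts the host name into a Subject Alternative Name, which current browsers require alongside the Common Name; after issuance, verify that the certificate the CA returns still carries the SAN. Assumed: openssl is installed and the output directory and host name are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a private key and a
# CSR with a SAN extension for the host name given on the command line.
# Assumption: openssl is on PATH; the output directory is writable.
set -eu

# gen_key_and_csr DIR FQDN
# Writes DIR/server.key (2048-bit RSA, mode 0600), DIR/san.cnf and DIR/server.csr.
gen_key_and_csr() {
    dir=$1
    fqdn=$2
    mkdir -p "$dir"
    # The private key is created on the web server and never sent to the CA;
    # only the CSR leaves this host.
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    chmod 600 "$dir/server.key"
    # Subject fields as in the post (CN, O, L, ST, C); prompt = no makes
    # openssl read them from this file instead of asking interactively.
    # req_ext adds the SAN, which the interactive prompts never ask for.
    cat > "$dir/san.cnf" <<EOF
[req]
distinguished_name = dn
req_extensions = req_ext
prompt = no

[dn]
CN = $fqdn
O = Ixmsoft
L = Beijing
ST = Beijing
C = CN

[req_ext]
subjectAltName = DNS:$fqdn
EOF
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" -config "$dir/san.cnf"
}

# csr_has_san DIR FQDN -> exit 0 if the CSR lists DNS:FQDN in its SAN extension
csr_has_san() {
    openssl req -in "$1/server.csr" -noout -text | grep -q "DNS:$2"
}

# csr_verify DIR -> exit 0 if the CSR's self-signature verifies, i.e. the
# request really was signed with the key next to it
csr_verify() {
    openssl req -in "$1/server.csr" -noout -verify >/dev/null 2>&1
}

# Usage: gen_key_and_csr /etc/pki/tls nginx.ixmsoft.com
#        csr_verify /etc/pki/tls && csr_has_san /etc/pki/tls nginx.ixmsoft.com
```

Run gen_key_and_csr against /etc/pki/tls to reproduce the post's layout, then paste server.csr into the CA web page as described next. For a wildcard request, pass *.ixmsoft.com as the host name; it lands in both the CN and the SAN.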

At this point we have a CSR file, which we use to request a certificate from the internal Windows CA server.

Choose "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file".

Paste the contents of the CSR file, select the Web Server certificate template and submit.

Be sure to download the certificate in Base 64 encoded form, not DER; otherwise nginx returns an error at startup when it loads the certificate.

Download the certificate to complete the request.

We upload the certificate to the nginx server at 192.168.5.20.

We copy the certificate into the PKI directory:

cp certnew.cer /etc/pki/tls
ls

To keep the certificate files together, we create an ssl directory under the nginx directory dedicated to storing them:

cd /etc/nginx
mkdir ssl

Then we copy the three files we just made into this directory:

cp /etc/pki/tls/server.key /etc/pki/tls/server.csr /etc/pki/tls/certnew.cer /etc/nginx/ssl/

We rename the issued certificate and change its extension so that the files are easier to read (run in /etc/nginx/ssl):

mv certnew.cer web.pem
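Two things go wrong most often at this step: the certificate was downloaded as DER instead of Base 64 (the startup error mentioned above), or the certificate does not belong to the key in /etc/nginx/ssl. The following is an added example (mine, not from the original post) that checks both before nginx is pointed at the files. Assumed: openssl is installed and the file paths are passed as arguments.

```shell
#!/bin/sh
# Added example, not from the original post. Normalises a certificate
# downloaded from the Windows CA to PEM and checks it against the private key.
# Assumption: openssl is on PATH.
set -eu

# cert_format FILE -> prints "pem", "der" or "unknown"
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem          # "Base 64 encoded" download from the CA web page
    elif openssl x509 -inform DER -in "$1" -noout >/dev/null 2>&1; then
        echo der          # "DER encoded" download; nginx cannot load this
    else
        echo unknown
    fi
}

# ensure_pem IN OUT -> writes a PEM copy of IN to OUT whatever IN's encoding
ensure_pem() {
    case $(cert_format "$1") in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)   echo "not a certificate: $1" >&2; return 1 ;;
    esac
}

# cert_matches_key CERT KEY -> exit 0 if the certificate's public key is the
# public half of KEY. Compares the SubjectPublicKeyInfo of both, hashed.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout | openssl sha256)
    [ "$c" = "$k" ]
}

# Usage, matching the post's paths:
#   ensure_pem /etc/nginx/ssl/certnew.cer /etc/nginx/ssl/web.pem
#   cert_matches_key /etc/nginx/ssl/web.pem /etc/nginx/ssl/server.key
```

If cert_matches_key fails, the CA issued a certificate for a different request (for example an older CSR); re-submit server.csr rather than editing the configuration. ensure_pem replaces the post's bare mv certnew.cer web.pem when the download format is uncertain.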

Before we configure SSL, we first access the site over the default port 80.

Next we configure SSL. The default configuration file is:

vim /etc/nginx/conf.d/default.conf

We no longer serve port 80 through default.conf, so we rename it: mv default.conf default.conf.bak

We create a new configuration file under /etc/nginx/conf.d/:

vim nginx-ssl.conf

server {
    listen 443;
    server_name nginx.ixmsoft.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/web.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    access_log logs/ssl_access.log;
    location / {
        root /usr/share/nginx/html;
    }
}

To make sure the configuration file has no problems, we test it with the following command:

nginx -t

Check the listening ports.

Next we try to access the site: port 443 is reachable and the certificate loads correctly.

If you want port 80 to redirect to 443, modify the nginx-ssl.conf file created above so that it contains:

server {
    listen 80;
    server_name nginx.ixmsoft.com;
    rewrite ^(.*) https://$server_name$1 permanent;
}

server {
    listen 443;
    server_name nginx.ixmsoft.com;
    ssl on;
    ssl_certificate /etc/nginx/ssl/web.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key;
    access_log logs/ssl_access.log;
    location / {
        root /usr/share/nginx/html;
    }
}

After restarting nginx, access over port 80 automatically jumps to HTTPS on port 443.
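The server blocks above use "ssl on", which nginx deprecated in 1.15.0 and no longer accepts in recent releases, a regex rewrite for the redirect, and nginx's default TLS protocol list. As an added example (mine, not from the original post), the first function below writes the equivalent configuration with current directives and explicit TLS settings; the second flags the older settings in an existing file so a config can be audited before "nginx -t". Assumed: the certificate and key paths from the post, and /var/log/nginx as the log directory (relative log paths such as the post's logs/ are resolved against nginx's compiled-in prefix).

```shell
#!/bin/sh
# Added example, not from the original post. Writes an HTTPS server block for
# the Windows-CA-issued certificate and audits a config for older settings.
# Assumptions: cert and key in /etc/nginx/ssl as in the post; /var/log/nginx exists.
set -eu

# write_ssl_vhost OUTFILE SERVER_NAME -> writes the two server blocks to OUTFILE
write_ssl_vhost() {
    cat > "$1" <<EOF
server {
    listen 80;
    server_name $2;
    # Same effect as the post's rewrite ... permanent, without a regex match.
    return 301 https://\$server_name\$request_uri;
}

server {
    listen 443 ssl;                 # replaces the deprecated "ssl on;"
    server_name $2;

    ssl_certificate     /etc/nginx/ssl/web.pem;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # Explicit protocol list; older nginx defaults also allow TLSv1 and TLSv1.1.
    # TLSv1.3 is accepted and silently ignored on CentOS 7's OpenSSL 1.0.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    access_log /var/log/nginx/ssl_access.log;

    location / {
        root /usr/share/nginx/html;
    }
}
EOF
}

# audit_ssl_conf FILE -> prints one line per finding; returns 1 if any were found
audit_ssl_conf() {
    findings=0
    if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$1"; then
        echo "deprecated 'ssl on;' (use 'listen 443 ssl;')"; findings=1
    fi
    if ! grep -Eq '^[[:space:]]*ssl_protocols' "$1"; then
        echo "no ssl_protocols directive (protocol list left to nginx's default)"; findings=1
    fi
    if grep -Eq '^[[:space:]]*rewrite[[:space:]].*https://' "$1"; then
        echo "rewrite used for the HTTPS jump; 'return 301' is simpler"; findings=1
    fi
    return $findings
}

# Usage: write_ssl_vhost /etc/nginx/conf.d/nginx-ssl.conf nginx.ixmsoft.com
#        audit_ssl_conf /etc/nginx/conf.d/nginx-ssl.conf && nginx -t
```

After writing the file, run nginx -t and reload nginx. Note also that the firewall rule at the start of the post opens only 80/tcp: 443/tcp needs the same firewall-cmd --zone=public --add-port=443/tcp --permanent, followed by firewall-cmd --reload, before the HTTPS port is reachable from other hosts.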

This article is from the "Gao Wenrong" blog; reprinting is declined!
