Configuring a self-signed SSL certificate for Nginx

Source: Internet
Author: User
Tags: install, openssl, valid ssl certificate

Original address: http://www.liaoxuefeng.com/article/0014189023237367e8d42829de24b6eaf893ca47df4fb5e000


HTTPS is almost the only option to secure a Web browser-to-server connection. HTTPS is actually HTTP over SSL, which means that HTTP connections are built on top of SSL secure connections.

SSL uses certificates to create a secure connection. There are two modes of authentication:

Only the client authenticates the server's certificate, and the client does not provide the certificate itself;

Both the client and the server authenticate each other's certificates.

The second mode is obviously more secure and is typically used by online banking, but ordinary Web sites can only use the first mode.

How does the client validate the server's certificate? The server's own certificate must be signed by an "authoritative" certificate, and that "authoritative" certificate may in turn be signed by an even more authoritative certificate, until the top-level, most authoritative certificate is reached: the root certificate. Root certificates are built directly into the browser, so the browser can use its own root certificates to verify whether a server's certificate is valid.

If you want to provide a valid certificate, the server's certificate must be signed by a certificate authority such as VeriSign so that the browser's verification passes; otherwise the browser shows a warning that the certificate is invalid.

Having a certificate signed costs from tens to hundreds a year, so if the site is only used for administration, you can create a self-signed certificate to ensure that the administrator connects to the server securely through the browser.

Here's a quick introduction to creating a self-signed SSL certificate.

To create a self-signed certificate you need OpenSSL installed; the steps are:

Create key;

Create a signature request;

Remove the password from key;

Sign the certificate with key.

For a certificate intended for HTTPS, note that the CN (Common Name) of the signing request must exactly match the domain name, otherwise the browser cannot verify it.
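The four steps above written out as plain openssl commands, as an added example (this is not the author's gencert.sh). It assumes openssl is on PATH and writes the files to the current directory; the subject values are constructed, the key is 2048 bits rather than the 1024 used on this page, and a subjectAltName is added because modern browsers ignore the CN when checking the host name.

```shell
#!/bin/sh
# Added example, not the page's gencert.sh. Assumes openssl on PATH.
# Produces DOMAIN.origin.key, DOMAIN.csr, DOMAIN.key and DOMAIN.crt in the cwd.
set -eu

gen_selfsigned() {
    domain="$1"          # e.g. www.test.com; becomes the CN and the SAN
    pass="$2"            # passphrase protecting the password-protected key
    days="${3:-3650}"    # validity of the self-signed certificate

    # 1. Create a password-protected RSA key (the page used 1024 bits).
    openssl genrsa -des3 -passout "pass:$pass" -out "$domain.origin.key" 2048

    # 2. Create the signing request; the CN must equal the domain name.
    openssl req -new -batch -key "$domain.origin.key" -passin "pass:$pass" \
        -subj "/C=US/ST=Mars/L=itranswarp/O=itranswarp/OU=itranswarp/CN=$domain" \
        -out "$domain.csr"

    # 3. Remove the password so Nginx can load the key without prompting.
    openssl rsa -in "$domain.origin.key" -passin "pass:$pass" -out "$domain.key"

    # 4. Self-sign the request with the key. Browsers require a
    #    subjectAltName, so it is supplied through an extension file.
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$domain.ext"
    openssl x509 -req -days "$days" -in "$domain.csr" -signkey "$domain.key" \
        -extfile "$domain.ext" -out "$domain.crt"
    rm -f "$domain.ext"
}

# Print the CN of a certificate (works with both old and new subject formats).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *//p'
}

# Print "yes" if the certificate carries a DNS SAN for the given name.
cert_has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone use: ./selfsigned.sh www.test.com mypassword
gen_selfsigned "${1:-www.test.com}" "${2:-changeit}"
```

The resulting www.test.com.crt and www.test.com.key are the two files that go to the Nginx ssl directory; the .csr and .origin.key stay on the admin machine.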

The commands for the steps above are tedious, so I wrote a shell script that produces the certificate in one go. Download the script from here:

https://github.com/michaelliao/itranswarp.js/blob/master/conf/ssl/gencert.sh

Run the script; assuming your domain name is www.test.com, follow the prompts and enter:

$ ./gencert.sh
Enter your domain [www.example.com]: www.test.com
Create server key...
Generating RSA private key, 1024 bit long modulus
......++++++
...++++++
e is 65537 (0x10001)
Enter pass phrase for www.test.com.key: (enter password)
Verifying - Enter pass phrase for www.test.com.key: (enter password)
Create server certificate signing request...
Enter pass phrase for www.test.com.key: (enter password)
Remove password...
Enter pass phrase for www.test.com.origin.key: (enter password)
writing RSA key
Sign SSL certificate...
Signature ok
subject=/C=US/ST=Mars/L=itranswarp/O=itranswarp/OU=itranswarp/CN=www.test.com
Getting Private key
TODO:
copy www.test.com.crt to /etc/nginx/ssl/www.test.com.crt
copy www.test.com.key to /etc/nginx/ssl/www.test.com.key
Add configuration in nginx:
server {
    ...
    ssl on;
    ssl_certificate     /etc/nginx/ssl/www.test.com.crt;
    ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
}

The password prompts are where you type input (shown in red in the original); note that the same password must be entered all 4 times.

4 files are created in the current directory:

www.test.com.crt: self-signed certificate
www.test.com.csr: certificate signing request
www.test.com.key: key without password
www.test.com.origin.key: key with a password

The Web server needs to send www.test.com.crt to the browser for verification and then use www.test.com.key to decrypt the data sent by the browser; the remaining two files do not need to be uploaded to the Web server.

Taking Nginx as an example, add the following inside the server { ... } block of the configuration (note that on Nginx 1.15 and later "ssl on;" is deprecated in favour of "listen 443 ssl;"):

server {
    ...
    ssl on;
    # certificate sent to the browser
    ssl_certificate     /etc/nginx/ssl/www.test.com.crt;
    # private key without password, so Nginx can start unattended
    ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
}

If all goes well, open the browser and you can access the website via HTTPS. A warning appears on the first visit because our self-signed certificate is not trusted by the browser. Import the certificate into the system through the browser (on Windows import it with IE, on Mac with Safari) and mark it as "trusted"; from then on that computer connects to the Web server securely when visiting the website.

How should the certificate be configured in an application server such as Tomcat or gunicorn? The correct approach is not to configure it there at all: let Nginx handle HTTPS and proxy a plain HTTP connection to the backend application server. This uses Nginx as an HTTPS-to-HTTP security proxy, takes advantage of Nginx's HTTP/HTTPS processing power, and avoids the weakness that application servers are not good at HTTPS.
