0. Environment
Install Nginx and OpenSSL.
1. Configuration and scripting
First create a demo directory (the location is up to you; I chose to create it under the Nginx directory):
mkdir /etc/nginx/ca-demo
cd /etc/nginx/ca-demo
Modify the OpenSSL configuration file openssl.cnf (it may also be named openssl.conf; if you do not know where it is, locate it with find / -name openssl.cnf).
Change the dir property to the directory you created in the previous step. Do not use a relative path, or you will run into problems. Save the file.
I like automation, so I wrote the following three scripts, which can be used directly:
ca.sh:
#!/bin/bash
# Create the directory hierarchy
touch index.txt serial
chmod 666 index.txt serial
echo 01 > serial
mkdir -p newcerts private
# Generate the RSA key pair
openssl genrsa -des3 -out ./private/cakey.pem 2048
# openssl req -new -days 365 -key ./private/cakey.pem -out ca.csr
# openssl ca -selfsign -in ca.csr -out ca.crt
# One step: build the CSR and CRT directly, valid for 10 years
openssl req -new -x509 -days 3650 -key ./private/cakey.pem -out ca.crt
server.sh:
#!/bin/bash
# Issue a server certificate
mkdir-out./server/-new-key./ server/-in3650
client.sh:
#!/bin/bash
# Issue a client certificate
mkdir2048-new-key./client/client.key-out. client/-in"/etc/ssl/openssl.cnf"-export-clcerts- in./client/client.crt-inkey./client/client.key-out./client/client.p12
All three scripts above can be found at https://github.com/dreamingodd/CA-generation-demo
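The CA layout that ca.sh prepares (index.txt, serial, newcerts, private) and one server-certificate issuance against it, as an added example that is not code from the original page or the linked repository. It assumes a throwaway temp directory, a private config file named ca.cnf instead of the system openssl.cnf, constructed subjects (Demo CA, demo.example.test) and an unencrypted CA key so that it runs unattended:

```shell
#!/bin/bash
# Added example, not the page's scripts. Paths, ca.cnf and subjects are constructed.
build_demo_ca() (
    set -e
    dir=$(mktemp -d)      # absolute path, as the page advises for the dir setting
    cd "$dir"
    touch index.txt       # database of issued certificates
    echo 01 > serial      # next serial number (hex)
    mkdir -p newcerts private server
    chmod 700 private     # keep the CA key directory owner-only
    cat > ca.cnf <<EOF    # private config, so the system-wide openssl.cnf is untouched
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = $dir
database      = \$dir/index.txt
serial        = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate   = \$dir/ca.crt
private_key   = \$dir/private/cakey.pem
default_md    = sha256
policy        = policy_any
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
EOF
    {   # No -des3 here so the demo runs unattended; the page's ca.sh encrypts the CA key.
        openssl genrsa -out private/cakey.pem 2048
        openssl req -config ca.cnf -new -x509 -days 3650 -subj "/CN=Demo CA" \
            -key private/cakey.pem -out ca.crt
        openssl genrsa -out server/server.key 2048
        openssl req -config ca.cnf -new -subj "/CN=demo.example.test" \
            -key server/server.key -out server/server.csr
        openssl ca -config ca.cnf -batch -days 365 \
            -in server/server.csr -out server/server.crt
    } >/dev/null 2>&1
    echo "$dir"
)
verify_server_cert() {    # succeeds only if the certificate chains to the demo CA
    openssl verify -CAfile "$1/ca.crt" "$1/server/server.crt" >/dev/null 2>&1
}
demo_dir=$(build_demo_ca)
verify_server_cert "$demo_dir" && echo "server.crt chains to the CA in $demo_dir"
```

After one issuance the serial file reads 02 and index.txt holds a line for the new certificate, which is how openssl ca tracks what the CA has signed.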
Copy the three scripts above into your own demo directory, as follows:
Add execute permission:
chmod +x *.sh
The results are as follows:
To be Continued ...
HTTPS: self-built OpenSSL CA certificate and certificate issuing, Nginx one-way authentication, two-way authentication, and access from Java