LinuxSSL setting_openssl create a self-Signed SSL Certificate and Nginx Configuration

First, the client performs three handshakes with the server. (Because http communicates Based on the TCPIP protocol), then they establish an SSL session and negotiate the encryption algorithm to be used after the negotiation is complete. The server sends its certificate to the client. After the client verifies that there is no problem, a symmetric key is generated and sent to the server. Then, the client sends a request to the server, the server sends the content to the client using the symmetric key encryption sent from the client. In this way, the ssl session is established. First, the client performs three handshakes with the server. (Because http communicates Based on the TCP/IP protocol), then they establish an SSL session and negotiate the encryption algorithm to be used after the negotiation is complete. The server sends its certificate to the client. After the client verifies that there is no problem, a symmetric key is generated and sent to the server. Then, the client sends a request to the server, the server sends the content to the client using the symmetric key encryption sent from the client. In this way, the ssl session is established.

However, how does the client verify whether the server certificate is true? a ca: a third-party Certificate Authority is required to issue a certificate to our server. Therefore, the client can go to the CA to verify the server certificate.

At this time, the CA should have a certificate stored on the client side, and the certificate is self-signed. (The client can go to the CA to verify the server certificate .)

Then, how does the server send a certificate to the CA? First, the server creates a key and delivers the public key to the CA. Then, the CA signs the key and generates the certificate, save a copy and send it back to the server. The server configures and uses the certificate, and then sends the certificate to the client after the call. The client asks the CA for verification.

① Premise:

To enable your web server to support ssl, you must first install the SSL module.

1. For example test.imdst.comCreate a self-signed certificate

• Create the private key of the root certificate
  openssl genrsa -out test.imdst.com.key 2048

• Use the private key to create a signature request
  openssl req -new -subj "/C=US/ST=GuangDong/L=GuangZhou/O=Your Company Name/OU=imdst.com/CN=test.imdst.com" -key test.imdst.com.key -out test.imdst.com.csr 
  Note:Here/C indicates the Country (Country), which can only be abbreviated to the Country, such as CN and US;/ST indicates the State or province (State/Provice ); /L indicates the city or region (Locality);/O indicates the Organization Name;/OU other display content, usually displayed in the issuer column.

• Remove the private key with a password
  mv test.imdst.com.key test.imdst.com.origin.key 
openssl rsa -in test.imdst.com.origin.key -out test.imdst.com.key

• Sign the certificate with Key
  openssl x509 -req -days 3650 -in test.imdst.com.csr -signkey test.imdst.com.key -out test.imdst.com.crt

• For certificates prepared for HTTPS, note that the created signature request must be in the same CN as the domain name; otherwise, the certificate cannot be verified by the browser.

Test.imdst.com. crt self-signed certificate test.imdst.com. csr certificate request test.imdst.com. key Without Password Key test.imdst.com. origin. key with Password Key

Ii. Configure ssl verification for nginx

• Send test.imdst.com. crt to the browser for verification, and then use test.imdst.com. key to decrypt the data sent by the browser.
• Nginx server {} Configuration

server  {        listen       443 ssl;        server_name  test.imdst.com;        access_log /data/logs/test.access_log;        ssl on;        ssl_certificate sslkey/test.imdst.com.crt;         ssl_certificate_key sslkey/test.imdst.com.key;        ssl_session_timeout  5m;        ssl_protocols SSLv2 SSLv3 TLSv1;        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;        ssl_prefer_server_ciphers on;}