Linux SSL setup: create a self-signed SSL certificate with openssl and configure nginx

Source: Internet
Author: User
Tags: openssl, rsa, x509, csr, certificate, nginx, server
First, the client completes the TCP three-way handshake with the server (HTTP runs over TCP/IP). The two sides then set up an SSL session: they negotiate the encryption algorithm to use, and the server sends its certificate to the client. Once the client has verified the certificate, it generates a symmetric key and sends it to the server. From then on the client sends its requests and the server returns the content encrypted with that symmetric key. This is how the SSL session is established.

But how does the client verify that the server's certificate is genuine? A CA (a third-party Certificate Authority) is needed to issue the certificate to our server, so that the client can check the server certificate against the CA.

For that, the CA's own certificate must already be stored on the client side, and that certificate is self-signed. (The client uses it to verify the server certificate.)

How, then, does the server obtain a certificate from the CA? First the server creates a key pair and delivers the public key to the CA. The CA signs it, producing the certificate, keeps a copy and sends it back to the server. The server installs and uses the certificate and presents it to the client when a connection is made; the client then verifies it against the CA.

① Premise:

To enable SSL on your web server, the SSL module must be installed first (nginx must be built with the http_ssl_module).

1. Create a self-signed certificate (example domain: test.imdst.com)
  • Create the private key (for a self-signed certificate this key both signs the certificate and serves as the server key)
    openssl genrsa -out test.imdst.com.key 2048

  • Use the private key to create a signature request
    openssl req -new -subj "/C=US/ST=GuangDong/L=GuangZhou/O=Your Company Name/OU=imdst.com/CN=test.imdst.com" -key test.imdst.com.key -out test.imdst.com.csr 
    Note: /C is the country, given only as the two-letter country code (e.g. CN, US); /ST is the state or province; /L is the locality (city or region); /O is the organization name; /OU is the organizational unit, free text that is usually shown in the issuer column.

  • Strip the passphrase from the private key
    mv test.imdst.com.key test.imdst.com.origin.key 
    openssl rsa -in test.imdst.com.origin.key -out test.imdst.com.key

  • Sign the certificate request with the key (self-signed, valid for 3650 days)
    openssl x509 -req -days 3650 -in test.imdst.com.csr -signkey test.imdst.com.key -out test.imdst.com.crt

  • For a certificate intended for HTTPS, the CN in the signing request must be the same as the site's domain name; otherwise the browser cannot verify the certificate.

Files produced:
  • test.imdst.com.crt: self-signed certificate
  • test.imdst.com.csr: certificate signing request
  • test.imdst.com.key: private key without passphrase
  • test.imdst.com.origin.key: private key with passphrase
II. Configure SSL in nginx
  • nginx sends test.imdst.com.crt to the browser for verification and uses test.imdst.com.key to decrypt the data sent by the browser.
  • nginx server {} configuration
    server {
        listen       443 ssl;
        server_name  test.imdst.com;
        access_log   /data/logs/test.access_log;
        ssl on;
        ssl_certificate     sslkey/test.imdst.com.crt;
        ssl_certificate_key sslkey/test.imdst.com.key;
        ssl_session_timeout 5m;
        ssl_protocols SSLv2 SSLv3 TLSv1;
        ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        ssl_prefer_server_ciphers on;
    }
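As an added example (not part of the original post), the certificate steps from section 1 and the nginx server block above are wrapped into shell functions, together with the checks an administrator wants before reloading nginx. It goes beyond the tutorial in two ways: it adds a subjectAltName, which current browsers require, and the printed server block uses TLS 1.2 and later in place of the SSLv2/SSLv3/TLSv1 and cipher settings shown above. The hostname, organization values and paths are constructed placeholders.

```shell
# Added example (not from the original post): the tutorial's openssl steps as
# functions, plus the checks to run before pointing nginx at the files.
set -eu

# make_selfsigned <hostname> <outdir>: key -> CSR -> self-signed cert (10 years).
make_selfsigned() {
  name=$1; dir=$2
  mkdir -p "$dir"
  openssl genrsa -out "$dir/$name.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$name.key" -out "$dir/$name.csr" \
    -subj "/C=US/ST=GuangDong/L=GuangZhou/O=Example Co/OU=example/CN=$name" 2>/dev/null
  # Browsers match the hostname against subjectAltName, not the CN alone.
  printf 'subjectAltName=DNS:%s\n' "$name" > "$dir/san.ext"
  openssl x509 -req -days 3650 -in "$dir/$name.csr" -signkey "$dir/$name.key" \
    -extfile "$dir/san.ext" -out "$dir/$name.crt" 2>/dev/null
}

# cert_valid_for_host <crt> <hostname>: succeeds if a client that has this
# certificate in its trust store would accept it for the hostname.
cert_valid_for_host() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# cert_key_match <crt> <key>: succeeds if the certificate's public key is the
# one derived from the private key (a mismatch makes nginx fail at startup).
cert_key_match() {
  [ "$(openssl x509 -noout -pubkey -in "$1")" = \
    "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# nginx_ssl_server <hostname> <certdir>: prints the tutorial's server block
# with the SSLv2/SSLv3/TLSv1 and weak-cipher settings replaced by TLS 1.2+.
nginx_ssl_server() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate $2/$1.crt;
    ssl_certificate_key $2/$1.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_timeout 5m;
}
EOF
}
```

Run `make_selfsigned test.imdst.com /etc/nginx/sslkey`, then `nginx_ssl_server test.imdst.com /etc/nginx/sslkey > /etc/nginx/conf.d/test.conf` and check with `nginx -t` before reloading.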
