I have recently been busy integrating with a third-party SMS provider's SMS uplink interface. Data is transmitted over HTTPS with digest authentication. The digest authentication is implemented by the front-end PHP developer; my part is to provide the HTTPS service with NGINX + SSL. The SSL certificates are generated with OpenSSL itself.
SSL principle:
The SSL/TLS handshake itself is not elaborated here. To learn more, see this link: http://www.fenesky.com/blog/2014/07/19/how-https-works.html
1. First, generate the server's private key:
[Screenshot: Ssl1.png]
The command prompts for a passphrase, which is used to encrypt the key file (the -des3 parameter selects the encryption algorithm; you can of course choose another algorithm you consider secure). You will have to enter the passphrase whenever this file is read (through the OpenSSL command line or API). If that is inconvenient you can also remove the passphrase, but the private key is then stored in the clear, so be sure to take other protective measures! Command to remove the passphrase from the key file:
[Screenshot: Ssl2.png]
After running this command you no longer need to enter a passphrase when starting Nginx.
2. Generate a certificate signing request (CSR) with server.key
[Screenshot: Ssl3.png] The generated CSR is signed by the CA and becomes the server's own certificate. Follow the prompts to supply the server certificate's subject information.
3. Run the same commands for the client to generate its key and CSR
[Screenshot: Ssl4.png]
[Screenshot: Ssl5.png]
4. A CSR must be signed by a CA to become a certificate. Here we act as our own CA: generate a CA key file ca.key and a self-signed root certificate ca.crt
[Screenshot: Ssl6.png]
5. Create the files that openssl.cnf expects for the CA
# create the CA database and serial file listed in openssl.cnf (dir is /etc/pki/CA by default; use the path your openssl.cnf names)
touch /etc/pki/CA/{index.txt,serial}
# the serial file must hold the starting serial number as a hex number (an empty file makes 'openssl ca' fail)
echo 01 > /etc/pki/CA/serial
# directory in which copies of issued certificates are stored
mkdir /etc/pki/CA/newcerts
6. Sign the server.csr and client.csr just generated with the CA certificate
[Screenshot: Ssl7.png]
Client certificate Issuance:
[Screenshot: Ssl8.png]
Certificate Format conversion:
# IE needs a PKCS#12 (.p12) bundle of the client certificate and key (you are asked for an export password):
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
# iOS: the certificate on its own (this is still PEM; add -outform DER if the device expects DER):
openssl x509 -in client.crt -out client.cer
# Android: PKCS#12 bundle with the .pfx extension:
openssl pkcs12 -export -in client.crt -inkey client.key -out client.pfx
# PEM certificate + key back out of the PKCS#12 bundle (no -export when reading a .pfx; -nodes leaves the key unencrypted):
openssl pkcs12 -in client.pfx -out client.pem -nodes
To remove the private key passphrase:
# remove the private key passphrase (the output file is unencrypted; protect it)
openssl rsa -in client.key -out client_open.key
Certificate revocation:
# the CRL number file must exist and hold a hex start value before the first CRL is generated
echo 01 > /etc/pki/CA/crlnumber
# revoke client.crt in the CA database
openssl ca -keyfile ca.key -cert ca.crt -revoke client.crt
# generate (or refresh) the certificate revocation list
openssl ca -gencrl -keyfile ca.key -cert ca.crt -out client.crl
Note that Nginx only checks client certificates against this CRL if the server block points at the file with the ssl_crl directive; otherwise a revoked client certificate is still accepted.
To view certificate information:
openssl x509 -in client.pem -noout -text
Files used by the client browser: ca.crt, client.crt, client.key, client.pfx
Files used by the server side: ca.crt, server.crt, server.key
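The commands for steps 1 to 6, the PKCS#12 conversion and the revocation section were shown as screenshots in the original post. The script below is an added example, not the post's own code: it runs the whole procedure non-interactively against a throwaway CA in a temporary directory, verifies the issued certificates against ca.crt, then revokes the client certificate and shows the CRL check failing. It assumes only that the openssl command line (1.1.x or 3.x) is installed; the subjects, passphrases, file names and the minimal ca.cnf it writes are all constructed for the example and stand in for the system openssl.cnf and /etc/pki/CA used in the post.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-6, the PKCS#12 conversion
# and the revocation section, run non-interactively against a throwaway CA.
# Assumes only the openssl CLI. All names, subjects and passphrases are constructed.
set -eu

PKI_DIR="${PKI_DIR:-$(mktemp -d)}"
CADIR="$PKI_DIR/ca"

# Minimal stand-in for the system openssl.cnf so the example is self-contained.
# The [demo_ca] paths mirror what step 5 creates under /etc/pki/CA.
write_ca_config() {
    cat > "$PKI_DIR/ca.cnf" <<EOF
[ ca ]
default_ca           = demo_ca
[ demo_ca ]
dir                  = $CADIR
database             = \$dir/index.txt
serial               = \$dir/serial
crlnumber            = \$dir/crlnumber
new_certs_dir        = \$dir/newcerts
certificate          = $PKI_DIR/ca.crt
private_key          = $PKI_DIR/ca.key
default_md           = sha256
default_days         = 365
default_crl_days     = 30
policy               = demo_policy
x509_extensions      = usr_cert
unique_subject       = no
[ demo_policy ]
commonName           = supplied
[ usr_cert ]
basicConstraints     = CA:FALSE
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ req ]
distinguished_name   = req_dn
[ req_dn ]
commonName           = Common Name
EOF
}

# Step 1: server key encrypted with DES3 under a passphrase, then a copy with the
# passphrase removed so Nginx can start unattended (protect that file by other means).
make_server_key() {
    openssl genrsa -des3 -passout pass:server-secret -out "$PKI_DIR/server.key" 2048 2>/dev/null
    openssl rsa -in "$PKI_DIR/server.key" -passin pass:server-secret -out "$PKI_DIR/server_open.key" 2>/dev/null
}

# Steps 2 and 3: a CSR for an existing key, subject given with -subj instead of answering prompts.
make_csr() {  # $1 key file, $2 common name, $3 output CSR
    openssl req -new -config "$PKI_DIR/ca.cnf" -key "$1" -subj "/CN=$2" -out "$3"
}

# Step 4: our own root CA (ca.key plus self-signed ca.crt carrying CA extensions).
make_ca() {
    openssl req -x509 -config "$PKI_DIR/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$PKI_DIR/ca.key" -subj "/CN=Demo Root CA" -days 3650 -out "$PKI_DIR/ca.crt" 2>/dev/null
}

# Step 5: bookkeeping files for 'openssl ca'; serial and crlnumber need a hex start value.
init_ca_db() {
    mkdir -p "$CADIR/newcerts"
    : > "$CADIR/index.txt"
    echo 01 > "$CADIR/serial"
    echo 01 > "$CADIR/crlnumber"
}

# Step 6: sign a CSR with the CA (the post's -keyfile/-cert are taken from ca.cnf here).
sign_csr() {  # $1 CSR, $2 output certificate
    openssl ca -batch -notext -config "$PKI_DIR/ca.cnf" -in "$1" -out "$2" 2>/dev/null
}

# Format conversion: client certificate + key as a PKCS#12 bundle (what IE/Android import).
make_p12() {
    openssl pkcs12 -export -clcerts -in "$PKI_DIR/client.crt" -inkey "$PKI_DIR/client.key" \
        -passout pass:export-secret -out "$PKI_DIR/client.p12"
}

# Revocation: mark client.crt revoked in the CA database, then publish the CRL.
revoke_client() {
    openssl ca -config "$PKI_DIR/ca.cnf" -revoke "$PKI_DIR/client.crt" 2>/dev/null
    openssl ca -config "$PKI_DIR/ca.cnf" -gencrl -out "$PKI_DIR/client.crl" 2>/dev/null
}

# Returns 0 when $1 chains to ca.crt and, once a CRL exists, is not listed in it.
cert_is_valid() {
    if [ -f "$PKI_DIR/client.crl" ]; then
        cat "$PKI_DIR/ca.crt" "$PKI_DIR/client.crl" > "$PKI_DIR/ca_and_crl.pem"
        openssl verify -crl_check -CAfile "$PKI_DIR/ca_and_crl.pem" "$1" >/dev/null 2>&1
    else
        openssl verify -CAfile "$PKI_DIR/ca.crt" "$1" >/dev/null 2>&1
    fi
}

build_pki() {
    write_ca_config
    make_server_key
    make_csr "$PKI_DIR/server_open.key" smsapi.example.test "$PKI_DIR/server.csr"
    openssl genrsa -out "$PKI_DIR/client.key" 2048 2>/dev/null
    make_csr "$PKI_DIR/client.key" sms-client "$PKI_DIR/client.csr"
    make_ca
    init_ca_db
    sign_csr "$PKI_DIR/server.csr" "$PKI_DIR/server.crt"
    sign_csr "$PKI_DIR/client.csr" "$PKI_DIR/client.crt"
    make_p12
}

build_pki
if cert_is_valid "$PKI_DIR/server.crt"; then echo "server.crt chains to ca.crt"; fi
revoke_client
if cert_is_valid "$PKI_DIR/client.crt"; then echo "client.crt unexpectedly still valid"; else echo "client.crt is revoked"; fi
echo "files are in $PKI_DIR"
```

Run it with sh from any directory; it prints where the files ended up. On a real server use the system openssl.cnf instead of the generated ca.cnf (keeping dir, serial and crlnumber consistent with it), and keep ca.key off the web server altogether: Nginx only needs ca.crt to verify client certificates.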
7. Configure Nginx SSL
server {
    listen 443 ssl;            # 'listen ... ssl' replaces the older 'ssl on;' directive
    server_name smsapi.chunbo.com;
    root /var/www/smsapi.david.com;

    ssl_certificate     /etc/nginx/conf.d/server.crt;
    ssl_certificate_key /etc/nginx/conf.d/server.key;   # the key with the passphrase removed

    # Client certificate verification: the CA that issued client.crt, and 'on' so a
    # client without a valid certificate is rejected ('off' never asks for one at all).
    ssl_client_certificate /etc/nginx/conf.d/ca.crt;
    ssl_verify_client on;

    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 are broken; offer TLS only.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location / {
        index index.php index.html;
    }

    location ~ \.php$ {
        include /etc/nginx/fastcgi_params;
        if (-f $request_filename) {
            fastcgi_pass 127.0.0.1:9000;
        }
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
The Nginx configuration is complete; reload the nginx service.
8. Client Import Certificate
Install the certificates just generated on the client: the root certificate ca.crt and the client certificate client.crt (or client.pfx). Install ca.crt under the trusted root certification authorities, and client.crt either directly in Windows or into the personal certificate store. (For IE, install client.pfx; when importing it you are asked for the export password set when the certificate was issued.)
9. Testing
Next, test it through a browser. Sometimes the service is called as an API by another program; for example, I call it with Python requests:
import requests

url = "https://smsapi.chunbo.com/"  # hostname from the Nginx server_name above; the original omits the full URL

# client certificate and key as separate files; verify the server against our own CA
response = requests.get(url, cert=("/path/client.crt", "/path/client.key"), verify="/path/ca.crt")
data = response.text

# or, with certificate and key combined in one PEM file:
response = requests.get(url, cert="/path/client.pem", verify="/path/ca.crt")
data = response.text
A Java program needs the certificate in P12 format. Choose the format according to your needs.
With this, the NGINX + OpenSSL deployment is complete.
This article is from the "David" blog; please keep this source: http://davidbj.blog.51cto.com/4159484/1613780
Nginx + OpenSSL: building an HTTPS service