1. Self-issued SSL certificates that are not trusted by the browser:
You can issue an SSL certificate for HTTPS yourself. The steps under Linux are as follows:
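# 1024-bit key as in the original steps; use 2048 bits or more for new keys
openssl genrsa -des3 -out www.aaa.com.key 1024
openssl req -new -key www.aaa.com.key -out www.aaa.com.csr
openssl rsa -in www.aaa.com.key -out www.aaa.com_nopass.key
# Self-sign the request to produce the www.aaa.com.crt that nginx.conf refers to (365 days is an example validity)
openssl x509 -req -days 365 -in www.aaa.com.csr -signkey www.aaa.com.key -out www.aaa.com.crt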
SSL certificate configuration in nginx.conf. With www.aaa.com_nopass.key, Nginx starts without asking for the SSL certificate password; with www.aaa.com.key, the password must be entered at startup:
server
{
    server_name sms.www.aaa.com;
    listen 443;
    index index.html index.htm index.php;
    root /data0/htdocs/www.aaa.com;
    ssl on;
    ssl_certificate www.aaa.com.crt;
    ssl_certificate_key www.aaa.com_nopass.key;
    ......
}
A self-issued SSL certificate does provide encrypted transport, but the browser does not trust it and shows a warning prompt.
2. StartSSL free SSL certificate trusted by the browser:
StartSSL (website: http://www.startssl.com, company name: StartCom) is also a CA whose root certificate has long been supported by browsers with open-source backgrounds (Firefox, Google Chrome, Apple Safari, etc.).
In September of this year, StartSSL managed to win over Microsoft: in an update patch, Microsoft updated the vendor list of the Windows Root Certificate Program and included StartCom in it for the first time. This is the first time Microsoft has added a vendor that provides free digital certification to the root certificate list. Now, on Windows 7, or on Windows Vista or Windows XP with the update patch installed, the system fully trusts digital certificates certified by StartCom, a free digital certification authority, so StartSSL is also supported by IE.
After registering as a StartSSL (http://www.startssl.com) user and verifying your e-mail, you can request a free, trusted SSL certificate. The steps are complex and are not described in detail here; the main steps of the application wizard are as follows:
Apply for a free SSL certificate at http://www.startssl.com.
Download the www.aaa.com.zip file, unzip it, then extract the "for nginx.zip" archive inside it to get 2 files:
1_www.aaa.com_bundle.crt, 2_www.aaa.com.key
Rename them to www.aaa.com.crt and www.aaa.com.key and put them on the server for later use.
Configuring Nginx with the SSL certificate to support HTTPS
Locate the corresponding server block
Add:
listen 443 ssl;
ssl on;
ssl_certificate /usr/local/nginx/conf/ssl/www.aaa.com.crt;
ssl_certificate_key /usr/local/nginx/conf/ssl/www.aaa.com.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;
Reload the Nginx configuration
# /etc/init.d/nginx reload
The browser-trusted https://www.aaa.com is now available.
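The ssl_protocols and ssl_ciphers values in the server block above still enable TLS 1.0/1.1 and, through ALL, RC4, LOW, SSLv2 and EXP, weak cipher suites. The following Python check is an added example, not part of the original article; its function names and keyword lists are this example's own choices, and it flags those directives so they can be tightened before the reload.

```python
import re
# Protocol versions that are obsolete: SSLv2/SSLv3, and TLS 1.0/1.1 (RFC 8996).
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string keywords that pull in weak, export-grade or anonymous suites.
WEAK_KEYWORDS = {"ALL", "LOW", "EXP", "EXPORT", "EXPORT40", "EXPORT56", "RC4",
                 "DES", "3DES", "MD5", "SSLv2", "NULL", "eNULL", "aNULL", "ADH"}

def directives(conf):
    """Map each ssl* directive name in conf to the list of its values."""
    found = {}
    for name, value in re.findall(r"^\s*(ssl\w*)\s+([^;]+);", conf, re.M):
        found.setdefault(name, []).append(value.strip())
    return found

def weak_cipher_tokens(cipher_string):
    """Return the tokens of an OpenSSL cipher string that leave weak suites enabled."""
    weak = []
    for token in cipher_string.split(":"):
        if not token or token[0] in "!-":
            continue  # '!' and '-' remove suites, so they are not findings
        # 'A+B' means "A and B"; a leading '+' only reorders, it disables nothing.
        if WEAK_KEYWORDS & set(token.lstrip("+").split("+")):
            weak.append(token)
    return weak

def audit(conf):
    """Return a list of findings for the TLS directives of one server block."""
    found, findings = directives(conf), []
    for value in found.get("ssl_protocols", []):
        old = [p for p in value.split() if p in OLD_PROTOCOLS]
        if old:
            findings.append("ssl_protocols enables " + ", ".join(old))
    for value in found.get("ssl_ciphers", []):
        weak = weak_cipher_tokens(value)
        if weak:
            findings.append("ssl_ciphers keeps weak suites via " + ", ".join(weak))
    if "on" in found.get("ssl", []):
        findings.append("'ssl on;' is obsolete; 'listen 443 ssl;' is enough")
    return findings

# The directives from the server block above, embedded as sample input.
SAMPLE = """
listen 443 ssl;
ssl on;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
"""
print("\n".join(audit(SAMPLE)))
```

A block that lists only TLSv1.2/TLSv1.3 and explicit AEAD suite names produces no findings.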
Converting a PFX file to the crt and key files Nginx requires
If you already have a certificate with a PFX extension, you need to convert the
# openssl pkcs12 -in www.aaa.com.pfx -nocerts -nodes -out www.aaa.com.key
Enter Import Password: (enter the certificate password)
MAC verified OK
# openssl pkcs12 -in www.aaa.com.pfx -clcerts -nokeys -out www.aaa.com.crt
Enter Import Password: (enter the certificate password)
MAC verified OK
This generates 2 files, www.aaa.com.key and www.aaa.com.pfx; copy them to the directory you specified.
This article is from the "practice of Knowledge" blog, please be sure to keep this source http://m51cto.blog.51cto.com/53087/1966129
Nginx Configuration free SSL Certificate supports HTTPS secure access