Configuring HTTPS in Nginx and accessing a self-signed certificate from an Android client

Source: Internet
Author: User

The previous post generated a KeyStore with keytool and configured HTTPS for Tomcat; this post records how to configure HTTPS for Nginx. If Nginx is configured with HTTPS, Tomcat no longer needs its own HTTPS configuration.
Generate a self-signed certificate with the following three steps:
# Generate a key; this is your private key. OpenSSL will prompt you to enter a password; you can set one or not.
# If you set one, you must enter it every time the key is used. For security, the key should be password protected.
> openssl genrsa -des3 -out selfsign.key 4096

# Use the key generated above to create a certificate signing request (CSR).
# If your key is password protected, OpenSSL first asks for the password and then asks a series of questions.
# The Common Name (CN) is the most important: it identifies what the certificate represents. For a website certificate, enter your domain name.
> openssl req -new -key selfsign.key -out selfsign.csr

# Generate the self-signed certificate. selfsign.crt is the certificate we generated.
> openssl x509 -req -days 365 -in selfsign.csr -signkey selfsign.key -out selfsign.crt

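Configuring HTTPS in Nginx is simple. With the Nginx SSL module available, add the following configuration:
# The default HTTPS port is 443, not 80.
listen 443;
# Enable SSL support for this server.
# (The "ssl" directive is deprecated since nginx 1.15.0 and removed in 1.25.1; there, use "listen 443 ssl;" instead.)
ssl on;
# Certificate file in PEM format for this virtual host
ssl_certificate d:/keys/selfsign.crt;
# Private key file for this virtual host
ssl_certificate_key D:/keys/selfsign.key;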
With the above in place, the site can be reached from a browser on port 443. The browser warns that the certificate is invalid; choose to continue to access the site.
If you access the service from your own client, it reports that the certificate is invalid. You need to add the certificate to the client, and the certificate must be generated with SAN (Subject Alternative Name) information.
The certificate is generated as follows:
1. The certificate generation configuration file san.conf is as follows:
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Sichuan
localityName = Locality Name (eg, city)
localityName_default = Chengdu
organizationName = Organization Name (eg, company)
organizationName_default = xxxxx LTD
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = xxxxxxx
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_default = *.xxxx.com
commonName_max = 64

[v3_req]
# CA:TRUE marks this certificate as a CA: a client that trusts it also accepts certificates signed with this key.
basicConstraints = CA:TRUE
subjectAltName = @alt_names

[alt_names]
# Add as many entries as needed. I tested against the LAN IP and kept getting "hostname not verified"; adding the IP here fixed it.
IP.1 = 192.168.140.11
IP.2 = 192.168.140.12
DNS.1 = www.xxxx.com

The commands to generate the certificate:

# Generate the RSA key pair for the CA
openssl genrsa -des3 -out selfsign.key 4096

# Self-issue the CA certificate
openssl req -new -x509 -days 365 -key selfsign.key -out selfsign.crt -extensions v3_req -config san.conf

# View the certificate contents
openssl x509 -in selfsign.crt -noout -text
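
The "hostname not verified" failure noted in the [alt_names] comment can be caught before the certificate reaches the client. The script below is an added example, not part of the original article: it issues a test certificate with the article's SAN entries and uses openssl x509 -checkip / -checkhost to report which addresses the certificate actually covers. The 2048-bit unencrypted key, the -subj value and the function names are assumptions made so it runs unattended; 192.168.140.99 is a constructed address that is deliberately absent from the SAN list.

```shell
# Added example. Key size 2048 and -nodes (no passphrase) are assumptions
# chosen so the script runs unattended; the article uses -des3 and 4096.
# make_san_cert DIR: write san.conf plus a self-signed key/cert pair into DIR.
make_san_cert() {
    dir=$1
    cat > "$dir/san.conf" <<'EOF'
[req]
distinguished_name = req_distinguished_name
[req_distinguished_name]
commonName = Common Name
[v3_req]
basicConstraints = CA:TRUE
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.140.11
IP.2 = 192.168.140.12
DNS.1 = www.xxxx.com
EOF
    openssl req -new -x509 -days 365 -newkey rsa:2048 -nodes \
        -subj "/CN=*.xxxx.com" -keyout "$dir/selfsign.key" \
        -out "$dir/selfsign.crt" -extensions v3_req \
        -config "$dir/san.conf" 2>/dev/null
}

# san_covers CERT ip|host NAME: succeed only if the certificate matches NAME.
san_covers() {
    openssl x509 -in "$1" -noout "-check$2" "$3" | grep -q 'does match certificate'
}

# report_coverage CERT KIND:NAME...: one line per name, non-zero if any is missing.
report_coverage() {
    cert=$1; shift; rc=0
    for target in "$@"; do
        if san_covers "$cert" "${target%%:*}" "${target#*:}"; then
            echo "OK      $target"
        else
            echo "MISSING $target"; rc=1
        fi
    done
    return $rc
}

# Constructed check: the last address is deliberately absent from [alt_names].
tmp=$(mktemp -d) && make_san_cert "$tmp" &&
    report_coverage "$tmp/selfsign.crt" ip:192.168.140.11 host:www.xxxx.com \
        ip:192.168.140.99 || echo "reissue with the missing names in [alt_names]"
rm -rf "$tmp"
```

Run report_coverage against the real selfsign.crt with every IP and hostname the client will connect to; any MISSING line means the client's hostname verification will reject the connection until the name is added to [alt_names] and the certificate is reissued.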

The Android client HTTPS sample uses the OkHttp framework and WebView to access the HTTPS service. Address: http://code.taobao.org/svn/learningtips/AndroidHttpsTest
