Home > Developer > Web Develop

Nginx configuration https-Free self-signed CA certificate

Source: Internet
Author: User
Tags openssl rsa
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

I. Configuring HTTPS and self-signed certificates for Nginx
1. Making CA Certificate
Ca.key CA Private Key:
OpenSSL genrsa-des3-out Ca.key 2048
Make the decrypted CA private key (which is generally not necessary):
OpenSSL rsa-in ca.key-out Ca_decrypted.key
CA.CRT CA Root certificate (public key):
OpenSSL req-new-x509-days 7305-key ca.key-out ca.crt
2. Make the certificate of generating website and certify with CA signature
Here, suppose the site domain name is blog.creke.net
Generate the Blog.creke.net certificate private key:
OpenSSL genrsa-des3-out Blog.creke.net.pem 2048
Make the decrypted blog.creke.net certificate private key ( Note: In Nginx configuration, Nginx supports the decrypted format .):
OpenSSL rsa-in blog.creke.net.pem-out Blog.creke.net.key
To generate a signature request:
OpenSSL Req-new-key blog.creke.net.pem-out BLOG.CREKE.NET.CSR
In common name fill in the site domain name, such as blog.creke.net can generate the certificate for the site, while * You can also use a generic domain name such as. creke.net to generate a Web site certificate that is available for all level two domains .
To sign with a CA:
OpenSSL ca-policy policy_anything-days 1460-cert ca.crt-keyfile ca.key-in blog.creke.net.csr-out blog.creke.net.crt
Where the policy parameter allows signed CAs and web site certificates to have different countries, place names and other information, the days parameter is the signature time limit.
If the signature command is executed, the"I am unable to access the. /.. /ca/newcerts directory "
Modify/etc/pki/tls/openssl.cnf in "DIR =./ca"
And then:
Mkdir-p Ca/newcerts
Touch Ca/index.txt
Touch ca/serial
echo "Ca/serial" >
Then re-execute the signing command.
Finally,Paste the contents of the ca.crt behind the BLOG.CREKE.NET.CRT. This is more important! * * Because you do not, there may be some browsers that are not supported.
OK, now HTTPS needs to use the website private key Blog.creke.net.key and website certificate blog.creke.net.crt are ready to complete. Next, start configuring the service side.

Second, the configuration Nginx
server {
Listen 443 SSL;
server_name blog.creke.net;
Keepalive_timeout 70;

ssl_certificate     blog.creke.net.crt;  //网站证书存放的路径ssl_certificate_key blog.creke.net.key;  //网站私钥存放的路径ssl_session_cache   shared:SSL:10m;ssl_session_timeout 5m;ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;ssl_ciphers         HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers on;...

}

Third, detection configuration and reload Nginx configuration
Detection configuration:
Nginx-t
Reload:
Nginx-s Reload

Iv. QA
Sometimes, you will find that when the phpMyAdmin and other programs log in, it will mistakenly jump to the HTTP problem. The solution is to locate the location ~. *. (PHP|PHP5) ${} "in the include fcgi.conf, or after the Fastcgi_param configuration, add:
Fastcgi_param HTTPS on;
Fastcgi_param Http_scheme HTTPS;
Here is the official Nginx document on HTTPS, can be used as a reference.

Nginx configuration https-Free self-signed CA certificate

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
https self signed certificate free ca certificate generator self signed wildcard certificate make self signed certificate renew self signed certificate self signed certificate security self signed certificate trusted

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More