Nginx HTTPS configuration with a free self-signed CA certificate

Source: Internet
Author: User
Tags openssl rsa

I. Configuring HTTPS and self-signed certificates for Nginx
1. Making the CA certificate
ca.key, the CA private key:
openssl genrsa -des3 -out ca.key 2048
Make a decrypted copy of the CA private key (generally not necessary):
openssl rsa -in ca.key -out ca_decrypted.key
ca.crt, the CA root certificate (public key):
openssl req -new -x509 -days 7305 -key ca.key -out ca.crt
2. Make the website certificate and sign it with the CA
Here, suppose the site domain name is blog.creke.net.
Generate the blog.creke.net certificate private key:
openssl genrsa -des3 -out blog.creke.net.pem 2048
Make the decrypted blog.creke.net certificate private key (note: in the Nginx configuration, Nginx expects the decrypted format):
openssl rsa -in blog.creke.net.pem -out blog.creke.net.key
Generate a signing request:
openssl req -new -key blog.creke.net.pem -out blog.creke.net.csr
In Common Name, fill in the site domain name: blog.creke.net generates a certificate for that site, while a wildcard name such as *.creke.net generates a website certificate that is valid for all second-level subdomains.
Sign with the CA:
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in blog.creke.net.csr -out blog.creke.net.crt
The policy parameter allows the signing CA and the website certificate to carry different country, locality and other fields; the days parameter is the validity period of the signed certificate.
If executing the signing command produces an error such as
"unable to access the ./ca/newcerts directory"
set "dir = ./ca" in /etc/pki/tls/openssl.cnf (the CA_default directory), and then:
mkdir -p ca/newcerts
touch ca/index.txt
touch ca/serial
echo 01 > ca/serial   # the serial file needs an initial value; 01 is the usual starting number
Then re-execute the signing command.
Finally, append the contents of ca.crt to the end of blog.creke.net.crt. This is important: without it, some browsers will not accept the certificate.
OK, the website private key blog.creke.net.key and the website certificate blog.creke.net.crt that HTTPS needs are now ready. Next, configure the server side.
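The whole procedure above, as an added shell example that is not part of the original article: it builds the private CA, the site key and CSR, signs the CSR, writes the chained certificate file (site certificate with ca.crt appended) that Nginx's ssl_certificate points to, and then checks the result. It departs from the article in three assumed ways: the keys are written unencrypted (no -des3) so nothing prompts for a passphrase; "openssl x509 -req" is used for signing instead of "openssl ca", so no ca/ directory layout is needed; and a subjectAltName extension is added because current browsers ignore the Common Name. The working directory, the CA subject and the san.ext file name are assumptions; the domain blog.creke.net and the file names follow the article.

```shell
#!/bin/sh
# Added example (not from the article): builds a private CA, a site key and CSR,
# signs the CSR, writes the chained certificate file Nginx expects, and verifies
# the result. The domain blog.creke.net and file names follow the article; the
# working directory, the CA subject and the SAN extension file are assumptions.
set -eu

build_site_cert() {
    dir="$1"          # working directory (constructed, e.g. from mktemp -d)
    domain="$2"       # site name, e.g. blog.creke.net
    mkdir -p "$dir"

    # 1. CA private key and self-signed root certificate. The key is written
    #    unencrypted (no -des3) so the script runs without a passphrase prompt.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 7305 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Private CA" 2>/dev/null

    # 2. Site private key and certificate signing request.
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -subj "/CN=$domain" 2>/dev/null

    # 3. Sign with the CA. "openssl x509 -req" is used instead of the article's
    #    "openssl ca" because it needs no CA directory layout. Browsers now
    #    ignore the CN and require a subjectAltName, so one is added.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$domain" > "$dir/san.ext"
    openssl x509 -req -days 1460 -in "$dir/$domain.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/san.ext" -out "$dir/$domain.leaf.crt" 2>/dev/null

    # 4. Chain file for ssl_certificate: site certificate first, CA appended
    #    (this is the "paste ca.crt after blog.creke.net.crt" step).
    cat "$dir/$domain.leaf.crt" "$dir/ca.crt" > "$dir/$domain.crt"

    # 5. Checks: the site certificate validates against the CA, and the private
    #    key matches the certificate (same RSA modulus).
    openssl verify -CAfile "$dir/ca.crt" "$dir/$domain.leaf.crt" >/dev/null
    key_mod=$(openssl rsa -noout -modulus -in "$dir/$domain.key" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/$domain.leaf.crt")
    [ "$key_mod" = "$crt_mod" ]
}

# Number of certificates in a chain file; Nginx should be handed 2 here
# (site certificate + CA), never the CA alone or the site certificate alone.
cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Stand-alone run: build everything in a temporary directory and report.
if [ "${1:-}" = "--run" ]; then
    work=$(mktemp -d)
    build_site_cert "$work" blog.creke.net
    echo "chain $work/blog.creke.net.crt holds $(cert_count "$work/blog.creke.net.crt") certificates"
fi
```

Run it with "sh script.sh --run". Once the files are in place and Nginx is serving them, the same verification can be repeated against the live server with "openssl s_client -connect blog.creke.net:443 -servername blog.creke.net -CAfile ca.crt", which prints "Verify return code: 0 (ok)" only when the server sends the complete chain and it validates against the CA.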

II. Configuring Nginx
server {
    listen 443 ssl;
    server_name blog.creke.net;
    keepalive_timeout 70;

    ssl_certificate     blog.creke.net.crt;  # path to the website certificate (with ca.crt appended)
    ssl_certificate_key blog.creke.net.key;  # path to the website private key (decrypted)
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 5m;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;  # TLSv1 and TLSv1.1 are deprecated (RFC 8996); current practice is TLSv1.2 TLSv1.3 only
    ssl_ciphers         HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ...
}

III. Test the configuration and reload Nginx
Test the configuration:
nginx -t
Reload:
nginx -s reload

IV. Q&A
Sometimes you will find that when logging in to phpMyAdmin and similar programs, the site wrongly redirects to HTTP. The solution is to locate the "location ~ .*\.(php|php5)$ { }" block and, in the included fcgi.conf or after the fastcgi_param configuration, add:
fastcgi_param HTTPS on;
fastcgi_param HTTP_SCHEME https;
The official Nginx documentation on HTTPS can be used as a reference.

