First, the HTTPS service must be built on an HTTPS certificate. This certificate can be thought of as an application-level certificate, because it is issued (signed) from a CA certificate. For a public website the CA certificate must come from a qualified third-party certification authority; for a small self-built project you can use a CA certificate that you sign yourself on your own server. An HTTPS service built on such a certificate will show an "untrusted" warning in the browser when accessed, which can simply be ignored for your own project.
Reference text: "53178897"
Self-signed CA certificate
The commands below, covering both the self-signed CA certificate and the HTTPS certificate it signs, can all be run in the same directory.
1. Generate the CA private key
# openssl genrsa -des3 -out ca.key 2048
This command prompts for a password that encrypts ca.key. Write the password down after entering it; it is needed later.
2. Generate an unencrypted CA private key (optional)
# openssl genrsa -out ca_decrypted.key 2048
3. Generate the CA public key (the CA root certificate)
# openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
After entering the command you will be asked for some information about the certificate, such as the location of the certification authority, the organization name and so on. All of these can be left blank by pressing Enter; the only field that matters is Common Name. So that the later steps go smoothly, my current practice is to fill in the host name or host IP here.
Generate an HTTPS certificate and sign with the CA certificate
When generating the HTTPS certificate you need to specify the hostname or host IP, which is the same one entered when the CA root certificate was generated.
1. Generate the HTTPS certificate private key
# openssl genrsa -des3 -out xxxx.pem 1024
Here xxxx stands for the hostname or host IP mentioned above; the same applies to the commands below and is not repeated.
2. Generate an unencrypted HTTPS host certificate private key (optional)
# openssl rsa -in xxxx.pem -out xxxx.key
3. Generate a signing request
# openssl req -new -key xxxx.pem -out xxxx.csr
4. Sign with the CA
# openssl ca -policy policy_anything -days 3650 -cert ca.crt -keyfile ca.key -in xxxx.csr -out xxxx.crt
The policy parameter allows the signing CA and the web site certificate to have different country, locality and other fields; the days parameter is the validity period of the signed certificate.
At signing time you are likely to run into the error
I am unable to access the /etc/pki/CA/newcerts directory
/etc/pki/CA/newcerts: Permission denied
This happens mainly because the user running the signing command is not root, while OpenSSL needs to write some CA bookkeeping files under the /etc/pki/CA directory. To resolve it, use the root user to modify the dir configuration item in /etc/pki/tls/openssl.cnf. Its default value is /etc/pki/CA; change it to ./ca.
Then go back to the directory where the HTTPS certificate was generated and run:
# mkdir -p ca/newcerts
# touch ca/index.txt
# echo '01' > ca/serial
The index.txt file is the (initially empty) certificate database and serial holds the next serial number to issue. Then run the CA signing command again.
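The same CA and server-certificate steps as an added, non-interactive shell example (not code from the original post): it keeps the CA database in a private ./ca directory through a minimal openssl.cnf passed with -config, so the system openssl.cnf is never edited and the newcerts permission error above cannot occur, and it adds a subjectAltName because browsers match the hostname against SAN rather than Common Name. It assumes the openssl CLI is installed; the hostname and working directory are parameters.

```shell
#!/bin/sh
# Added example (not code from the original post): the CA and server-certificate
# steps above run non-interactively, with the CA database in a private ./ca
# directory via a minimal openssl.cnf, so /etc/pki/tls/openssl.cnf is never
# edited and the newcerts permission error cannot occur. Assumes the openssl CLI.
set -e
build_ca_and_cert() {
    host="$1"; work="$2"
    mkdir -p "$work/ca/newcerts"
    : > "$work/ca/index.txt"     # empty certificate database
    echo 01 > "$work/ca/serial"  # first serial number to issue
    cat > "$work/openssl.cnf" <<EOF
[ ca ]
default_ca    = CA_default
[ CA_default ]
dir           = $work/ca
database      = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial        = \$dir/serial
default_md    = sha256
[ policy_anything ]
commonName    = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[ v3_server ]
subjectAltName = DNS:$host
EOF
    ( cd "$work"
        # CA key and self-signed root; no -des3 here, so no passphrase prompt
        openssl genrsa -out ca.key 2048 2>/dev/null
        openssl req -new -x509 -days 3650 -key ca.key -out ca.crt \
            -subj "/CN=Example Test CA" -config openssl.cnf -extensions v3_ca
        # Server key and signing request; CN is the hostname, as in the post
        openssl genrsa -out "$host.key" 2048 2>/dev/null
        openssl req -new -key "$host.key" -out "$host.csr" -subj "/CN=$host" -config openssl.cnf
        # Sign with the CA, adding subjectAltName: browsers match the name against
        # SAN, not CN (for an IP host use IP:a.b.c.d instead of DNS: in the config)
        openssl ca -batch -config openssl.cnf -policy policy_anything -days 3650 \
            -cert ca.crt -keyfile ca.key -in "$host.csr" -out "$host.crt" \
            -extensions v3_server
        # Verify the chain and the SAN before pointing nginx at the files
        openssl verify -CAfile ca.crt "$host.crt" >/dev/null
        openssl x509 -in "$host.crt" -noout -text | grep -q "DNS:$host"
    )
}
```

The post's 1024-bit server key is below today's usual 2048-bit floor, so the script uses 2048 bits throughout; the resulting xxxx.crt and unencrypted xxxx.key are what the nginx ssl_certificate and ssl_certificate_key directives expect.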
Configure Nginx
In the Nginx server configuration block (or in a newly created server block), modify or add the following:
listen 443;
ssl on;
ssl_certificate /path/to/xxxx.crt;
ssl_certificate_key /path/to/xxxx.key;
keepalive_timeout 70;
The last item is said to be an optimization and can be left out.
Two further optimizations can be added to the http{} configuration block:
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
After the modification is complete, run nginx -t to check that the configuration file is well formed.
If the error reports an unknown directive "ssl", the main reason is that Nginx was compiled and installed without the SSL module. The fix is to locate the Nginx source package directory used at the time (or download a fresh one), enter it, and rerun ./configure --with-http_ssl_module followed by make. Be careful NOT to run make install, because that would overwrite the current Nginx and its configuration files!
Then replace the Nginx executable currently installed on the system with the objs/nginx executable from the source package directory (back up the old one first).
After that, nginx -t should pass.
"https" self-signed CA certificate && nginx configuration HTTPS Service