1. Install openssl
apt update
apt install openssl
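2. Generate the certificates
1. CA certificate
- Create the private key (2048 bits; a 1024-bit RSA key is too weak and is rejected at OpenSSL security level 2)
openssl genrsa -out ca-key.pem 2048
- Create the csr certificate request
openssl req -new -key ca-key.pem -out ca-req.csr -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=CA"
- Generate the crt certificate (self-signed with the CA's own key)
openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -days 3650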
2. Server certificate
- Create the server private key
openssl genrsa -out server-key.pem 2048
- Create the server csr certificate request
openssl req -new -out server-req.csr -key server-key.pem -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=*.fish-test.com"
- Generate the server crt certificate, signed by the CA (-signkey is dropped here: it requests a self-signed certificate and conflicts with -CA, and OpenSSL 3 rejects the combination)
openssl x509 -req -in server-req.csr -out server-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650
3. Client certificate
- Create the client private key
openssl genrsa -out client-key.pem 2048
- Create the client csr certificate request
openssl req -new -out client-req.csr -key client-key.pem -subj "/C=CN/ST=BJ/L=BJ/O=fish/OU=fish/CN=dong"
- Generate the client crt certificate, signed by the CA (again without -signkey, which conflicts with -CA)
openssl x509 -req -in client-req.csr -out client-cert.pem -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650
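3. Use https in nginx
Here I use the two server-side files, server-cert.pem and server-key.pem, placed in the folder /opt/nginx/ssl.
Search globally for 443 to locate the file /etc/nginx/sites-available/default.
Edit the file:
# The following two lines are commented out by default; uncomment them
listen 443 ssl default_server;
listen [::]:443 ssl default_server;
# Add the following two lines; you have to generate the certificate files yourself
ssl_certificate /opt/nginx/ssl/server-cert.pem;
ssl_certificate_key /opt/nginx/ssl/server-key.pem;
With this, nginx supports https; enable it in whichever server block needs it.
The original http configuration file is as follows: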
server {
    listen 20006;
    server_name _;
    location / {
        root /opt/item/dist;
        index index.html;
        error_page 404 /index.html;
    }
}
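Changed to https, the configuration file is as follows:
server {
    # The "ssl" parameter on each listen directive replaces "ssl on;",
    # which is deprecated and was removed in nginx 1.25.1
    listen 20006 ssl;
    listen 443 ssl;
    ssl_certificate /opt/nginx/ssl/server-cert.pem;
    ssl_certificate_key /opt/nginx/ssl/server-key.pem;
    server_name _;
    location / {
        root /opt/item/dist;
        index index.html;
        error_page 404 /index.html;
    }
}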
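A check worth running before pointing nginx at the generated files, given as an added example that is not part of the original page: it confirms that the server certificate chains to ca-cert.pem, that server-key.pem matches it, and that the key is at least 2048 bits. The function names and the temporary directory are assumptions, and the throwaway demo CA also gets basicConstraints=CA:TRUE, which the page's command does not set.

```bash
#!/usr/bin/env bash
# Added example, not from the original page. File names follow the page;
# check_cert, make_demo and the temp directory are assumptions.

# check_cert CA_CERT CERT KEY: print one status word; return 0 only for "ok".
check_cert() {
    local ca="$1" cert="$2" key="$3" cert_pub key_pub bits
    # 1. The certificate must chain to the CA (a self-signed one does not).
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "untrusted"; return 1; }
    # 2. The private key must belong to the certificate's public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key-mismatch"; return 1; }
    # 3. RSA keys under 2048 bits fail OpenSSL security level 2.
    bits=$(openssl x509 -in "$cert" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "weak-key"; return 1; }
    echo "ok"
}

# make_demo DIR: constructed throwaway material built with the page's commands.
# Addition: the CA gets basicConstraints=CA:TRUE through -extfile.
# selfsigned-cert.pem (-signkey, no CA) must fail the chain check.
make_demo() {
    local subj="/C=CN/ST=BJ/L=BJ/O=fish/OU=fish"
    ( cd "$1" &&
      printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext &&
      openssl genrsa -out ca-key.pem 2048 &&
      openssl req -new -key ca-key.pem -out ca-req.csr -subj "$subj/CN=CA" &&
      openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem \
          -extfile ca.ext -days 30 &&
      openssl genrsa -out server-key.pem 2048 &&
      openssl req -new -key server-key.pem -out server-req.csr \
          -subj "$subj/CN=*.fish-test.com" &&
      openssl x509 -req -in server-req.csr -out server-cert.pem \
          -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 30 &&
      openssl x509 -req -in server-req.csr -out selfsigned-cert.pem \
          -signkey server-key.pem -days 30
    ) >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
make_demo "$demo_dir" && check_cert "$demo_dir/ca-cert.pem" \
    "$demo_dir/server-cert.pem" "$demo_dir/server-key.pem"
rm -rf "$demo_dir"
```

Against the real files, call check_cert with ca-cert.pem, /opt/nginx/ssl/server-cert.pem and /opt/nginx/ssl/server-key.pem, then run nginx -t before reloading.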