【内网自制无需密码的SSL证书--适用与IP或者localhost】

news2024/11/26 1:32:35

内网自制无需密码的SSL证书--适用与IP或者localhost

- 前言
- 步骤
- - 确认是否安装openssl
  - 自制CA私钥
  - 自制csr文件
  - 免除密码
  - 自制CA证书
- 验证

前言

搞半死，原来这么简单，今天就把教程分享给大家，本文基于CentOS7环境的openssl生成SSL自制证书，在nginx上测试通过

步骤

确认是否安装openssl

[root@localhost ssl]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

自制CA私钥

[root@localhost ssl]# openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
...........+++
................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

这里需要输入一个大于四位数的密码，自己记住就行

自制csr文件

[root@localhost ssl]# openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456
An optional company name []:
[root@localhost ssl]#

这里需要你验证刚才输入的密码

然后要求输入一系列信息，可以都不输入，一路回车到结束即可

免除密码

[root@localhost ssl]# openssl rsa -in server.key -out nginx.key
Enter pass phrase for server.key:
writing RSA key
[root@localhost ssl]# ll
总用量 12
-rw-r--r--. 1 root root 1675 7月  19 11:07 nginx.key
-rw-r--r--. 1 root root 1102 7月  19 11:07 server.csr
-rw-r--r--. 1 root root 1743 7月  19 11:06 server.key

会要求你验证前面定义过的密码，另外生成key文件nginx.key是无密码的，可用于下一步签证

自制CA证书

[root@localhost ssl]# openssl x509 -req -days 36500 -in server.csr -signkey nginx.key -out nginx.crt
Signature ok
subject=/C=CN/ST=Fujian/L=Fuzhou/O=fzkcy/OU=fzkcy/CN=localhost/emailAddress=fzkcy@fzkcy.com
Getting Private key
[root@localhost ssl]# ll
总用量 16
-rw-r--r--. 1 root root 1281 7月  19 11:08 nginx.crt
-rw-r--r--. 1 root root 1675 7月  19 11:07 nginx.key
-rw-r--r--. 1 root root 1102 7月  19 11:07 server.csr
-rw-r--r--. 1 root root 1743 7月  19 11:06 server.key
[root@localhost ssl]#

验证

拷贝生成的nginx.crt和nginx.key两个文件到/etc/nginx/ssl目录下
在这里插入图片描述
修改/etc/nginx/nginx.conf文件，加入一下配置：

	server {
		listen 443 ssl;
		server_name localhost;
		client_max_body_size 500M;

		ssl_certificate      /etc/nginx/ssl/nginx.crt;
		ssl_certificate_key  /etc/nginx/ssl/nginx.key;
		ssl_session_cache    shared:SSL:1m;
		ssl_session_timeout  5m;
		ssl_ciphers  HIGH:!aNULL:!MD5;
		ssl_prefer_server_ciphers  on;
		error_page  497  https://$host:443$uri;

		add_header X-Frame-Options SAMEORIGIN always;
		add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
		add_header X-Content-Type-Options nosniff;
		add_header X-Download-Options "noopen" always;
		add_header X-Permitted-Cross-Domain-Policies  "master-only";
		add_header 'Referrer-Policy' 'origin';
		add_header X-Xss-header  "1;mode=block";
		add_header Content-Security-Policy "script-src * 'unsafe-inline' 'unsafe-eval'";
	}

看到这个页面，就表示成功了！
在这里插入图片描述