Building a CA on CentOS 7 and using it for HTTPS
TLS: Transport Layer Security.
SSL: Secure Sockets Layer.
For developers who are not security specialists, TLS and SSL can be treated as the same thing. Strictly, TLS is the IETF successor of Netscape's SSL (TLS 1.0 followed SSL 3.0); every SSL version is now deprecated and what you should actually be running is TLS 1.2 or 1.3. Details: http://kb.cnblogs.com/page/197396/
KEY usually refers to the private key.
CSR: Certificate Signing Request. This is not a certificate. It carries the applicant's public key together with the subject name (DN) and any requested extensions, self-signed with the matching private key; it is what you hand to a certificate authority to have a certificate issued. The private key itself never leaves the applicant.
CRT: the certificate.
X.509 is the certificate format. In X.509 the issuer is always a CA (or someone the CA delegates to); a certificate is a set of standard fields describing a user or device and its public key, signed by the issuer.
X.509 certificate files usually end in .crt; depending on how the content is encoded there are two formats:
PEM - Privacy Enhanced Mail. Text: starts with "-----BEGIN...", ends with "-----END...", Base64 in between.
Apache and *NIX servers tend to use this encoding.
DER - Distinguished Encoding Rules. Binary, not human-readable.
Java and Windows servers tend to use this encoding.
OpenSSL is an implementation of SSL/TLS: if the TLS specification is the interface (in the OO sense), OpenSSL is one implementation of it. The specification can be sound while an implementation has defects; Heartbleed (CVE-2014-0160) was a bug in OpenSSL, not in TLS.
OpenSSL is an open-source project with three main components:
- openssl: the multi-purpose command-line tool
- libcrypto: the cryptographic algorithm library
- libssl: the SSL/TLS protocol library, built on libcrypto
The openssl command covers key and certificate management, symmetric and asymmetric encryption, and more (see the project website).
Commands
Most day-to-day use of openssl is through its subcommands. The most common ones are:
- genrsa: generate RSA private keys
- req: create certificate signing requests and self-signed certificates
- x509: display, convert and sign X.509 certificates
- rsa: process RSA keys (format conversion, adding or removing a passphrase)
- ca: run a minimal CA (sign requests against a database of issued certificates, revoke, generate CRLs)
genrsa
Overview
Used mainly to generate private keys; you choose the key length and, optionally, a symmetric cipher and passphrase to protect the key file.
Basic usage:
openssl genrsa [args] [numbits]
Common parameters (see openssl genrsa -help for the rest):
args1 whether to encrypt the generated key file with a symmetric cipher:
-des : DES in CBC mode (obsolete, do not use)
-des3 : 3DES in CBC mode (legacy)
-aes128 : AES-128 in CBC mode
-aes192 : AES-192 in CBC mode
-aes256 : AES-256 in CBC mode (preferred if you encrypt the key at all)
args2 the passphrase for that encryption
-passout pass:passwords
passwords is the passphrase for the symmetric cipher (des, 3des, aes). Giving it here skips the interactive prompt, but it also lands in your shell history and in /proc/<pid>/cmdline, so on real systems prefer -passout file:... or the prompt.
args3 output file
-out file : the private key file to write
[numbits]: key length in bits. Use at least 2048; 1024-bit RSA is rejected by browsers and by current OpenSSL security levels.
Generate a 2048-bit RSA private key, encrypt it with 3DES (passphrase 123456) and save it as server.key:
openssl genrsa -des3 -passout pass:123456 -out server.key 2048
// -des3 is the first parameter, args1
// -passout pass:123456 is the second, args2
// -out server.key is the third, args3
// 2048 is the final [numbits] parameter
req
req has two main jobs: generating certificate signing requests and generating self-signed certificates. It does more, but these two are the common cases.
Common usage:
openssl req [args] outfile
Main parameters (see openssl req -help for the rest):
args1 input file format: -inform arg
-inform DER input is DER
-inform PEM input is PEM
args2 output file format: -outform arg
-outform DER write DER
-outform PEM write PEM
args3 the file to process
-in inputfilepath
args4 the file to write
-out outputfilepath
args5 passphrase of the private key that signs the request
-passin passwords
args6 the private key used to sign the request
-key file
args7 encoding of the input key: -keyform arg
-keyform DER
-keyform NET
-keyform PEM
args8 generate a new request
-new
args9 output a self-signed X.509 certificate instead of a request
-x509
args10 validity of the self-signed certificate, in days
-days // -days 3650 is ten years
args11 generate a new RSA key of the given length at the same time (key plus self-signed certificate in one step)
-newkey rsa:bits
args12 signature digest -[digest] (this hashes the certificate or request body; it has nothing to do with the key itself)
-sha256 // the default in current OpenSSL and the minimum browsers accept
-sha1 // browsers have rejected SHA-1 certificates since 2017
-md5 // broken, do not use
-md2, -md4, -mdc2 // obsolete
args13 the openssl configuration file; DN defaults and extensions are much easier to put here than on the command line
-config filepath
args14 print the request or certificate as text (for inspection)
-text
Example: generate a CSR from an existing private key
openssl req -new -key server.key -out server.csr
Example: generate a self-signed certificate from an existing private key
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
x509
x509 is a general certificate-handling tool: it displays certificate contents, converts formats and signs CSRs into certificates.
Usage:
openssl x509 [args]
Parameters (see openssl x509 -help for the rest):
args1 input format: -inform arg
-inform DER input is DER
-inform PEM input is PEM
args2 output format: -outform arg
-outform DER write DER
-outform PEM write PEM
args3 the X.509 file to process
-in inputfilepath
args4 the X.509 file to write
-out outputfilepath
args5 the input is a CSR to be signed, not a certificate
-req
args6 validity of the signed certificate, in days
-days // -days 3650 is ten years
args7 the CA certificate that issues the new certificate
-CA arg
args8 format of the CA certificate (default PEM)
-CAform arg
args9 the CA private key
-CAkey arg
args10 format of the CA private key (default PEM)
-CAkeyform arg
args11 the serial number file
-CAserial arg
args12 create the serial number file if it does not exist yet
-CAcreateserial
args13 signature digest -[digest]
-sha256 // use this
-sha1, -md5, -md2, -md4, -mdc2 // obsolete; browsers reject SHA-1 and anything weaker
Example: sign the request server.csr with the CA certificate ca.crt and CA key ca.key, producing an X.509 certificate
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out serverx509.crt
Caveat: x509 -req does not copy extensions (subjectAltName, basicConstraints, keyUsage) from the CSR into the certificate. Unless you pass -extfile (and -extensions when the file has several sections), the certificate ends up with no SAN at all, which is exactly what triggers Chrome's missing_subjectAltName error described below.
rsa
Key housekeeping: convert between PEM and DER, add or remove a passphrase (used later on this page to strip the passphrase from server.key), print the modulus.
ca
A minimal certificate authority: signs CSRs against a database (index.txt, serial) according to the [ ca ] section of the config file, and also revokes certificates and generates CRLs. Used in part two below.
Self-signed certificates
Chrome and self-signed certificates
Insecurity of the SHA-1 digest
Google announced on its official blog that Chrome would progressively downgrade the security indicator for SHA-1 certificates. At the time google.com itself still used a SHA-1 certificate, due to expire within three months, and Google moved to SHA-2 from 2015. Back then no practical attack on SHA-1 was known, only that the cost of forging a certificate was falling; the practical collision was demonstrated in February 2017 (SHAttered) and all major browsers have rejected SHA-1 certificates since then. Sign with SHA-256.
Chrome's missing subjectAltName complaint
A plain self-signed certificate that only sets the Common Name no longer works in Chrome; it reports missing_subjectAltName. Since Chrome 58 the hostname is matched only against the subjectAltName extension, never against the CN, so the certificate must carry a SAN with DNS: (and, if you browse by address, IP:) entries.
Fixing missing_subjectAltName therefore means adding the SAN when the certificate is signed, through a config section (req_extensions / x509_extensions) or -extfile; a CN alone is not enough.
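As an added example (not code from the original post), the script below chains the three commands from the reference above (genrsa, req, x509 -req) into a working root plus server certificate and shows the missing_subjectAltName cause concretely: the CSR asks for a SAN, but x509 -req drops it unless the extensions are passed again with -extfile. The CA name, the hostnames www.kojiweb.com / kojiweb.com and the address 10.10.3.193 are placeholders taken from this page or made up; it needs only the openssl binary.

```shell
#!/bin/sh
# Added example, not code from the original post. It chains the commands from
# the reference above (genrsa, req, x509 -req) and shows the cause of Chrome's
# missing_subjectAltName: "openssl x509 -req" does not copy the SAN requested
# in the CSR unless the extensions are passed again with -extfile.
# Hostnames and the IP are placeholders; only the openssl binary is needed.
set -eu

# Root CA: key plus self-signed certificate carrying CA:TRUE and keyCertSign.
make_root() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
C  = cn
O  = superred
CN = superred test root
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -sha256 -days 3650 -config "$dir/ca.cnf" \
        -key "$dir/ca.key" -out "$dir/ca.crt"
}

# Server key and CSR. The CSR asks for a SAN through req_extensions.
make_csr() {
    dir=$1
    cat > "$dir/server.cnf" <<'EOF'
[ req ]
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
C  = cn
O  = superred
CN = www.kojiweb.com
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:www.kojiweb.com, DNS:kojiweb.com, IP:10.10.3.193
EOF
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -config "$dir/server.cnf" \
        -key "$dir/server.key" -out "$dir/server.csr"
}

# Signing the way the page does (no -extfile): the SAN from the CSR is lost.
sign_plain() {
    openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/server-nosan.crt" >/dev/null 2>&1
}

# Signing with the extensions supplied again: reuse the CSR config's v3_req
# section so SAN, CA:FALSE and key usage end up in the certificate.
sign_with_ext() {
    openssl x509 -req -sha256 -days 365 -in "$1/server.csr" \
        -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -extfile "$1/server.cnf" -extensions v3_req \
        -out "$1/server.crt" >/dev/null 2>&1
}

# "yes" if the certificate file $1 carries a subjectAltName, else "no".
has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q 'Subject Alternative Name'
    then echo yes; else echo no; fi
}

# Chain and hostname check of server.crt against the root, the way a browser
# does it: prints "ok" or "fail".
verify_host() {
    if openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" \
        "$1/server.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}

work=$(mktemp -d)
make_root "$work"; make_csr "$work"; sign_plain "$work"; sign_with_ext "$work"
echo "SAN without -extfile: $(has_san "$work/server-nosan.crt")"    # no
echo "SAN with -extfile:    $(has_san "$work/server.crt")"          # yes
echo "www.kojiweb.com:      $(verify_host "$work" www.kojiweb.com)"  # ok
echo "www.kojihub.com:      $(verify_host "$work" www.kojihub.com)"  # fail
```

The second hostname check fails even though the CN check alone would be ambiguous: once a SAN is present, verifiers (OpenSSL here, browsers always) match the host only against the SAN entries, so a certificate issued for www.kojiweb.com is never accepted for www.kojihub.com.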
References: OpenSSL in detail; OpenSSL introduction; self-signed certificate practice.
What a CA is
CA: Certificate Authority, the entity that issues digital certificates to users and servers.
Functions: issuing, renewing and revoking certificates, and publishing what relying parties need to validate them.
Purpose: authentication of the certificate holder, and non-repudiation of what the holder signs.
Port: 443 is the HTTPS port on which the *server* presents its certificate; the CA itself is offline tooling here and listens on nothing.
Certificate request: the CSR (Certificate Signing Request) is produced by the applicant, who generates a private key and then a request carrying the matching public key and subject name. Only the CSR is submitted to the CA, never the private key. The CA signs it with the CA's own private key, and the result is the certificate issued to the applicant.
Part one: building the CA
Set up your own CA.
Setup: client CentOS 7.7, server CentOS 7.7.
Preparation
On the server (CentOS 7.7):
/etc/pki/CA/index.txt tracks the issued certificates. It starts empty and must be exactly 0 bytes; a stray newline produces "wrong number of fields on line 1 (looking for field 6, got 1, '' left)".
/etc/pki/CA/serial holds the serial number for the next certificate; start it at 01 (any other hex value such as 00 also works).
touch /etc/pki/CA/index.txt
echo 01 > /etc/pki/CA/serial
The configuration file shipped with openssl-1.0.2k-19.el7 (one line in [ usr_cert ] was changed in this setup; see the note after the listing):
[aaa@qq.com CA]# cat ../tls/openssl.cnf
#
# OpenSSL example configuration file.
# This is mostly being used for generation of certificate requests.
#
# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .
RANDFILE = $ENV::HOME/.rnd
# Extra OBJECT IDENTIFIER info:
#oid_file = $ENV::HOME/.oid
oid_section = new_oids
# To use this configuration file with the "-extfile" option of the
# "openssl x509" utility, name here the section containing the
# X.509v3 extensions to use:
# extensions =
# (Alternatively, use a configuration file that has only
# X.509v3 extensions in its main [= default] section.)
[ new_oids ]
# We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Policies used by the TSA examples.
tsa_policy1 = 1.2.3.4.1
tsa_policy2 = 1.2.3.4.5.6
tsa_policy3 = 1.2.3.4.5.7
####################################################################
[ ca ]
default_ca = CA_default # The default ca section
####################################################################
[ CA_default ]
#dir = /etc/pki/CA # Where everything is kept
dir = .
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
#unique_subject = no # Set to 'no' to allow creation of
# several ctificates with same subject.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
crlnumber = $dir/crlnumber # the current crl number
# must be commented out to leave a V1 CRL
crl = $dir/crl.pem # The current CRL
private_key = $dir/private/cakey.pem# The private key
RANDFILE = $dir/private/.rand # private random number file
x509_extensions = usr_cert # The extentions to add to the cert
# Comment out the following two lines for the "traditional"
# (and highly broken) format.
name_opt = ca_default # Subject Name options
cert_opt = ca_default # Certificate field options
# Extension copying option: use with caution.
# copy_extensions = copy
# Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
# so this is commented out by default to leave a V1 CRL.
# crlnumber must also be commented out to leave a V1 CRL.
# crl_extensions = crl_ext
default_days = 365 # how long to certify for
default_crl_days= 30 # how long before next CRL
default_md = sha256 # use SHA-256 by default
preserve = no # keep passed DN ordering
# A few difference way of specifying how similar the request should look
# For type CA, the listed attributes must be the same, and the optional
# and supplied fields are just that :-)
policy = policy_match
# For the CA policy
[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
# For the 'anything' policy
# At this point in time, you must list all acceptable 'object'
# types.
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
####################################################################
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert
# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret
# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only
# req_extensions = v3_req # The extensions to add to a certificate request
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = cn
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = beijing
localityName = Locality Name (eg, city)
localityName_default = beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = superred
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = linux
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = aaa@qq.com
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ req_attributes ]
challengePassword = A challenge password
challengePassword_min = 4
challengePassword_max = 20
unstructuredName = An optional company name
[ usr_cert ]
# These extensions are added when 'ca' signs a request.
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
# Leave this at CA:FALSE. Setting CA:TRUE here does not "make this machine a
# CA": it makes every certificate this CA issues a CA certificate, so whoever
# holds server.key could issue certificates that chain to your root. The CA's
# own certificate gets its CA:TRUE from [ v3_ca ] below.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
[ v3_ca ]
# Extensions for a typical CA
# PKIX recommendation.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer
# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true
# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign
# Some might want this also
# nsCertType = sslCA, emailCA
# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy
# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF
[ crl_ext ]
# CRL extensions.
# Only issuerAltName and authorityKeyIdentifier make any sense in a CRL.
# issuerAltName=issuer:copy
authorityKeyIdentifier=keyid:always
[ proxy_cert_ext ]
# These extensions should be added when creating a proxy certificate
# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.
basicConstraints=CA:FALSE
# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.
# This is OK for an SSL server.
# nsCertType = server
# For an object signing certificate this would be used.
# nsCertType = objsign
# For normal client use this is typical
# nsCertType = client, email
# and for everything including object signing:
# nsCertType = client, email, objsign
# This is typical in keyUsage for a client certificate.
# keyUsage = nonRepudiation, digitalSignature, keyEncipherment
# This will be displayed in Netscape's comment listbox.
nsComment = "OpenSSL Generated Certificate"
# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer
# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move
# Copy subject details
# issuerAltName=issuer:copy
#nsCaRevocationUrl = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName
# This really needs to be in place for it to be a proxy certificate.
proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo
####################################################################
[ tsa ]
default_tsa = tsa_config1 # the default TSA section
[ tsa_config1 ]
# These are used by the TSA reply generation only.
dir = ./demoCA # TSA root directory
serial = $dir/tsaserial # The current serial number (mandatory)
crypto_device = builtin # OpenSSL engine to use for signing
signer_cert = $dir/tsacert.pem # The TSA signing certificate
# (optional)
certs = $dir/cacert.pem # Certificate chain to include in reply
# (optional)
signer_key = $dir/private/tsakey.pem # The TSA private key (optional)
default_policy = tsa_policy1 # Policy if request did not specify it
# (optional)
other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional)
digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory)
accuracy = secs:1, millisecs:500, microsecs:100 # (optional)
clock_precision_digits = 0 # number of digits after dot. (optional)
ordering = yes # Is ordering defined for timestamps?
# (optional, default: no)
tsa_name = yes # Must the TSA name be included in the reply?
# (optional, default: no)
ess_cert_id_chain = no # Must the ESS cert id chain be included?
# (optional, default: no)
Before starting, cd to /etc/pki/tls so the openssl files are easy to reference.
The only change made to /etc/pki/tls/openssl.cnf in this setup was basicConstraints=CA:FALSE -> CA:TRUE in [ usr_cert ], intended to "turn this machine into the CA". It does not do that and should be reverted: [ usr_cert ] is the extension set applied to the certificates this CA *issues*, not to the CA itself. With CA:TRUE, the server.crt issued below becomes a CA certificate, and anyone holding server.key could mint further certificates trusted by every client that trusts your root (you can see the effect in the "X509v3 Basic Constraints: CA:TRUE" line of the signing output later). Leave it at CA:FALSE; the root receives CA:TRUE from [ v3_ca ], which req -x509 applies through the x509_extensions setting of the [ req ] section.
Configure the CA: generate the private key and root certificate
[aaa@qq.com CA]# pwd
/etc/pki/CA
[aaa@qq.com CA]# ls
certs crl index.txt newcerts private serial
Method 1: the CA wrapper script shipped with OpenSSL
[aaa@qq.com CA]# /etc/pki/tls/misc/CA -h
usage: /etc/pki/tls/misc/CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify
[aaa@qq.com CA]# /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)
Making CA certificate ...
Generating a 2048 bit RSA private key
..+++
..................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [superred]:
Organizational Unit Name (eg, section) [linux]:
Common Name (eg, your name or your server's hostname) []:www.kojihub.com
Email Address [aaa@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Jun 2 02:07:06 2020 GMT
Not After : Jun 2 02:07:06 2023 GMT
Subject:
countryName = cn
stateOrProvinceName = beijing
organizationName = superred
organizationalUnitName = linux
commonName = www.kojihub.com
emailAddress = aaa@qq.com
(countryName is the country, stateOrProvinceName the province, organizationName the company, organizationalUnitName the department. For commonName use the machine's FQDN: check it with hostname -f, and set it with HOSTNAME=kojihub in /etc/sysconfig/network and "10.10.3.161 www.kojihub.com kojihub" in /etc/hosts. This is the CA's own name; browsers never match it against a URL.)
X509v3 extensions:
X509v3 Subject Key Identifier:
45:DC:45:10:24:27:81:57:A1:66:FD:96:FA:C1:A1:82:0F:57:DB:32
X509v3 Authority Key Identifier:
keyid:45:DC:45:10:24:27:81:57:A1:66:FD:96:FA:C1:A1:82:0F:57:DB:32
X509v3 Basic Constraints:
CA:TRUE
Certificate is to be certified until Jun 2 02:07:06 2023 GMT (1095 days)
Write out database with 1 new entries
Data Base Updated
Resulting files
[aaa@qq.com CA]# ls
cacert.pem careq.pem certs crl index.txt index.txt.attr index.txt.old newcerts private serial serial.old
[aaa@qq.com CA]# cat index.txt
V 230602021836Z 01 unknown /C=cn/ST=beijing/O=superred/OU=linux/CN=www.kojihub.com/aaa@qq.com
V: valid
R: revoked, no longer usable
[aaa@qq.com CA]# cat serial
02
[aaa@qq.com CA]# ls private/
cakey.pem
/etc/pki/CA/cacert.pem: the CA's root certificate
/etc/pki/CA/private/cakey.pem: the CA's private key (keep it mode 0600; anyone who can read it can issue certificates in your name)
/etc/pki/CA/careq.pem: the request from which the root certificate was self-signed
Method 2 (the one I use most often)
cd /etc/pki/koji/
mkdir {certs,private,confs}
touch index.txt
echo 01 > serial
cp /etc/pki/tls/openssl.cnf /etc/pki/koji/ssl.cnf
1. Generate the CA private key: openssl genrsa -out private/koji_ca_cert.key 2048
2. Generate the self-signed root certificate from it: openssl req -config ssl.cnf -new -x509 -days 3650 -key private/koji_ca_cert.key -out koji_ca_cert.crt -extensions v3_ca
The last command prompts for the DN fields. If you have already edited the defaults for country, state/province, locality and organization in ssl.cnf you can press Enter through them; the Organizational Unit and Common Name are the fields that will differ between the certificates you create. For the CA itself there is no hard requirement on these fields; using the server's FQDN as the CN is a reasonable choice.
To automate this from a configuration-management tool, supply the subject on the command line instead of answering prompts:
openssl req -config ssl.cnf -new -x509 \
-subj "/C=cn/ST=beijing/L=beijing/O=superred/OU=linux/CN=www.kojihub.com" \
-days 3650 -key private/koji_ca_cert.key -out koji_ca_cert.crt -extensions v3_ca
The .crt is already PEM. If a tool wants certificate and key in a single file, concatenate them (the result contains the private key, so protect it like the key):
cat koji_ca_cert.crt private/koji_ca_cert.key > koji_ca_cert.pem
Method 3: plain openssl commands in /etc/pki/CA
1. On the server, generate the RSA private key under /etc/pki/CA/:
[aaa@qq.com CA]# pwd;ls
/etc/pki/CA
certs crl index.txt newcerts private serial
[aaa@qq.com CA]# cd private/
[aaa@qq.com private]# ls
[aaa@qq.com private]# (umask 077;openssl genrsa -out cakey.pem 4096)
Generating RSA private key, 4096 bit long modulus
.......................................................................................................................................++
.......................................................................................................................................................................................................++
e is 65537 (0x10001)
[aaa@qq.com private]# ll
total 4
-rw-------. 1 root root 3243 Jun 1 22:45 cakey.pem
2. On the server, generate the self-signed root certificate
①
[aaa@qq.com CA]# pwd;ls
/etc/pki/CA
certs crl index.txt newcerts private serial
[aaa@qq.com CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [superred]:
Organizational Unit Name (eg, section) [linux]:
Common Name (eg, your name or your server's hostname) []:www.kojihub.com
Email Address [aaa@qq.com]:
[aaa@qq.com CA]# ll
total 8
-rw-r--r--. 1 root root 2139 Jun 1 22:47 cacert.pem
drwxr-xr-x. 2 root root 6 Aug 8 2019 certs
drwxr-xr-x. 2 root root 6 Aug 8 2019 crl
-rw-r--r--. 1 root root 0 Jun 1 22:44 index.txt
drwxr-xr-x. 2 root root 6 Jun 1 22:44 newcerts
drwxr-xr-x. 2 root root 23 Jun 1 22:45 private
-rw-r--r--. 1 root root 3 Jun 1 22:44 serial
② Inspect the self-signed certificate
[aaa@qq.com CA]# ls
cacert.pem certs crl index.txt newcerts private serial
Serial number and subject only:
[aaa@qq.com CA]# openssl x509 -in cacert.pem -noout -serial -subject
Full text dump. In a genuinely self-signed certificate Issuer and Subject are identical; the dump below shows a different CN in Subject, so it came from a different certificate than the one just created, but the structure is the same:
[aaa@qq.com CA]# openssl x509 -in cacert.pem -noout -text
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
9d:4a:2c:38:ae:35:f0:a3
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=cn, ST=beijing, L=beijing, O=superred, OU=linux, CN=www.kojihub.com/aaa@qq.com
Validity
Not Before: Jun 2 02:47:33 2020 GMT
Not After : Jun 2 02:47:33 2021 GMT
Subject: C=cn, ST=beijing, L=beijing, O=superred, OU=linux, CN=kojihub.supered.com/aaa@qq.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (4096 bit)
Modulus:
00:d8:a5:ea:05:34:11:75:fc:cd:89:87:2a:14:fa:
3c:0e:80:e4:95:02:bc:2a:77:41:f3:44:5b:20:5c:
6b:b3:f0:76:06:05:13:21:07:09:4c:f7:0e:27:2a:
15:d8:ec:c7:8d:30:2a:7a:ce:74:f9:b7:ff:22:ba:
1f:86:e1:05:ff:30:66:10:1d:eb:1f:45:ed:15:df:
15:bb:d8:f2:29:2d:4f:d0:32:3a:43:1c:38:87:0b:
e6:51:9b:b4:c1:10:b8:67:3c:fe:58:58:f9:55:e6:
5f:c5:85:71:92:ca:9b:b9:3a:f9:27:0b:9d:74:f6:
ad:9d:28:25:e1:ae:15:0f:8f:f6:f6:9a:ba:87:8b:
ab:69:ce:3e:eb:cf:68:51:2f:41:94:f3:16:e2:10:
6d:ae:eb:e5:0d:8d:55:04:1d:7b:7f:0d:c3:25:60:
58:10:5b:55:1a:ff:37:e6:c2:ea:bb:7b:fe:e7:1f:
a6:e8:63:d7:d2:aa:99:a1:e1:35:68:2b:02:70:8b:
52:1f:bd:87:dc:36:36:54:8d:58:3b:35:0c:9b:d3:
e6:cd:84:a1:2a:5d:a2:d2:ee:42:b2:ec:e5:9a:8a:
53:75:db:b1:b2:d8:09:69:09:9b:c4:c2:d5:8e:ce:
b4:5d:da:c3:c8:be:46:f6:df:f9:89:51:3e:09:1c:
80:61:d9:7d:9f:5a:4c:91:39:56:cf:e6:b9:57:54:
0b:f6:60:ce:23:2e:05:ee:85:2c:f2:fd:2e:23:2c:
69:5c:18:ab:89:e3:c2:21:1d:d8:34:6c:3e:ce:29:
67:c8:56:23:e2:ae:7f:46:cf:d1:1b:0b:4f:73:f2:
d1:44:e3:9d:50:ef:3c:83:68:72:78:2d:fd:cb:46:
7d:98:e3:4e:78:fe:6c:f8:d4:9e:28:d7:94:5c:1b:
a8:50:51:1d:70:a1:06:e5:8a:1b:7b:ae:01:2d:fe:
5f:2a:35:5f:04:af:46:b3:7f:3b:b4:fe:59:03:64:
d2:61:bb:e1:f9:e5:0d:70:61:09:2e:9e:fa:05:12:
40:fd:67:b8:c3:e1:f5:39:5a:4c:4c:e5:df:b2:a7:
e0:da:52:69:b6:32:80:cc:d9:33:de:14:b5:f0:24:
90:a2:4a:19:e8:c7:4d:00:d2:fa:9d:39:07:f0:d7:
73:52:55:c6:f6:3c:33:f1:e8:dc:a5:66:2a:da:e8:
8c:68:4a:91:c5:ea:05:14:ec:77:b3:b4:57:b6:c2:
93:ff:ef:55:3d:9f:ad:6e:12:c6:00:bc:07:e6:85:
36:8b:cc:af:77:cb:6f:e6:f3:7e:97:f6:db:b0:6a:
64:84:84:48:f2:8a:d2:b5:82:f2:7b:dc:d1:18:2e:
be:1c:95
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
2E:B4:54:9F:07:42:9A:EE:23:22:2C:AC:18:AD:5C:D2:B9:CD:2D:6E
X509v3 Authority Key Identifier:
keyid:2E:B4:54:9F:07:42:9A:EE:23:22:2C:AC:18:AD:5C:D2:B9:CD:2D:6E
X509v3 Basic Constraints:
CA:TRUE
Signature Algorithm: sha256WithRSAEncryption
83:1a:c7:7a:a5:5c:b9:36:de:2f:a9:75:0d:d6:73:e3:0d:99:
d6:c1:d7:8e:00:2a:23:3b:94:20:2f:12:25:6b:af:6d:88:68:
34:7f:05:38:3f:e3:19:fe:78:e5:60:b6:f5:f0:a2:6a:27:b4:
d6:1a:a5:53:d5:69:e7:40:e1:70:b6:6d:b4:88:a3:68:43:dc:
14:76:90:f0:7b:52:a2:b4:8a:51:68:62:8c:ae:dd:fe:57:72:
da:34:60:7a:31:86:3e:7f:da:27:72:c6:23:c8:3b:60:3a:41:
a7:6c:cd:7a:40:ee:2f:af:4d:61:79:13:38:ef:e6:1f:63:e9:
7c:32:ba:86:47:73:61:db:35:2c:8e:1e:98:f1:4a:3f:28:f0:
71:2f:bc:c7:1f:ae:9a:b2:4c:35:93:f7:7a:78:31:7b:09:a6:
34:4f:fe:9a:4a:c3:9a:05:4e:90:ef:1f:6a:c6:9e:68:27:8b:
66:2f:28:55:3a:16:e5:7f:c3:b2:8a:3b:9d:f3:76:55:9e:90:
6d:cc:ad:9b:3b:d6:7c:96:76:af:ae:21:6b:18:8d:ba:43:b1:
a0:4f:9d:be:03:2c:6f:df:8d:d2:b0:b6:c3:1b:e8:cb:3b:31:
a9:18:01:5a:6d:74:76:aa:0b:79:22:2e:61:f4:d6:2a:05:be:
aa:aa:bc:d7:c8:ea:73:45:61:d5:79:7b:4a:8f:6d:87:4a:ad:
ef:3b:85:d5:f7:96:48:ff:99:be:8e:6a:08:4e:ba:4b:b2:97:
80:d0:c6:e0:56:c3:0f:2e:68:02:a8:cf:13:03:f5:92:22:a8:
e8:8a:2e:5d:9a:a8:73:01:92:19:6d:1e:d7:91:d6:c5:4e:30:
bf:76:80:22:ad:0d:f6:99:1e:7c:9d:4b:8b:f2:04:32:d5:f5:
a7:5a:a7:14:49:53:49:48:d1:9e:4e:d1:14:27:92:af:cf:38:
1e:45:08:fc:cf:a6:c3:87:ae:83:92:44:dc:92:46:13:86:f6:
39:59:73:2c:1d:6a:0c:cc:12:1f:c3:41:6e:81:4c:61:37:02:
0e:4c:2e:4e:94:63:ac:ff:36:c5:95:ad:a0:28:88:7a:28:1a:
52:33:09:83:84:38:32:08:c0:9e:61:91:34:97:2c:3d:42:88:
8c:5a:77:a8:db:6b:ca:c7:51:d9:4f:91:e6:48:f3:12:da:6f:
48:89:79:83:db:31:05:fc:25:e3:5c:34:f1:f6:ab:72:2b:8e:
62:c1:21:93:9a:3e:75:7a:70:39:db:48:54:d7:65:73:9d:f9:
fa:a5:1c:30:c2:25:52:ba:03:4b:7c:42:44:fa:f3:ae:61:d1:
06:ed:4e:e4:10:7b:8f:8e
③ Show single fields: -issuer prints the issuer, -dates the validity period
[aaa@qq.com CA]# openssl x509 -in cacert.pem -noout -issuer
issuer= /C=cn/ST=beijing/L=beijing/O=superred/OU=linux/CN=www.kojihub.com/aaa@qq.com
On the client (CentOS 7.7):
Part two: obtaining a certificate for HTTPS
1. Install httpd:
[aaa@qq.com ~]# yum -y install httpd
[aaa@qq.com ~]# vim /etc/httpd/conf/httpd.conf
// change #ServerName www.example.com:80 to ServerName www.kojiweb.com:80
[aaa@qq.com ~]# systemctl start httpd
2. Generate the certificate request on the client
Generate a private key:
[aaa@qq.com ~]# openssl genrsa -des3 -out /etc/httpd/conf.d/server.key 2048    # passphrase-protected
[aaa@qq.com ~]# openssl genrsa -out /etc/httpd/conf.d/server.key 2048          # unprotected (httpd can then start unattended)
Look at the client's private key:
[aaa@qq.com conf.d]# ls
autoindex.conf README server.key ssl.conf userdir.conf welcome.conf
[aaa@qq.com conf.d]# cat server.key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,087E1B2B7A2E837A
[encrypted key body omitted]
-----END RSA PRIVATE KEY-----
The Proc-Type/DEK-Info headers show that the key file is passphrase-encrypted (3DES here, from -des3); httpd will ask for that passphrase on every start.
To strip the passphrase from an existing key:
openssl rsa -in server.key -out server.key.unsecure
Alternatively do not set a passphrase when creating server.key, or create an unencrypted key and a self-signed certificate in one step (-nodes means "no DES", i.e. do not encrypt the key; the key size comes from default_bits in the config):
openssl req -new -x509 -nodes -out server.crt -keyout server.key
Generate the request (-config ssl.cnf is the copy made in method 2; -nodes only matters when req generates a new key, so it has no effect here with -key):
[aaa@qq.com conf.d]# openssl req -config ssl.cnf -new -nodes -key /etc/httpd/conf.d/server.key -out certs/server.csr
Enter pass phrase for /etc/httpd/conf.d/server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [cn]:
State or Province Name (full name) [beijing]:
Locality Name (eg, city) [beijing]:
Organization Name (eg, company) [superred]:
Organizational Unit Name (eg, section) [linux]:
Common Name (eg, your name or your server's hostname) []:www.kojiweb.com
Email Address [aaa@qq.com]:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
The country, province and organization you enter must match the CA's values: the CA's policy_match section requires countryName, stateOrProvinceName and organizationName to be identical to the CA certificate's, otherwise openssl ca refuses the request.
3. Send the request to the CA server:
[aaa@qq.com conf.d]# scp certs/server.csr 10.10.3.161:~
4. On the CA server (not the client): sign the request
Run this from /etc/pki/CA, because the config has dir = .
[aaa@qq.com ~]# openssl ca -config /etc/pki/tls/openssl.cnf -keyfile /etc/pki/CA/private/cakey.pem -cert /etc/pki/CA/cacert.pem -in /root/server.csr -out /root/server.crt
or, with the method 2 layout:
[aaa@qq.com ~]# openssl ca -config ssl.cnf -keyfile private/koji_ca_cert.key -cert koji_ca_cert.crt -out certs/server.crt -outdir certs -infiles certs/server.csr
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:    <- the CA private key's passphrase
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 2 (0x2)
Validity
Not Before: Jun 2 03:06:47 2020 GMT
Not After : Jun 2 03:06:47 2021 GMT
Subject:
countryName = cn
stateOrProvinceName = beijing
organizationName = superred
organizationalUnitName = linux
commonName = www.kojiweb.com
emailAddress = aaa@qq.com
X509v3 extensions:
X509v3 Basic Constraints:
CA:TRUE
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Key Identifier:
12:B8:C9:28:90:68:A2:FB:33:59:49:58:F6:30:2E:96:A4:56:10:40
X509v3 Authority Key Identifier:
keyid:64:C2:24:33:C7:CB:9E:36:CF:A2:75:2A:77:AB:6E:09:4D:C5:91:06
Certificate is to be certified until Jun 2 03:06:47 2021 GMT (365 days)
Sign the certificate? [y/n]:y    <- confirm issuing
1 out of 1 certificate requests certified, commit? [y/n]y    <- confirm writing to the database
Write out database with 1 new entries
Data Base Updated
The CA signs with its own private key, /etc/pki/CA/private/cakey.pem. Note the "X509v3 Basic Constraints: CA:TRUE" in the output above: it is the consequence of the [ usr_cert ] change discussed earlier, and it means this server certificate could itself issue certificates. With the stock CA:FALSE the line reads CA:FALSE, which is what a server certificate should have.
5. Hand the issued certificate back
Issuing is nothing more than that signature; nothing is "encrypted with the CA's public key" (a public key cannot keep anything secret, and a certificate is public data anyway). Copy the certificate back to the client:
scp server.crt 10.10.3.193:~
On the client: cat server.crt private/server.key > server.pem
server.pem then begins with the same certificate the CA kept as newcerts/01.pem (certs/01.pem when -outdir certs was used); the CA's copy has no private key appended.
In short, the whole procedure is:
On the CA server (centos7.7-01):
cd /etc/pki/koji/
mkdir {certs,private,confs}
touch index.txt
echo 01 > serial
openssl genrsa -out private/koji_ca_cert.key 2048
openssl req -config ssl.cnf -new -x509 -days 3650 -key private/koji_ca_cert.key \
-out koji_ca_cert.crt -extensions v3_ca
On the client that uses the CA:
caname=koji
user=server
openssl genrsa -out private/${user}.key 2048
openssl req -config ssl.cnf -new -nodes -out certs/${user}.csr -key private/${user}.key
openssl ca -config ssl.cnf -keyfile private/${caname}_ca_cert.key -cert ${caname}_ca_cert.crt \
-out certs/${user}.crt -outdir certs -infiles certs/${user}.csr
cat certs/${user}.crt private/${user}.key > ${user}.pem
mv ssl2.cnf confs/${user}-ssl.cnf    (left over from the Koji guide, where ssl2.cnf is a per-certificate copy of ssl.cnf with the hostname substituted; not needed when ssl.cnf is used directly as above)
With the variables substituted:
Client, generate the private key: openssl genrsa -out private/server.key 2048
Client, generate the request: openssl req -config ssl.cnf -new -nodes -out certs/server.csr -key private/server.key
Copy certs/server.csr to the CA server and issue the client's certificate there:
openssl ca -config ssl.cnf -keyfile private/koji_ca_cert.key -cert koji_ca_cert.crt \
-out certs/server.crt -outdir certs -infiles certs/server.csr
Send server.crt back to the client, where certs/server.crt and private/server.key can be combined into server.pem:
cat certs/server.crt private/server.key > server.pem
Generate a PKCS#12 bundle for a web browser:
openssl pkcs12 -export -inkey private/server.key -in certs/server.crt -certfile koji_ca_cert.crt -out certs/server_browser_cert.p12
(-certfile is what adds the CA certificate to the bundle; -CAfile only supplies trust anchors for -chain and on its own adds nothing.)
Both the CA's koji_ca_cert.crt (as a trusted root) and the server.crt issued to the client (as the application certificate) must be imported into the browser.
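The procedure above (index.txt and serial, openssl req, openssl ca, the .pem concatenation, pkcs12 -export) as an added, self-contained example rather than the page's own commands. It writes a minimal config file on the fly instead of using the full /etc/pki/tls/openssl.cnf, runs openssl ca non-interactively with -batch, and goes one step further than the page: it revokes the certificate, publishes a CRL, and checks both the index.txt state letter (V, then R) and the CRL-aware verification result. The directory, the names and the PKCS#12 password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not the page's own commands: the "openssl ca" workflow with
# its index.txt/serial database, driven by a minimal config written here
# instead of /etc/pki/tls/openssl.cnf, then revocation, CRL publication and
# the PKCS#12 export. Directory, names and the password are assumptions.
set -eu

# Minimal CA config in $1. Issued certificates get CA:FALSE (never CA:TRUE,
# see the note on [ usr_cert ] above) and the subjectAltName given as $2.
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca       = CA_default
[ CA_default ]
dir              = $1
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_days     = 365
default_crl_days = 30
default_md       = sha256
policy           = policy_any
x509_extensions  = usr_cert
[ policy_any ]
commonName       = supplied
organizationName = optional
[ usr_cert ]
basicConstraints       = CA:FALSE
keyUsage               = critical, digitalSignature, keyEncipherment
extendedKeyUsage       = serverAuth
subjectAltName         = $2
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ req ]
prompt             = no
distinguished_name = dn
x509_extensions    = v3_ca
[ dn ]
CN = superred test root
[ v3_ca ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}
# Layout the ca command expects (index.txt must be exactly 0 bytes), then the
# root key and the self-signed root certificate.
init_ca() {
    mkdir -p "$1/newcerts"
    : > "$1/index.txt"
    echo 01 > "$1/serial"
    echo 01 > "$1/crlnumber"
    write_ca_config "$1" "DNS:www.kojiweb.com"
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 3650 -config "$1/ca.cnf" \
        -key "$1/ca.key" -out "$1/ca.crt"
}
# Client side: key and CSR. CA side: sign without prompts (-batch answers y/y).
issue_server_cert() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -config "$1/ca.cnf" -key "$1/server.key" \
        -subj "/O=superred/CN=www.kojiweb.com" -out "$1/server.csr"
    openssl ca -batch -notext -config "$1/ca.cnf" \
        -in "$1/server.csr" -out "$1/server.crt" 2>/dev/null
}
# Status letter for serial $2 in index.txt: V = valid, R = revoked.
cert_state() { awk -F'\t' -v s="$2" '$4 == s { print $1 }' "$1/index.txt"; }
revoke_server_cert() {
    openssl ca -config "$1/ca.cnf" -revoke "$1/server.crt" \
        -crl_reason keyCompromise 2>/dev/null
}
# Publish a CRL and bundle it with the root for CRL-checked verification.
publish_crl() {
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" 2>/dev/null
    cat "$1/ca.crt" "$1/ca.crl" > "$1/ca_with_crl.pem"
}
# "valid" or "revoked" as seen by a verifier that honours the CRL.
crl_status() {
    if openssl verify -crl_check -CAfile "$1/ca_with_crl.pem" "$1/server.crt" \
        >/dev/null 2>&1; then echo valid; else echo revoked; fi
}
# Browser bundle: -certfile (not -CAfile) is what adds the root. Prints how
# many certificates the bundle holds (2: server + root).
export_p12() {
    openssl pkcs12 -export -inkey "$1/server.key" -in "$1/server.crt" \
        -certfile "$1/ca.crt" -passout pass:changeit -out "$1/server.p12"
    openssl pkcs12 -in "$1/server.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
init_ca "$work"; issue_server_cert "$work"; publish_crl "$work"
echo "before revoke: $(cert_state "$work" 01) $(crl_status "$work")"   # V valid
revoke_server_cert "$work"; publish_crl "$work"
echo "after revoke:  $(cert_state "$work" 01) $(crl_status "$work")"   # R revoked
echo "certs in p12:  $(export_p12 "$work")"                             # 2
```

Two points worth noticing: revocation only changes the CA's database, so a relying party sees it only after a fresh CRL is published and actually consulted (the plain openssl verify without -crl_check would still say OK); and the policy section, not the CSR, decides which DN fields survive into the certificate, which is why matching the CA's country and organization mattered above.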
Part three: serving HTTPS with the certificate
SSL (Secure Sockets Layer) is the protocol that provides encrypted transport on the Internet; its goals are confidentiality and integrity of the data exchanged between two applications, using algorithms both server and client support. SSLv2 and SSLv3 are broken (DROWN, POODLE) and disabled in current browsers and servers; what is actually negotiated today is TLS 1.2 or TLS 1.3.
The handshake, simplified (TLS with RSA key exchange):
C -----------------------------------> S 1. ClientHello: the client proposes protocol versions and cipher suites.
C <----------------------------------- S 2. ServerHello + Certificate: the server picks the suite and sends its certificate, which contains the server's public key.
C -----------------------------------> S 3. The client validates the server certificate against the CA certificates in its trust store: it checks the CA's signature with the CA's public key, the validity dates, and that the hostname matches the subjectAltName. It then generates a random premaster secret, encrypts it with the *server's* public key from the certificate, and sends it to the server. The CA is not contacted at any point.
C <----------------------------------> S 4. The server decrypts the premaster secret with its private key; both sides derive the same symmetric session keys from it and switch to fast symmetric encryption for the application data.
Modern suites replace the RSA encryption in step 3 with an ephemeral Diffie-Hellman exchange (ECDHE) signed by the server's key, which gives forward secrecy; TLS 1.3 allows nothing else.
1. Configure the HTTPS web server
yum -y install mod_ssl    # install the SSL module
cp ~/server.crt /etc/httpd/conf.d/    # put the issued certificate next to server.key
vim /etc/httpd/conf.d/ssl.conf
# SSLCertificateFile /etc/pki/tls/certs/localhost.crt    -> change the path to /etc/httpd/conf.d/server.crt
# SSLCertificateKeyFile /etc/pki/tls/private/localhost.key    -> change the path to /etc/httpd/conf.d/server.key
[aaa@qq.com conf.d]# systemctl restart httpd
Enter SSL pass phrase for 10.10.3.193:443 (RSA) : ********    (asked because server.key is passphrase-protected; use the unencrypted key or SSLPassPhraseDialog if httpd must start unattended)
Test:
netstat -antup | grep 443
tcp6 0 0 :::443 :::* LISTEN 1634/httpd
Browse to https://10.10.3.193
At this point the TLS handshake works but the certificate is not trusted, for two reasons: the browser does not yet trust our CA (import cacert.pem as a trusted root), and the name in the URL does not match the certificate. The Common Name entered was www.kojiweb.com, the *client's* CN (the CA server's CN is www.kojihub.com): the hostname must match the certificate's subject, the holder, not its issuer.
Add to the hosts file of the machine running the browser:
10.10.3.193 www.kojiweb.com
then browse by name. With the CA imported, and a certificate that carries a subjectAltName, it is trusted:
https://www.kojiweb.com
References:
https://blog.csdn.net/weixin_33721427/article/details/88063129
https://blog.51cto.com/13848248/2177399
https://segmentfault.com/a/1190000014963014
https://docs.pagure.org/koji/server_howto/#etc-httpd-conf-d-kojihub-conf
https://www.cnblogs.com/yjmyzz/p/openssl-tutorial.html
===============================================
Works on CentOS 6.x and 7.x; Tomcat is already running with two applications on ports 8080 and 8082.
yum install openssl nginx -y
# generate an RSA private key
openssl genrsa -des3 -out server.key 2048    # prompts for a passphrase
or
openssl genrsa -out server.key 2048    # no passphrase (nginx cannot prompt at startup, so this is the usual choice)
# -des3 : encrypt the key file with 3DES
# 2048 : key length in bits
# server.key : the key file name
# -out : path and name of the output file
openssl req -new -key server.key -out server.csr
# -key : the server's own private key (not a CA key; this is the key the certificate will bind to)
# -out : server.csr, the request file
# you are asked for:
Country Name (2 letter code) []:cn // country
State or Province Name (full name) []:beijing // province
Locality Name (eg, city) []:beijing // city
Organization Name (eg, company) []:superred // organization
Organizational Unit Name (eg, section) []:linux // department
Common Name (eg, fully qualified host name) []:www.kojihub.com // the site's domain name
Email Address []:aaa@qq.com // e-mail address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: // leave empty
# this produces server.key and server.csr
# self-sign the certificate (a self-signed server certificate, not a CA certificate: there is no CA in this variant)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
# x509 : certificate handling
# -in : the request file
# -signkey : sign with this key, i.e. self-sign
# produces server.crt
[aaa@qq.com nginx]# openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=superred/OU=linux/CN=www.kojihub.com/aaa@qq.com
Getting Private key
cp server.key server.csr server.crt /etc/nginx
vim /etc/nginx/conf.d/default.conf
upstream xxxx_upstream {
server 127.0.0.1:8082;
}
upstream yyyy_upstream {
server 127.0.0.1:8080;
}
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name <your domain>;
root /usr/share/nginx/html;
# Load configuration files for the default server block.
include /etc/nginx/default.d/*.conf;
location / {
}
location /xxxx {
proxy_set_header Host $http_host;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://xxxx_upstream/xxxx;
}
location /yyyy {
proxy_set_header Host $http_host;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://yyyy_upstream/yyyy;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
}
server {
listen 443 ssl;    # "ssl on;" is the obsolete form; current nginx wants ssl on the listen line
server_name www.kojihub.com;    # must match the name in the certificate (the CN here, and the subjectAltName for browsers)
root /usr/share/nginx/html;
ssl_certificate server.crt;    # relative paths resolve under /etc/nginx
ssl_certificate_key server.key;
ssl_protocols TLSv1.2;    # SSLv3/TLSv1/TLSv1.1 are broken or deprecated; add TLSv1.3 where the OpenSSL build supports it
location /xxxx {
proxy_set_header Host $http_host;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://xxxx_upstream/xxxx;
}
location /yyyy {
proxy_set_header Host $http_host;
proxy_set_header X-Real-Ip $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass http://yyyy_upstream/yyyy;
}
}
Note: replace xxxx and yyyy above with your own paths, and re-indent after copy-pasting.
nginx -t
systemctl start nginx
Copy server.crt to the Windows 10 machine and double-click it to install, or press Ctrl+R and run
certmgr.msc
Trusted Root Certification Authorities -> Certificates -> Action -> All Tasks -> Import -> Next -> browse to the .crt root certificate -> choose the second option, "Place all certificates in the following store" (Trusted Root Certification Authorities) -> Next -> Finish
# https://www.kojihub.com should now work
1) The Windows 10 browser is fine.
2) Chrome 83.0.4103.61 is not; it still reports the certificate as untrusted.
3) Firefox 76.0.1 (64-bit) does not trust it either.
The cause is the one from the Chrome section earlier: this self-signed certificate carries only a Common Name and no subjectAltName, so Chrome refuses to match the hostname against it. Firefox has the additional problem that it keeps its own trust store and does not consult the Windows one unless security.enterprise_roots.enabled is set to true in about:config. Issue the certificate with a SAN (DNS:www.kojihub.com) and import the root into the store each browser actually uses.