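Installation environment
nginx download: http://nginx.org/en/download.html
OpenSSL download: http://slproweb.com/products/Win32OpenSSL.html
Official site: https://www.openssl.org/source/
1. Download the installer that matches your system
2. Configure the system path
My Computer -> Properties -> Advanced system settings -> Environment Variables -> User variables (to make it available to all users, configure it under System variables instead)
Variable name: OPENSSL_HOME  Variable value: C:\OpenSSL-Win64\bin; (the value is the OpenSSL install location; the one shown is mine)
Append the following to the end of the Path variable: %OPENSSL_HOME%;
3. Generate the certificate
3.1 Create an ssl folder under the nginx install path to hold the certificate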
D:\>cd nginx-1.8.0
D:\nginx-1.8.0>ls
conf contrib docs html logs nginx.exe temp
D:\nginx-1.8.0>mkdir ssl
D:\nginx-1.8.0>ls
conf docs logs ssl
contrib html nginx.exe temp
D:\nginx-1.8.0>
3.2 Create the private key
Run this on the command line: openssl genrsa -des3 -out dogiant.key 1024 (dogiant is the file name and can be changed), as shown below:
D:\nginx-1.8.0>cd ssl
D:\nginx-1.8.0\ssl>openssl genrsa -des3 -out dogiant.key 1024
Generating RSA private key, 1024 bit long modulus
...........................................++++++
............++++++
e is 65537 (0x010001)
Enter pass phrase for dogiant.key:
Verifying - Enter pass phrase for dogiant.key:
D:\nginx-1.8.0\ssl>
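Enter a pass phrase, then enter it again to confirm. Remember this pass phrase; it is needed later.
Create the CSR (certificate signing request):
Run this on the command line: openssl req -new -key dogiant.key -out dogiant.csr
(the key file is the one just generated; dogiant is the custom file name)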
D:\nginx-1.8.0\ssl>openssl req -new -key dogiant.key -out dogiant.csr
Enter pass phrase for dogiant.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Beijing
Locality Name (eg, city) []:Beijing
Organization Name (eg, company) [Internet Widgits Pty Ltd]:dogiant
Organizational Unit Name (eg, section) []:dogiant
Common Name (e.g. server FQDN or YOUR name) []:www.dogiant.com
Email Address []:18636380@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
D:\nginx-1.8.0\ssl>ls
dogiant.csr dogiant.key
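Of the values entered, the most important is Common Name: the domain entered here is the domain we will access over HTTPS.
After the steps above, the ssl folder contains two files: dogiant.csr dogiant.key
Next, copy the key file, remove its pass phrase, and generate the .crt certificate as follows: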
D:\nginx-1.8.0\ssl>copy dogiant.key dogiant.key.copy
已复制 1 个文件。
D:\nginx-1.8.0\ssl>openssl rsa -in dogiant.key.copy -out dogiant.key
Enter pass phrase for dogiant.key.copy:
writing RSA key
D:\nginx-1.8.0\ssl>openssl x509 -req -days 365 -in dogiant.csr -signkey dogiant.key -out dogiant.crt
Signature ok
subject=C = CN, ST = Beijing, L = Beijing, O = dogiant, OU = dogiant, CN = www.dogiant.com, emailAddress = 18636380@qq.com
Getting Private key
D:\nginx-1.8.0\ssl>ls
dogiant.crt dogiant.csr dogiant.key dogiant.key.copy
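The walkthrough above is a little long-winded; in short it comes down to these four commands:
1. openssl genrsa -des3 -out *.key 1024
2. openssl req -new -key *.key -out *.csr
3. openssl rsa -in *.key -out *_nopass.key
4. openssl req -new -x509 -days 3650 -key *_nopass.key -out *.crt
* is a file name you choose yourself. Creating the first file prompts you to set a pass phrase, which is needed later.
The second file needs some parameters, such as country, province and city, company, and domain name.
Four files are generated in total.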
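The steps above as a non-interactive POSIX shell script, followed by a check that the key and certificate belong together; this is an added example, not part of the original article. Assumptions not taken from the article: a 2048-bit key in place of 1024, the pass phrase read from an exported KEY_PASS variable, -subj supplying the DN fields, and the function and script names.

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: 2048-bit key,
# pass phrase exported as KEY_PASS, DN passed with -subj, function names.

# make_selfsigned NAME CN
# Leaves the same four files as the walkthrough: NAME.key.copy (encrypted key),
# NAME.csr, NAME.key (pass-phrase-free key for nginx) and NAME.crt.
make_selfsigned() (
    umask 077    # new key files are readable by their owner only
    name=$1 cn=$2
    # Step 1: pass-phrase-protected private key
    openssl genrsa -des3 -passout env:KEY_PASS -out "$name.key.copy" 2048 &&
    # Step 2: signing request; CN is the host name used in the https:// URL
    openssl req -new -key "$name.key.copy" -passin env:KEY_PASS \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=dogiant/CN=$cn" -out "$name.csr" &&
    # Step 3: strip the pass phrase so nginx can load the key unattended
    openssl rsa -in "$name.key.copy" -passin env:KEY_PASS -out "$name.key" &&
    # Step 4: self-sign the request for 365 days
    openssl x509 -req -days 365 -in "$name.csr" -signkey "$name.key" \
        -out "$name.crt"
)

# key_matches_cert KEY CRT
# Returns 0 only when KEY loads without a pass phrase and has the same RSA
# modulus as CRT, i.e. the pair nginx is given actually belongs together.
key_matches_cert() {
    k=$(openssl rsa -noout -modulus -in "$1" -passin pass: 2>/dev/null) || return 2
    c=$(openssl x509 -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT: print the certificate's Common Name
cert_cn() {
    openssl x509 -noout -subject -nameopt RFC2253 -in "$1" |
        sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Usage: KEY_PASS=... sh mkcert.sh dogiant www.dogiant.com
if [ "$#" -eq 2 ]; then
    make_selfsigned "$1" "$2" && key_matches_cert "$1.key" "$1.crt" &&
        echo "ok: $1.key matches $1.crt, CN=$(cert_cn "$1.crt")"
fi
```

A non-zero result from key_matches_cert before starting nginx means the files named in ssl_certificate and ssl_certificate_key do not belong together, or the key still has a pass phrase.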
3.3 Edit the nginx.conf configuration file
# HTTPS server
#
#server {
#    listen 443 ssl;
#    server_name localhost;
#    ssl_certificate cert.pem;
#    ssl_certificate_key cert.key;
#    ssl_session_cache shared:SSL:1m;
#    ssl_session_timeout 5m;
#    ssl_ciphers HIGH:!aNULL:!MD5;
#    ssl_prefer_server_ciphers on;
#    location / {
#        root html;
#        index index.html index.htm;
#    }
#}
Change it to:
# HTTPS server
#
server {
    listen 443 ssl;
    server_name www.dogiant.com;
    ssl_certificate D:/nginx-1.8.0/ssl/dogiant.crt;
    ssl_certificate_key D:/nginx-1.8.0/ssl/dogiant.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
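Problems encountered during installation
My system is Win7 x64 with nginx 1.8.0, and one problem came up during installation.
The message indicates the cause is a mismatch in the ssl_session_cache shared address; after checking the official site, the exact cause is still unclear for now.
Edit the configuration file and comment out the ssl_session_cache lines; with that fixed, nginx started successfully.
Change it to: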
# HTTPS server
#
server {
    listen 443 ssl;
    server_name www.dogiant.com;
    ssl_certificate D:/nginx-1.8.0/ssl/dogiant.crt;
    ssl_certificate_key D:/nginx-1.8.0/ssl/dogiant.key;
    #ssl_session_cache shared:SSL:1m;
    #ssl_session_timeout 5m;
    #ssl_ciphers HIGH:!aNULL:!MD5;
    #ssl_prefer_server_ciphers on;
    location / {
        root html;
        index index.html index.htm;
    }
}
Accessing the site via the HTTPS domain
Edit the hosts file
127.0.0.1 www.dogiant.com
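Visit https://www.dogiant.com
Conclusion:
This article demonstrated generating an HTTPS certificate and configuring it in nginx, and recorded the problem encountered and its fix.
I wrote this down as a record; perhaps it will be of some use.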