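Generating a self-signed SSL certificate in nginx and configuring HTTPS
Updated: 2025-03-02 10:20:35 Author: 小白--AI
This article describes how to generate a self-signed SSL certificate for nginx and configure HTTPS, covering nginx installation, certificate creation, certificate configuration, and an access test. It may serve as a useful reference for interested readers.
I. Install nginx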
nginx must be built with the "--with-http_ssl_module" module. To check which modules nginx was built with:

root@ecs-7398:/usr/local/nginx# cd /usr/local/nginx/
root@ecs-7398:/usr/local/nginx# ./sbin/nginx -V
nginx version: nginx/1.20.2
built by gcc 9.4.0 (Ubuntu 9.4.0-1ubuntu1~20.04.2)
built with OpenSSL 1.1.1f 31 Mar 2020
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-pcre --with-http_ssl_module --with-http_gzip_static_module --with-http_v2_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_flv_module
II. Create the certificate
1. Generate the private key
root@ecs-7398:~# cd /usr/local/nginx/
root@ecs-7398:/usr/local/nginx# mkdir key
root@ecs-7398:/usr/local/nginx# cd key/
root@ecs-7398:/usr/local/nginx/key# openssl genrsa -des3 -out server.key 2048    # generate a private key named server.key with openssl
Generating RSA private key, 2048 bit long modulus (2 primes)
................+++++
......+++++
e is 65537 (0x010001)
Enter pass phrase for server.key:    # choose a passphrase: 123456
Verifying - Enter pass phrase for server.key:    # confirm the passphrase: 123456
root@ecs-7398:/usr/local/nginx# ls
client_body_temp conf fastcgi_temp html logs proxy_temp sbin scgi_temp server.key uwsgi_temp
root@ecs-7398:/usr/local/nginx/key# cat server.key    # view the private key
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,4103533ED9B6ECD1

[base64 key body omitted]
-----END RSA PRIVATE KEY-----
root@ecs-7398:/usr/local/nginx/key#
2. Generate the certificate signing request (CSR)
root@ecs-7398:/usr/local/nginx/key# openssl req -new -key server.key -out server.csr    # create the server.csr signing request from the server.key private key
Enter pass phrase for server.key:    # enter the server.key passphrase: 123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN    # country
State or Province Name (full name) [Some-State]:shanghai    # state or province
Locality Name (eg, city) []:jiading    # city
Organization Name (eg, company) [Internet Widgits Pty Ltd]:bai    # organization
Organizational Unit Name (eg, section) []:zr    # organizational unit
Common Name (e.g. server FQDN or YOUR name) []:byc    # name
Email Address []:2123288207@qq.com    # email

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456    # password
An optional company name []:zr    # company
root@ecs-7398:/usr/local/nginx/key#
3. Sign and generate the certificate
root@ecs-7398:/usr/local/nginx/key# openssl rsa -in server.key -out server.key    # strip the passphrase from server.key so that "nginx -t" does not prompt for it every time
Enter pass phrase for server.key:    # passphrase: 123456
writing RSA key
root@ecs-7398:/usr/local/nginx/key#
root@ecs-7398:/usr/local/nginx/key# openssl x509 -req -days 3650 -in server.csr -signkey server.key -out server.crt    # generate the signed certificate server.crt from the private key and the CSR: -days sets 3650 days, -in names the CSR, -signkey names the private key, and the resulting certificate is server.crt
Signature ok
subject=C = CN, ST = shanghai, L = jiading, O = bai, OU = zr, CN = byc, emailAddress = 2123288207@qq.com
Getting Private key
root@ecs-7398:/usr/local/nginx/key#
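An added example, not part of the original article: the key, CSR and signing steps collapsed into one non-interactive `openssl req -x509` call that also sets a subjectAltName (the certificate built above carries only CN = byc, and modern browsers match the host name against subjectAltName rather than the CN), creates the unencrypted key readable by its owner only, and checks that key and certificate belong together. It assumes OpenSSL 1.1.1 or later for `-addext`; the host name `demo.example.test` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article); names are illustrative.

# make_selfsigned DIR NAME: write DIR/server.key and DIR/server.crt in one step.
make_selfsigned() {
    dir=$1
    name=$2
    (
        # The key is written without a passphrase (-nodes), so create it
        # with a restrictive umask instead of fixing permissions afterwards.
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
            -keyout "$dir/server.key" -out "$dir/server.crt" \
            -subj "/CN=$name" -addext "subjectAltName=DNS:$name"
    )
}

# key_matches_cert KEY CRT: succeed only if the certificate's public key
# is the public half of the private key (catches mixed-up files before reload).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ "$key_pub" = "$crt_pub" ]
}

# cert_has_san CRT NAME: succeed if NAME is listed as a DNS subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_mode FILE: print the permission string of FILE, e.g. -rw-------
key_mode() {
    ls -l "$1" | cut -c1-10
}

# Demo in a throwaway directory with a constructed host name.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" demo.example.test
key_matches_cert "$demo_dir/server.key" "$demo_dir/server.crt" && echo "key and certificate match"
cert_has_san "$demo_dir/server.crt" demo.example.test && echo "SAN present"
echo "key mode: $(key_mode "$demo_dir/server.key")"
rm -rf "$demo_dir"
```

Running `key_matches_cert` against the files named in `ssl_certificate` and `ssl_certificate_key` before reloading nginx catches a mismatched pair early.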
III. Configure the certificate and verify
root@ecs-7398:/usr/local/nginx/key# cd ..
root@ecs-7398:/usr/local/nginx# systemctl start nginx    # start nginx
root@ecs-7398:/usr/local/nginx# vim conf/nginx.conf    # edit the main nginx configuration file and uncomment the HTTPS server block near the end

server {
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /usr/local/nginx/key/server.crt;    ## certificate path
    ssl_certificate_key  /usr/local/nginx/key/server.key;    ## private key path

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   /usr/local/nginx/html/xiaomi;
        index  index.html index.htm;
    }
}
IV. Test
root@ecs-7398:/usr/local/nginx# cd
root@ecs-7398:~# ls
nginx-1.20.2 nginx-1.20.2.tar.gz 小米官網(wǎng).zip
root@ecs-7398:~# unzip 小米官網(wǎng).zip -d /usr/local/nginx/html/xiaomi
root@ecs-7398:~# ls /usr/local/nginx/html/xiaomi/
css iconfont images index.html
Open https://xxx.xxx.xxx.xxx:443 in a browser.