第一步 申請本地證書
1. openssl 之類的軟件我就不多說,系統自帶的,如果不帶,自己 yum 下
- [root@e2fsck ~]# openssl genrsa -des3 -out e2fsck.org.key 2048
- Generating RSA private key, 1024 bit long modulus
- ………..++++++
- ………..++++++
- e is 65537 (0×10001)
- Enter pass phrase for e2fsck.org.key: 輸入密碼
- Verifying – Enter pass phrase for e2fsck.org.key: 輸入密碼
- [root@e2fsck ~]# openssl req -new -key e2fsck.org.key -out e2fsck.org.csr
- Enter pass phrase for e2fsck.org.key: 輸入密碼
- You are about to be asked to enter information that will be incorporated
- into your certificate request.
- What you are about to enter is what is called a Distinguished Name or a DN.
- There are quite a few fields but you can leave some blank
- For some fields there will be a default value,
- If you enter ‘.', the field will be left blank.
- —–
- Country Name (2 letter code) [XX]:CN
- State or Province Name (full name) []:JS
- Locality Name (eg, city) [Default City]:SZ
- Organization Name (eg, company) [Default Company Ltd]:e2fsck
- Organizational Unit Name (eg, section) []:e2fsck.org
- Common Name (eg, your name or your server's hostname) []:*.e2fsck.org
- Email Address []:[email protected]
- Please enter the following ‘extra' attributes
- to be sent with your certificate request
- A challenge password []: 直接回車
- An optional company name []: 直接回車
- [root@e2fsck ~]# openssl rsa -in e2fsck.org.key -out e2fsck.org_nopass.key
- Enter pass phrase for e2fsck.org.key: 輸入上面的密碼
- writing RSA key
- [root@e2fsck ~]# ls
- e2fsck.org.csr e2fsck.org.key e2fsck.org_nopass.key
第二步 去 startssl 申請免費證書
1. 登錄官方網站 http://www.startssl.com/?app=0
2. 選擇 Control Panel(右上角) 然后選擇 Express Lane(最下面的大圖標)
3. 填寫注冊信息(盡量真實,不然難通過),然后就去郵件等,是 2 封郵件,第二封郵件帶一個地址,登錄即可
4. 進去后,做 下一步 之類的簡單事情后,選擇 Certificates Wizard
5. Certificate Target: 這里選擇 Web Server SSL/TLS Certificate
6. 這里選擇 Skip 因為 第一步 的時候配置好了
7. 這里把 第一步 中的 e2fsck.org.csr 內容粘貼到這里
8. 然后就是下一步,添加域名什么的簡單的事情
9. 最后看到一段代碼就是 crt 證書了,保存下來,我這里取名為 e2fsck.org.crt 然后把它放到 /usr/local/nginx/conf 目錄(你放哪隨便)
10. 為了使部分瀏覽器能夠識別證書,還得把 CA 根證書與我們的證書和并
- [root@e2fsck ~]# cd /usr/local/nginx/conf/ #我這里把證書都放在了這個目錄
- [root@e2fsck conf]# wget http://cert.startssl.com/certs/ca.pem
- [root@e2fsck conf]# wget http://cert.startssl.com/certs/sub.class1.server.ca.pem
- [root@e2fsck conf]# cp e2fsck.org.crt e2fsck.org.bak #先備份下
- [root@e2fsck conf]# cat ca.pem sub.class1.server.ca.pem >> e2fsck.org.crt
然后編輯 e2fsck.org.crt 把里面的
- —–END CERTIFICATE———-BEGIN CERTIFICATE—–
分開,改成這樣
- —–END CERTIFICATE—–
- —–BEGIN CERTIFICATE—–
第三步 配置 nginx.conf
主要是修改這段
復制代碼代碼如下:
server { listen 443; server_name www.e2fsck.org; index index.html index.htm index.php; ssl on; <span id="note">#主要是這段</span> ssl_certificate e2fsck.org.crt; ssl_certificate_key e2fsck.org_nopass.key; ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location ~ .php$ { <span id="note">#這一小段是為了 https 能解析 php</span> root html; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; fastcgi_param HTTPS on; include fastcgi.conf; } if (-f $request_filename/index.html){ <span id="note">#如果非SSL做了偽靜態,這里也要</span> rewrite (.*) $1/index.html break; } if (-f $request_filename/index.php){ rewrite (.*) $1/index.php; } if (!-f $request_filename){ rewrite (.*) /index.php; } #location / { #root html; #index index.html index.htm index.php; #} }
然后重啟 nginx (如果以前沒配置過 ssl,就一定要重啟, reload 沒用)
第四步 測試 ssl
瀏覽器輸入 https://www.e2fsck.org 可以看到 ssl 已經可以正常工作了
