Configuring a self-signed certificate for NGINX to enable HTTPS on a site

鲤鱼打个滚 2024-11-05 Reads 12
Tag: nginx operations

nginx's HTTPS support is implemented by the ngx_http_ssl_module module. Because it is a core module, an nginx installed from yum has it enabled by default; an nginx built from source must be configured with --with-http_ssl_module to enable it.

Configuration directives

  • listen 443 ssl;
  • ssl_certificate /path/to/file;
    # file containing both the current virtual host's certificate and the CA certificate, usually a .crt file
  • ssl_certificate_key /path/to/file;
    # private key used by the current virtual host, usually a .key file
  • ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2];
    # supported protocol versions; the early versions were SSL, the current ones are TLS; the default is the last three
  • ssl_session_cache off | none | [builtin[:size]] [shared:name:size];
    # configures the SSL session cache
  • off: cache disabled
  • none: tells the client that session caching is supported, but nothing is actually cached
  • builtin[:size]: OpenSSL's built-in cache, private to each worker process
  • shared:name:size: one cache shared by all workers; requires a cache name and a size, 1 MB holds about 4000 sessions, and several virtual hosts may use the same cache name
  • ssl_session_timeout time;
    # how long a client may reuse a session stored in the ssl session cache


Self-signed certificate

Create a directory for the certificates

[root@www logs]# cd /software/nginx/
[root@www nginx]# mkdir certs
[root@www nginx]# cd certs

Create the self-signed CA certificate

[root@www certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout ca.key -x509 -days 3650 -out ca.crt

Generating a 4096 bit RSA private key
........++
..................................................................................................................................................................++
writing new private key to 'ca.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:UHN
Organizational Unit Name (eg, section) []:UHN
Common Name (eg, your name or your server's hostname) []:zywqs
Email Address []:

[root@www certs]# ll
total 8
-rw-r--r--. 1 root root 1960 Oct 24 17:26 ca.crt
-rw-r--r--. 1 root root 3272 Oct 24 17:26 ca.key

Create the key and CSR for www.uhn.cn

[root@www certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.uhn.cn.key -out www.uhn.cn.csr
Generating a 4096 bit RSA private key
....................................................++
.........................................................++
writing new private key to 'www.uhn.cn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:UHN
Organizational Unit Name (eg, section) []:UHN
Common Name (eg, your name or your server's hostname) []:zywqs
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:


[root@www certs]# ll
total 16
-rw-r--r--. 1 root root 1960 Oct 24 17:26 ca.crt
-rw-r--r--. 1 root root 3272 Oct 24 17:26 ca.key
-rw-r--r--. 1 root root 1671 Oct 24 17:28 www.uhn.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:28 www.uhn.cn.key

Issue the certificate

[root@www certs]# openssl  x509 -req -days 3650 -in www.uhn.cn.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.uhn.cn.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=UHN/OU=UHN/CN=zywqs
Getting CA Private Key
[root@www certs]# ll
total 24
-rw-r--r--. 1 root root 1960 Oct 24 17:26 ca.crt
-rw-r--r--. 1 root root 3272 Oct 24 17:26 ca.key
-rw-r--r--. 1 root root   17 Oct 24 17:29 ca.srl
-rw-r--r--. 1 root root 1842 Oct 24 17:29 www.uhn.cn.crt
-rw-r--r--. 1 root root 1671 Oct 24 17:28 www.uhn.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:28 www.uhn.cn.key

View the certificate contents

[root@www certs]# openssl x509 -in www.uhn.cn.crt -noout -text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            9f:84:ad:55:fb:38:4a:8b
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=CN, ST=BJ, L=BJ, O=UHN, OU=UHN, CN=zywqs
        Validity
            Not Before: Oct 24 09:29:27 2024 GMT
            Not After : Oct 22 09:29:27 2034 GMT
        Subject: C=CN, ST=BJ, L=BJ, O=UHN, OU=UHN, CN=zywqs
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
    Signature Algorithm: sha256WithRSAEncryption

Concatenate the CA and server certificates into one file (the server certificate must come first)

[root@www certs]# cat www.uhn.cn.crt ca.crt > www.uhn.cn.pem
[root@www certs]# ll
total 28
-rw-r--r--. 1 root root 1960 Oct 24 17:26 ca.crt
-rw-r--r--. 1 root root 3272 Oct 24 17:26 ca.key
-rw-r--r--. 1 root root   17 Oct 24 17:29 ca.srl
-rw-r--r--. 1 root root 1842 Oct 24 17:29 www.uhn.cn.crt
-rw-r--r--. 1 root root 1671 Oct 24 17:28 www.uhn.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:28 www.uhn.cn.key
-rw-r--r--. 1 root root 3802 Oct 24 17:30 www.uhn.cn.pem

Edit the nginx configuration and add the HTTPS settings for uhn.cn

[root@www certs]# cd /software/nginx/conf/conf.d/
[root@www conf.d]# vi uhn.conf 

server {
   listen 80;
   listen 443 ssl;
   server_name www.uhn.cn;

   ssl_certificate /software/nginx/certs/www.uhn.cn.pem;
   ssl_certificate_key /software/nginx/certs/www.uhn.cn.key;
   ssl_session_cache shared:sslcache:20m;
   ssl_session_timeout 10m;

   error_page 500 502 503 504 /error.html;
   location = /error.html {
      root /data/nginx/html/uhn;
   }
}

Test: the site is now reachable over HTTPS

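The script below is an added example, not part of the original post. It repeats the post's CA, CSR, sign and bundle flow and then runs the checks worth doing before a file is referenced from ssl_certificate: that the leaf chains to ca.crt, that it matches the hostname, and that the server certificate is first in the bundle; it also reproduces the shape of the post's own certificate (CN=zywqs, no subjectAltName, as the x509 -text output above shows) to show why a browser that trusts ca.crt would still report a name mismatch for www.uhn.cn. Assumptions: a scratch directory in $WORK, rsa:2048 instead of the post's rsa:4096 purely for speed, and constructed names (Lab Root CA, uhn.cn).

```shell
#!/bin/sh
# Added example, not from the post. Assumptions: scratch dir $WORK, rsa:2048 instead of the
# post's rsa:4096 (speed only), the post's hostname www.uhn.cn and a constructed CA name.
set -eu
WORK="${WORK:-$(mktemp -d)}"; cd "$WORK"

# One config for both roles: [v3_ca] for the self-signed CA, [v3_server] for the site cert.
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.uhn.cn, DNS:uhn.cn
EOF

# Self-signed CA (the post's ca.key/ca.crt step), with explicit CA extensions.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 -config ext.cnf \
  -subj "/C=CN/O=UHN/CN=Lab Root CA" -keyout ca.key -out ca.crt 2>/dev/null

# issue_cert CN basename [section]: key + CSR + CA-signed cert, like the post's two openssl calls.
# With no section this is exactly the post's flow: no SAN, so only the CN can ever match.
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -config ext.cnf \
    -subj "/C=CN/O=UHN/CN=$1" -keyout "$2.key" -out "$2.csr" 2>/dev/null
  ext=""; [ -n "${3:-}" ] && ext="-extfile ext.cnf -extensions $3"
  openssl x509 -req -days 825 -sha256 -in "$2.csr" -CA ca.crt -CAkey ca.key \
    -CAcreateserial $ext -out "$2.crt" 2>/dev/null
}
issue_cert zywqs post-style                 # CN=zywqs, no SAN: what the post's x509 -text shows
issue_cert www.uhn.cn www.uhn.cn v3_server  # hostname in CN and SAN: what clients check
cat www.uhn.cn.crt ca.crt > www.uhn.cn.pem  # bundle order the post requires: server cert first
cat ca.crt www.uhn.cn.crt > reversed.pem    # deliberately wrong order, caught by the check below

# Pre-deploy checks to run before pointing ssl_certificate at a file.
chain_ok()        { openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; }   # leaf chains to CA?
host_ok()         { openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'; }
bundle_first_cn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
                    sed 's/^subject=//; s/^CN=\([^,]*\).*/\1/'; }   # nginx presents this one

host_ok post-style.crt www.uhn.cn || echo "post-style.crt does NOT match www.uhn.cn (CN=zywqs, no SAN)"
host_ok www.uhn.cn.crt www.uhn.cn && chain_ok www.uhn.cn.crt ca.crt && echo "www.uhn.cn.crt: hostname and chain OK"
echo "first certificate in www.uhn.cn.pem: $(bundle_first_cn www.uhn.cn.pem)"
echo "first certificate in reversed.pem:   $(bundle_first_cn reversed.pem)"
```

The bundle check matters because nginx reads the first certificate in ssl_certificate as the server certificate; with the CA first, clients are handed the CA certificate as the leaf.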

Next, set up HTTPS for another virtual host on the same server, abc.cn

Nginx can serve multiple domains from a single IP, and can serve them over HTTPS as well; this relies on Nginx's SNI (Server Name Indication) support. SNI solves the problem of one Nginx server binding several domains, each with its own certificate, to one IP: the client sends the hostname of the site it wants (in the ClientHello, before the TLS connection is established), so the server can select the matching server block and return the appropriate certificate. If the client sends no SNI or an unknown name, nginx falls back to the default server for that port (the first server block for that listen address unless one is marked default_server) and presents that site's certificate.


Create the key and CSR for www.abc.cn

[root@www certs]# openssl req -newkey rsa:4096 -nodes -sha256 -keyout www.abc.cn.key -out www.abc.cn.csr
Generating a 4096 bit RSA private key
..................................................................................................................................................................................++
...........................++
writing new private key to 'www.abc.cn.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:BJ
Locality Name (eg, city) [Default City]:BJ
Organization Name (eg, company) [Default Company Ltd]:ABC
Organizational Unit Name (eg, section) []:ABC
Common Name (eg, your name or your server's hostname) []:zywqs
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@www certs]# ll
total 36
-rw-r--r--. 1 root root 1960 Oct 24 17:26 ca.crt
-rw-r--r--. 1 root root 3272 Oct 24 17:26 ca.key
-rw-r--r--. 1 root root   17 Oct 24 17:29 ca.srl
-rw-r--r--. 1 root root 1671 Oct 24 17:50 www.abc.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:50 www.abc.cn.key
-rw-r--r--. 1 root root 1842 Oct 24 17:29 www.uhn.cn.crt
-rw-r--r--. 1 root root 1671 Oct 24 17:28 www.uhn.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:28 www.uhn.cn.key
-rw-r--r--. 1 root root 3802 Oct 24 17:30 www.uhn.cn.pem

Sign the certificate

[root@www certs]# openssl  x509 -req -days 3650 -in www.abc.cn.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out www.abc.cn.crt
Signature ok
subject=/C=CN/ST=BJ/L=BJ/O=ABC/OU=ABC/CN=zywqs
Getting CA Private Key
[root@www certs]# ll
total 40
-rw-r--r--. 1 root root 1960 Oct 24 17:26 ca.crt
-rw-r--r--. 1 root root 3272 Oct 24 17:26 ca.key
-rw-r--r--. 1 root root   17 Oct 24 17:52 ca.srl
-rw-r--r--. 1 root root 1842 Oct 24 17:52 www.abc.cn.crt
-rw-r--r--. 1 root root 1671 Oct 24 17:50 www.abc.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:50 www.abc.cn.key
-rw-r--r--. 1 root root 1842 Oct 24 17:29 www.uhn.cn.crt
-rw-r--r--. 1 root root 1671 Oct 24 17:28 www.uhn.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:28 www.uhn.cn.key
-rw-r--r--. 1 root root 3802 Oct 24 17:30 www.uhn.cn.pem
[root@www certs]# 

Concatenate the certificates

[root@www certs]# cat www.abc.cn.crt ca.crt > www.abc.cn.pem
[root@www certs]# ll
total 44
-rw-r--r--. 1 root root 1960 Oct 24 17:26 ca.crt
-rw-r--r--. 1 root root 3272 Oct 24 17:26 ca.key
-rw-r--r--. 1 root root   17 Oct 24 17:52 ca.srl
-rw-r--r--. 1 root root 1842 Oct 24 17:52 www.abc.cn.crt
-rw-r--r--. 1 root root 1671 Oct 24 17:50 www.abc.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:50 www.abc.cn.key
-rw-r--r--. 1 root root 3802 Oct 24 17:54 www.abc.cn.pem
-rw-r--r--. 1 root root 1842 Oct 24 17:29 www.uhn.cn.crt
-rw-r--r--. 1 root root 1671 Oct 24 17:28 www.uhn.cn.csr
-rw-r--r--. 1 root root 3272 Oct 24 17:28 www.uhn.cn.key
-rw-r--r--. 1 root root 3802 Oct 24 17:30 www.uhn.cn.pem
[root@www certs]#

Edit the nginx configuration file for the abc.cn site

[root@www conf.d]# vi abc.conf 
[root@www conf.d]# cat abc.conf
server {
   listen 80;
   listen 443 ssl;
   server_name www.abc.cn;

   ssl_certificate /software/nginx/certs/www.abc.cn.pem;
   ssl_certificate_key /software/nginx/certs/www.abc.cn.key;
   ssl_session_cache shared:sslcache:20m;
   ssl_session_timeout 10m;

   location / {
      root /data/nginx/html/abc;
   }
}
[root@www conf.d]# 

Access test: each site is now served over HTTPS with its own certificate
