Of Stack

The SSL certificate configuration for the Nginx server and the reverse proxy configuration for SSL

  • 2020-05-10 23:26:04
  • OfStack

SSL certificate configuration for Nginx
1. Use openssl to implement the certificate center
Since you are using openssl to set up a private certificate center, make sure that the following fields are the same in the certificate center's certificate, server certificate, and client certificate 


Country Name
 State or Province Name
 Locality Name
 Organization Name
 Organizational Unit Name

Country Name
 State or Province Name
 Locality Name
 Organization Name
 Organizational Unit Name

 
Edit the certificate center profile 


vim /etc/pki/tls/openssl.cnf


[ CA_default ]
 dir    = /etc/pki/CA
 certs   = $dir/certs   # Where the issued certs are kept
 crl_dir   = $dir/crl    # Where the issued crl are kept
 database  = $dir/index.txt  # database index file.
 #unique_subject = no     # Set to 'no' to allow creation of
 # several ctificates with same subject.
 new_certs_dir = $dir/newcerts   # default place for new certs.
 certificate  = $dir/cacert.pem  # The CA certificate
 serial   = $dir/serial   # The current serial number
 crlnumber  = $dir/crlnumber  # the current crl number          # must be commented out to leave a V1 CRL
 crl    = $dir/crl.pem   # The current CRL
 private_key  = $dir/private/cakey.pem# The private key
 RANDFILE  = $dir/private/.rand # private random number file
[ req_distinguished_name ]
 countryName      = Country Name(2 letter code)
 countryName_default    = CN
 countryName_min     = 2
 countryName_max     = 2
 stateOrProvinceName    = State or Province Name (full name)
 stateOrProvinceName_default  = FJ
 localityName     = Locality Name (eg, city)
 localityName_default   = FZ
 0.organizationName    = Organization Name (eg, company)
 0.organizationName_default  = zdz
 organizationalUnitName   = Organizational Unit Name (eg, section)
 organizationalUnitName_default = zdz

Create the certificate private key 


cd /etc/pki/CA/private


 (umask 077;openssl genrsa -out cakey.pem 2048

)
Generated from the visa document 


cd /etc/pki/CA/

 openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days=3655
2. Create the server certificate 

mkdir /usr/local/nginx/ssl
 cd /usr/local/nginx/ssl


 (umask 077;openssl genrsa -out nginx.key 1024)


 openssl req -new -key nginx.key -out nginx.csr
 openssl ca -in nginx.csr -out nginx.crt -days=3650

3. Create the client browser certificate 


(umask 077;openssl genrsa -out client.key 1024)


vim /etc/pki/tls/openssl.cnf
0

  converts a certificate in text format to one that can be imported into a browser 


vim /etc/pki/tls/openssl.cnf
1

4. Configure nginx server validation 


vim /etc/pki/tls/openssl.cnf
2 

 ssl on;
 ssl_certificate   /usr/local/nginx/ssl/nginx.crt;
 ssl_certificate_key  /usr/local/nginx/ssl/nginx.key;
 ssl_client_certificate /usr/local/nginx/ssl/cacert.pem;
 ssl_session_timeout  5m;
 #ssl_verify_client  on;        The server authenticates the client, temporarily not open, so that the client without the certificate can access, and first completes the one-way authentication 
 ssl_protocols   SSLv2 SSLv3 TLSv1;

SSL reverse proxy
1. Modify the nginx.conf configuration 


vim /etc/pki/tls/openssl.cnf
4

2. Restart the service 


vim /etc/pki/tls/openssl.cnf
5

Related articles: