
Creating a self-signed certificate and using it with Nginx

Posted at 2019-11-23


Creating the certificate

Create a directory

[root@ip-xx.xx.xx.xx nginx]# pwd
/etc/nginx
[root@ip-xx.xx.xx.xx nginx]# mkdir -p server_certificates

Create the key and the CSR

  • Generate the key
openssl genrsa 2048 > server.key
[root@ip-xx.xx.xx.xx server_certificates]# pwd
/etc/nginx/server_certificates
[root@ip-xx.xx.xx.xx server_certificates]# openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus
........+++
.....................+++
e is 65537 (0x10001)
[root@ip-xx.xx.xx.xx server_certificates]# ls -1
server.key # Created!
  • Generate the CSR
    • Answer the prompts as appropriate (here I just entered arbitrary values)
openssl req -new -key server.key > server.csr
[root@ip-xx.xx.xx.xx server_certificates]# pwd
/etc/nginx/server_certificates
[root@ip-xx.xx.xx.xx server_certificates]# openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ip-xx.xx.xx.xx server_certificates]# ls -1
server.csr # Created!
server.key

Self-signing

  • Sign the CSR and create the crt
openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt
[root@ip-xx.xx.xx.xx server_certificates]# pwd
/etc/nginx/server_certificates
[root@ip-xx.xx.xx.xx server_certificates]# openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt
Signature ok
subject=/C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd
Getting Private key
[root@ip-xx.xx.xx.xx server_certificates]# ls -1
server.crt # Created!
server.csr
server.key
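The three steps above (key, CSR, self-signature) can be collapsed into a single openssl req -x509 call. The following is an added example, not code from the original article: it puts the server name into a subjectAltName (the session above leaves Common Name blank, and browsers and curl match the name against the SAN, not the CN) and then checks that the resulting pair is usable. Directory, hostname and IP are hypothetical sample values, and -addext needs OpenSSL 1.1.1 or later.

```sh
#!/bin/sh
# Added example (not from the original article): one-step self-signed cert
# with a subjectAltName, plus a self-check. Requires OpenSSL 1.1.1+ (-addext).
# Directory, hostname and IP used here are hypothetical sample values.

# make_selfsigned <dir> <hostname-or-ip> <days>
# Writes <dir>/server.key and <dir>/server.crt like the steps above, but
# with the server name in the SAN so that clients can match it.
make_selfsigned() {
    dir=$1; host=$2; days=$3
    mkdir -p "$dir"
    # An IP literal must be an IP: entry; anything else is a DNS: entry
    case $host in
        *[!0-9.]*) san="DNS:$host" ;;
        *)         san="IP:$host" ;;
    esac
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -keyout "$dir/server.key" -out "$dir/server.crt" \
        -subj "/C=JP/ST=Tokyo/CN=$host" \
        -addext "subjectAltName=$san" \
        -addext "extendedKeyUsage=serverAuth" 2>/dev/null || return 1
    # the private key is what ssl_certificate_key points at: owner-only
    chmod 600 "$dir/server.key"
}

# check_cert <dir> <hostname-or-ip>: returns 0 only if the pair is usable
check_cert() {
    dir=$1; host=$2
    # 1. the certificate must contain the public half of server.key,
    #    otherwise nginx refuses to load the pair
    [ "$(openssl x509 -in "$dir/server.crt" -noout -pubkey)" = \
      "$(openssl pkey -in "$dir/server.key" -pubout)" ] || return 1
    # 2. the name a client connects with must be in the SAN
    #    (openssl prints "... does match" or "... does NOT match")
    case $host in
        *[!0-9.]*) openssl x509 -in "$dir/server.crt" -noout -checkhost "$host" ;;
        *)         openssl x509 -in "$dir/server.crt" -noout -checkip "$host" ;;
    esac | grep -q 'does match' || return 1
    # 3. self-signed: it validates only when pinned as its own trust anchor,
    #    which is what a client has to do (e.g. curl --cacert server.crt)
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1
}
```

Run make_selfsigned /etc/nginx/server_certificates <your server_name> 3650 and point ssl_certificate / ssl_certificate_key at the two files, exactly as in the configuration below.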

Nginx configuration

[root@ip-xx.xx.xx.xx nginx]# pwd
/etc/nginx
[root@ip-xx.xx.xx.xx nginx]# vim nginx.conf

config file

   # Settings for a TLS enabled server.

   server {
       listen       443 ssl http2 default_server;
       listen       [::]:443 ssl http2 default_server;

       # Please change it
       server_name  xx.xx.xx.xx;
       root         /usr/share/nginx/html;

       ssl_certificate "/etc/nginx/server_certificates/server.crt";
       ssl_certificate_key "/etc/nginx/server_certificates/server.key";
       # It is *strongly* recommended to generate unique DH parameters
       # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
       #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
       ssl_session_cache shared:SSL:1m;
       ssl_session_timeout  10m;
       ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
       ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
       ssl_prefer_server_ciphers on;

       # Load configuration files for the default server block.
       include /etc/nginx/default.d/*.conf;

       location / {
       }

       error_page 404 /404.html;
       location = /40x.html {
       }

       error_page 500 502 503 504 /50x.html;
       location = /50x.html {
       }
   }
  • Restart nginx
[root@ip-xx.xx.xx.xx nginx]# service nginx restart
Stopping nginx:                                            [  OK  ]
Starting nginx:                                            [  OK  ]
