オレオレ証明書を作ってNginxで使う
証明書作成
ディレクトリ作成
[root@ip-xx.xx.xx.xx nginx]# pwd
/etc/nginx
[root@ip-xx.xx.xx.xx nginx]# mkdir -p server_certificates
keyとcsrを作成
- key生成
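# Generate the 2048-bit RSA private key. The subshell sets umask 077 so the
# key file is created without group/other read permission; a plain redirect
# would honour the caller's default umask (commonly 022, i.e. a 0644 key).
(umask 077; openssl genrsa 2048 > server.key)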
[root@ip-xx.xx.xx.xx server_certificates]# pwd
/etc/nginx/server_certificates
[root@ip-xx.xx.xx.xx server_certificates]# openssl genrsa 2048 > server.key
Generating RSA private key, 2048 bit long modulus
........+++
.....................+++
e is 65537 (0x10001)
[root@ip-xx.xx.xx.xx server_certificates]# ls -1
server.key # Created!
- csr生成
- 質問は適宜 (今回は適当に入力)
# Create the CSR from server.key. Answer the Common Name prompt with the
# hostname (or IP) clients will connect to: the transcript below leaves it
# blank, and the subject printed at the signing step therefore has no CN,
# so TLS hostname verification has nothing to match against.
openssl req -new -key server.key > server.csr
[root@ip-xx.xx.xx.xx server_certificates]# pwd
/etc/nginx/server_certificates
[root@ip-xx.xx.xx.xx server_certificates]# openssl req -new -key server.key > server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@ip-xx.xx.xx.xx server_certificates]# ls -1
server.csr # Created!
server.key
オレオレ署名
- 署名して、crtを作成
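# Self-sign the CSR with server.key, valid for 10 years (-days 3650).
# -sha256 pins the signature digest: the OpenSSL in this transcript looks
# like 1.0.x, whose x509 command defaults to SHA-1, which current browsers
# reject. x509 -req carries over only the CSR subject (no SAN extension),
# so clients that require a matching SAN will still flag the certificate.
openssl x509 -days 3650 -req -sha256 -signkey server.key < server.csr > server.crt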
[root@ip-xx.xx.xx.xx server_certificates]# pwd
/etc/nginx/server_certificates
[root@ip-xx.xx.xx.xx server_certificates]# openssl x509 -days 3650 -req -signkey server.key < server.csr > server.crt
Signature ok
subject=/C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd
Getting Private key
[root@ip-xx.xx.xx.xx server_certificates]# ls -1
server.crt # Created!
server.csr
server.key
Nginx設定
[root@ip-xx.xx.xx.xx nginx]# pwd
/etc/nginx
[root@ip-xx.xx.xx.xx nginx]# vim nginx.conf
config file
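# Settings for a TLS enabled server.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    # Please change it
    server_name xx.xx.xx.xx;
    root /usr/share/nginx/html;

    # Self-signed pair from the steps above; keep server.key readable by
    # root only. The certificate's subject has no CN and no SAN, so clients
    # will warn even when server_name matches what they connected to.
    ssl_certificate "/etc/nginx/server_certificates/server.crt";
    ssl_certificate_key "/etc/nginx/server_certificates/server.key";

    # It is *strongly* recommended to generate unique DH parameters
    # Generate them with: openssl dhparam -out /etc/pki/nginx/dhparams.pem 2048
    #ssl_dhparam "/etc/pki/nginx/dhparams.pem";
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only 1.2. Add TLSv1.3
    # once the nginx and OpenSSL versions in use support it.
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:SEED:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!RSAPSK:!aDH:!aECDH:!EDH-DSS-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!SRP;
    ssl_prefer_server_ciphers on;

    # Load configuration files for the default server block.
    include /etc/nginx/default.d/*.conf;

    # Run `nginx -t` after editing; a syntax error here leaves the restart
    # below with no listening server.
    location / {
    }

    error_page 404 /404.html;
    location = /40x.html {
    }

    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
    }
}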
- restart
[root@ip-xx.xx.xx.xx nginx]# service nginx restart
Stopping nginx: [ OK ]
Starting nginx: [ OK ]