Shulou(Shulou.com)06/02 Report--

What kind of certificate do we need

I have written a brief book of "tomcat https configuration method (free certificate)" (if you want to see it, you can go to my home page, there is still a lot of related knowledge between these two articles), it has mentioned the classification of commonly used certificates, in which nginx uses a certificate in PEM format, we need two files, one is a .key file, and the other is a .crt file.

How to get a free certificate

Here are two methods:

First: if you are a windows user and have a certificate in .KeyStore format

Then you can use the JKS2PFX conversion tool to convert your keystore certificate to a PEM certificate by cd to the tool directory, and then run the command:

$JKS2PFX

Second: if you are a Linux or OSX system

Generate the secret key key and run:

$openssl genrsa-des3-out server.key 2048

You will be asked for a password twice, and you can enter the same one.

Enter password

Then you get a server.key file.

Later, using this file (through the command provided by openssl or API) may often ask for a password, and if you want to remove the steps to enter a password, you can use the following command:

$openssl rsa-in server.key-out server.key

Create the application file server.csr for the server certificate, and run:

Openssl req-new-key server.key-out server.csr

Which Country Name fill in CN,Common Name host name can not be filled in, if not filled in the browser will think it is not safe. (for example, your future url will be https://abcd/xxxx. . You can fill in abcd) here, and you can leave everything else unfilled.

Create a CA certificate:

Openssl req-new-x509-key server.key-out ca.crt-days 3650

At this point, you can get a ca.crt certificate, which is used to sign your own certificate.

Create a server certificate server.crt valid for ten years from the current date:

The copy code is as follows:

Openssl x509-req-days 3650-in server.csr-CA ca.crt-CAkey server.key-CAcreateserial-out server.crt

Ls your folder and you can see that a total of 5 files have been generated:

Ca.crt ca.srl server.crt server.csr server.key

Among them, server.crt and server.key are the certificate files that your nginx needs.

How to configure nginx

Open your nginx configuration file, search 443 to find the https configuration, and uncomment this code. Or directly copy my following configuration:

Server {listen 443; server_name localhost; ssl on; ssl_certificate / root/Lee/keys/server.crt;# configuration Certificate location ssl_certificate_key / root/Lee/keys/server.key;# configuration key location # ssl_client_certificate ca.crt;# two-way Authentication # ssl_verify_client on; # two-way Authentication ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1 Ssl_ciphers all, exp. RT56, RC4, RSAV, HIGH, Medi, LOW, ssl_prefer_server_ciphers on, SSLv2.

Change ssl_certificate to the path of server.crt and ssl_certificate_key to the path of server.key.

Nginx-s reload overload configuration

At this point, nginx https can be used, the default port 443.

The above is the whole content of this article, I hope it will be helpful to your study, and I also hope that you will support it.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.