Adding a self-signed SSL certificate to a local CentOS virtual machine, accepted by Chrome and IE
First install OpenSSL (mod_ssl is the Apache module; nginx itself only needs the openssl package):
[root@bogon andy]# yum install mod_ssl openssl
After installation the OpenSSL configuration file is normally at /etc/pki/tls/openssl.cnf.
Create a directory for the certificate files (an ssl/ directory under the nginx configuration directory in this walkthrough, which is why the nginx config below refers to ssl/server.crt), then generate the certificate. Step 1: generate a 2048-bit RSA private key.
[root@bogon ssl]# openssl genrsa -out server.key 2048
Generating RSA private key, 2048 bit long modulus
....................................................+++
.......+++
e is 65537 (0x10001)
Restrict the key file to root only (chmod 600 server.key): anyone who can read server.key can impersonate the site, and once this certificate is imported as a trusted root on a client, that key also signs anything that client will trust.
Step 2: create a certificate signing request (CSR). The command immediately prompts for the fields of the Distinguished Name:
[root@bogon ssl]# openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:beijing
Locality Name (eg, city) [Default City]:bj
Organization Name (eg, company) [Default Company Ltd]:by
Organizational Unit Name (eg, section) []:icbc
Common Name (eg, your name or your server's hostname) []:www.zheng888.cn
Email Address []:zhuanba@81my.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:Ops
Assuming the site on the virtual machine is bound to the domain www.zheng888.cn, enter www.zheng888.cn at the "Common Name (eg, your name or your server's hostname)" prompt; browsers compare this against the host in the URL. "A challenge password" is an optional password attribute on the CSR and can be skipped with Enter.
因为Chrome浏览器要求证书中必须包含“Subject Alternative Names”这一参数,所以第三步输入:
[root@bogon ssl]# echo "subjectAltName=DNS:www.zheng888.cn" > cert_extensions
最后第四步生成证书:
[root@bogon ssl]# openssl x509 -req -sha256 -in server.csr -signkey server.key -extfile cert_extensions -out server.crt -days 3650 Signature ok subject=/C=cn/ST=beijing/L=bj/O=by/OU=icbc/CN=www.zheng888.cn/emailAddress=zhuanba@81my.com Getting Private key
下面命令用于生成.pfx证书:
[root@bogon ssl]# openssl pkcs12 -inkey server.key -in server.crt -export -out server.pfx -name server
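The four steps above, as an added example that is not part of the original post: a non-interactive shell version that supplies the DN on the command line (so nothing prompts), attaches the SAN extension, exports the .pfx with a given password, and then checks the two things that most often go wrong, namely that the hostname really is in the SAN and that server.crt matches server.key. The output directory, hostname, lifetime and .pfx password are hypothetical arguments; the DN fields are constants mirroring the answers typed in the post.

```shell
#!/bin/sh
# Added example (not from the original post): non-interactive version of the
# four openssl steps, plus checks on the result.
# Assumptions (hypothetical): DIR, HOST, DAYS and the .pfx password are passed
# as arguments; the DN prefix below mirrors the post's interactive answers.
set -eu

DN_PREFIX="/C=CN/ST=beijing/L=bj/O=by/OU=icbc"

# make_selfsigned_cert DIR HOST DAYS PFX_PASSWORD
# Runs in a subshell so umask and cd do not leak into the caller.
make_selfsigned_cert() (
    dir=$1; host=$2; days=$3; pfxpass=$4
    mkdir -p "$dir" && cd "$dir"
    umask 077                       # new files readable by the owner only
    # Step 1: RSA private key
    openssl genrsa -out server.key 2048 2>/dev/null
    # Step 2: CSR with the DN given on the command line; -batch suppresses prompts
    openssl req -new -batch -key server.key -out server.csr \
        -subj "$DN_PREFIX/CN=$host"
    # Step 3: SAN extension file (Chrome ignores the CN and needs this)
    printf 'subjectAltName=DNS:%s\n' "$host" > cert_extensions
    # Step 4: self-sign with SHA-256 and attach the extension
    openssl x509 -req -sha256 -in server.csr -signkey server.key \
        -extfile cert_extensions -out server.crt -days "$days" 2>/dev/null
    # PKCS#12 bundle for Windows import; password supplied non-interactively
    openssl pkcs12 -export -inkey server.key -in server.crt \
        -name server -out server.pfx -passout "pass:$pfxpass"
    chmod 644 server.crt            # the certificate itself is public
)

# cert_has_san CRT HOST: succeeds only if HOST is listed exactly as a DNS SAN.
# Takes the line after the SAN header, splits it on commas, and requires an
# exact "DNS:HOST" entry so a longer name does not pass by substring match.
cert_has_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//' | grep -qx "DNS:$2"
}

# key_matches_cert CRT KEY: succeeds if the public key in CRT is the one
# derived from KEY (nginx fails to start when these disagree).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Usage: sh make-cert.sh /etc/nginx/ssl www.zheng888.cn 3650 'pfx-password'
if [ $# -eq 4 ]; then
    make_selfsigned_cert "$1" "$2" "$3" "$4"
    cert_has_san "$1/server.crt" "$2" \
        && key_matches_cert "$1/server.crt" "$1/server.key" \
        && echo "OK: $1/server.crt carries DNS:$2 and matches server.key"
fi
```

On OpenSSL 3 the .pfx is written with AES-256 and PBKDF2 by default; if an older Windows refuses to import it, add -legacy to the pkcs12 command.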
With the certificate generated, configure nginx to serve HTTPS. server_name should be the same hostname that was put in the certificate (www.zheng888.cn); with server_name localhost you can still only browse to https://www.zheng888.cn without a name-mismatch warning, because the browser checks the URL host against the SAN, not against server_name. The paths are relative to the nginx configuration directory:
#https configuration begins
listen 443 ssl;
server_name www.zheng888.cn;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
#https configuration ends
Check the configuration with nginx -t, then restart (or reload) nginx so it picks up the certificate.
Install the certificate in the browser: the certificate error and the "not secure" marker only go away once the client trusts the certificate. Here is how to install it from IE:
Open the site over HTTPS in IE and you get the certificate error warning:
Click "View certificates" near the bottom of the error page to see the certificate details; from there it can be installed directly into the Windows certificate manager:
In the certificate details dialog, click "Install Certificate" to start the import:
Windows then asks where to store the certificate. For our purpose, no more security warnings when opening our own site, place it directly in the "Trusted Root Certification Authorities" store, as shown in the screenshot:
Note what this means: the self-signed certificate becomes a trust anchor for that Windows machine, so whoever holds server.key can sign certificates that machine will trust. Only do this on your own test machines, and keep the key private.
Make the selection and click "OK", then "Next". A security warning appears, as shown:
Click "Yes" to confirm adding the root certificate. Close the browser and reopen it to see the effect.
Because Chrome on Windows uses the Windows certificate store rather than a separate store of its own, sorting out IE also sorts out Chrome. Newer Chrome versions ship their own list of public roots but still honor certificates added to the Windows store in this way. Firefox is the exception: it keeps its own certificate store and needs a separate import (or the security.enterprise_roots.enabled preference) before it will trust the certificate.