Nginx-based HTTPS service (making an SSL certificate)

1. Role of certificates

An SSL certificate is a digital certificate, comparable to a driver's license or passport. It follows the SSL/TLS protocol and is issued by a trusted certification authority (CA) after the CA has verified the identity of the server.

Benefits of SSL certificates (reference link: https://baijiahao.baidu.com/s?id=1610739873505104305&wfr=spider&for=pc)

SSL certificates provide strong encryption and a faster access experience:
 1. Prevent man-in-the-middle traffic hijacking
 2. HTTPS encryption makes the website safer
 3. Ensure user privacy and information security
 4. Help users identify phishing sites
 5. Plain HTTP is marked as unsafe by browsers
 6. Increase search ranking
 7. Improve company image and credibility

2. Making the SSL certificate

1. Making an SSL certificate depends on OpenSSL, so check that it is installed first; on CentOS 7 it is generally installed by default:

[root@zq testzq]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

2. Generate the private key and the self-signed SSL certificate:

2.1 Generate the private key. Parameters: genrsa generates an RSA private key; -des3 encrypts the key with the 3DES algorithm (you will be prompted for a passphrase); -out server.pass.key is the name of the private key file to write; 2048 is the key length in bits.

[root@zq testzq]# openssl genrsa -des3 -out server.pass.key 2048                
Generating RSA private key, 2048 bit long modulus
.............................................................+++
.......................+++
e is 65537 (0x10001)
Enter pass phrase for server.pass.key:
Verifying - Enter pass phrase for server.pass.key:                # Enter a passphrase of at least 4 characters

[root@zq testzq]# ll
-rw-r--r-- 1 root root 1751 1 month  20 11:01 server.pass.key   # Private key file, passphrase-protected

2.2 Remove the passphrase from the private key (nginx must be able to load the key without prompting for one at startup)

[root@zq testzq]# openssl rsa -in server.pass.key -out server.key
Enter pass phrase for server.pass.key:
writing RSA key

[root@zq testzq]# ll
-rw-r--r-- 1 root root 1679 1 month  20 11:01 server.key            # Private key file without passphrase
-rw-r--r-- 1 root root 1751 1 month  20 11:01 server.pass.key    # Private key file, passphrase-protected

2.3 Generate the CSR (Certificate Signing Request) file

[root@zq testzq]# openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=xdevops/OU=xdevops/CN=gitlab.xdevops.cn"

Parameter description:
                  # req    generate a certificate signing request
                  # -new   create a new request
                  # -key   private key file to sign the request with
                  # -out   CSR file to write
                  # -subj  subject fields of the CSR (C country, ST state, L locality, O organization, OU unit, CN common name, i.e. the site's host name)

2.4 Generate the self-signed SSL certificate

[root@zq testzq]# openssl x509 -req -days 1825 -in server.csr -signkey server.key -out server.crt  # -days: validity period of the certificate (days)
Signature ok
subject=/C=CN/ST=Guangdong/L=Guangzhou/O=xdevops/OU=xdevops/CN=gitlab.xdevops.cn
Getting Private key

[root@zq testzq]# ll
-rw-r--r-- 1 root root 1241 1 month  20 11:00 server.crt             # Self-signed SSL certificate
-rw-r--r-- 1 root root 1021 1 month  20 11:00 server.csr            # Certificate signing request file
-rw-r--r-- 1 root root 1679 1 month  20 11:01 server.key            # Private key file without passphrase
-rw-r--r-- 1 root root 1751 1 month  20 11:01 server.pass.key   # Private key file, passphrase-protected

3. Configure ssl.conf on the nginx server

server {
    listen       8443;
    ssl          on;                               # older syntax; current nginx releases use "listen 8443 ssl;" instead
    ssl_certificate /home/testzq/server.crt;       # the signed SSL certificate (.crt)
    ssl_certificate_key /home/testzq/server.key;   # the private key of that certificate (passphrase removed)
    .............................................
}

server {
    listen       443;
    ssl          on;
    ssl_certificate /home/testzq/server.crt;
    ssl_certificate_key /home/testzq/server.key;
}
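The fragments above only show the two directives that point nginx at the certificate and key. The following is an added, complete server block (example configuration, not the post's own ssl.conf) written in current nginx syntax: it keeps the post's file paths, takes the server_name from the CN in the post's CSR, and adds the TLS settings a production deployment needs. The protocol and cipher choices are this example's assumptions.

```nginx
# Added example, not the original post's configuration.
# Plain HTTP only redirects to HTTPS, so nothing is ever served unencrypted.
server {
    listen      80;
    server_name gitlab.xdevops.cn;
    return 301  https://$host$request_uri;
}

server {
    listen      443 ssl;              # replaces the deprecated "ssl on;" form
    server_name gitlab.xdevops.cn;

    ssl_certificate     /home/testzq/server.crt;
    ssl_certificate_key /home/testzq/server.key;   # keep this file mode 0600, owned by root

    # Only TLS 1.2 and 1.3; SSLv3, TLS 1.0 and TLS 1.1 are obsolete.
    # (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+; drop it on older builds.)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;    # TLS 1.2 clients choose from this modern AEAD-only list
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Session resumption avoids a full handshake on repeat visits.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    location / {
        root  /usr/share/nginx/html;
        index index.html;
    }
}
```

Run `nginx -t` before restarting: it catches a wrong path, a certificate that does not match the key, and unsupported protocol names, all of which would otherwise leave nginx refusing to start. With a self-signed certificate browsers will still show a trust warning; that is expected and is the point of the note at the end of the post.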

Restart the nginx service (run nginx -t first to check the configuration):

[root@zq testzq]# service nginx restart
Redirecting to /bin/systemctl restart nginx.service

4. Verify that the certificate is successfully configured

Two methods:

 1. View directly in the browser
 2. Use the OpenSSL tool on the server

4.1. View directly in the browser

4.2. On the server, use the OpenSSL tool and run the following command, openssl x509 -in diserver.crt -noout -dates, to see the start and end of the certificate's validity period:

[root@zq]# openssl x509 -in diserver.crt -noout -dates
notBefore=Jan 20 06:53:09 2020 GMT
notAfter=Jan 18 06:53:09 2025 GMT
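The four OpenSSL steps in section 2 and the validity check in section 4.2 are shown below as one script. This is an added example, not the commands from the original post: it collapses steps 2.1 and 2.2 (the key is generated without a passphrase, since the post strips it immediately anyway), makes the signing digest explicit, and adds one check the post does not have, namely that the certificate actually belongs to the private key, which is the usual cause of nginx refusing to start with a "key values mismatch" error. It assumes openssl is on PATH; the directory, subject fields and host name are constructed for the example.

```shell
#!/bin/sh
# Added example, not commands from the original post. Condenses steps 2.1-2.4
# into one function and adds the checks from section 4. Assumes `openssl` is
# on PATH; directory, subject fields and file names below are constructed.

# make_selfsigned_cert DIR CN [DAYS]
# Writes DIR/server.key, DIR/server.csr and DIR/server.crt (default: 1825 days).
make_selfsigned_cert() {
    dir="$1"; cn="$2"; days="${3:-1825}"
    mkdir -p "$dir" || return 1
    # Steps 2.1 and 2.2 collapsed: generate the key without a passphrase.
    # umask 077 makes the key readable only by its owner (the post's listing
    # shows mode 644, which lets any local user read the private key).
    ( umask 077 && openssl genrsa -out "$dir/server.key" 2048 2>/dev/null ) || return 1
    # Step 2.3: certificate signing request; -subj avoids the interactive prompts.
    openssl req -new -key "$dir/server.key" -out "$dir/server.csr" \
        -subj "/C=CN/ST=Guangdong/L=Guangzhou/O=example/OU=example/CN=$cn" || return 1
    # Step 2.4: sign the CSR with our own key (self-signed). -sha256 is explicit
    # because old OpenSSL releases default to SHA-1 here.
    openssl x509 -req -sha256 -days "$days" -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null || return 1
}

# cert_matches_key CRT KEY
# Succeeds only when the certificate's public key belongs to the private key:
# both commands print "Modulus=<hex>" and the two must be identical.
cert_matches_key() {
    crt_mod=$(openssl x509 -in "$1" -noout -modulus) || return 1
    key_mod=$(openssl rsa -in "$2" -noout -modulus 2>/dev/null) || return 1
    [ -n "$crt_mod" ] && [ "$crt_mod" = "$key_mod" ]
}

# cert_cn CRT
# Prints the CN of the certificate subject; handles both the "/CN=..." and
# the "CN = ..." subject formats printed by different OpenSSL versions.
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's|.*CN *= *\([^,/]*\).*|\1|p'
}

# cert_valid_for_days CRT DAYS
# Succeeds when the certificate does not expire within DAYS days: the
# machine-checkable form of the notBefore/notAfter check in section 4.2.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Stand-alone run: build a certificate under /tmp and report the checks.
demo() {
    dir="${TMPDIR:-/tmp}/selfsigned-demo"
    make_selfsigned_cert "$dir" gitlab.example.test 1825 || { echo "generation failed"; return 1; }
    cert_matches_key "$dir/server.crt" "$dir/server.key" && echo "certificate matches key"
    echo "CN: $(cert_cn "$dir/server.crt")"
    openssl x509 -in "$dir/server.crt" -noout -dates
}
demo
```

Use cert_matches_key on the exact files named in ssl_certificate and ssl_certificate_key before restarting nginx; cert_valid_for_days with a value such as 30 is the check to put in a cron job so an expiring self-signed certificate is noticed before clients start failing.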

Note: self-signed SSL certificates carry security risks, since browsers cannot verify them and users learn to click through warnings. For production environments, purchase and use a certificate issued by a trusted certification authority.


Tags: OpenSSL SSL Nginx GitLab

Posted on Thu, 06 Feb 2020 00:50:31 -0500 by archonis