OpenSSL自签发证书并实现浏览器的安全访问
openssl
传输层安全性/安全套接层及其加密库
项目地址:https://gitcode.com/gh_mirrors/ope/openssl
免费下载资源
·
前言 实现内网通过IP地址访问某系统,需要使用 https,而且不能有不安全的提示,如下图:
不允许这样的情况存在,这就需要使用 openssl 进行自签解决。
1.OpenSSL 自签证书
1.1 安装openssl
[root@master1 ~]# yum install openssl openssl-devel -y
1.2 创建证书存放位置
[root@master1 ~]# mkdir -p /etc/ssl/private
1.3 生成SSL key和CSR
192.168.199.120为安装好的网站服务机器
写入脚本
vim sh.sh
#!/bin/bash
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.120.csr -keyout 192.168.199.120.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.120"
openssl x509 -req -days 365 -in 192.168.199.120.csr -signkey 192.168.199.120.key -out 192.168.199.120.crt -extfile http.ext
~
[root@master1 private]#
[root@master1 private]# sh sh.sh
192.168.199.120.crt 192.168.199.120.csr 192.168.199.120.key sh.sh
[root@master1 private]#
1.4 在nginx修改配置文件
前提
nginx必须支持ssl 如果没有ssl模块需要先添加nginx模块
[root@master1 private]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.22.0
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
built with OpenSSL 1.0.2k-fips 26 Jan 2017
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx/ --user=www --group=www --with-http_ssl_module --with-http_stub_status_module --with-pcre
[root@master1 private]#
修改nginx配置文件
修改端口号 并且添加ssl
server {
listen 443 ssl;
server_name localhost;
ssl_certificate /etc/ssl/private/192.168.199.120.crt;
ssl_certificate_key /etc/ssl/private/192.168.199.120.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
location / {
root html;
index index.html index.htm;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
}
[root@master1 private]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx//conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx//conf/nginx.conf test is successful
[root@master1 private]# /usr/local/nginx/sbin/nginx -s reload
[root@master1 private]#
2.将生成的crt证书导入到chrome浏览器
将192.168.199.120.crt下载到桌面 并导入到chrome
步骤:
浏览器—设置—隐私设置和安全性—安全—管理设备证书—导入证书(在收信人的根证书办法机构)
在chrome浏览器导入证书访问
还是不能够安全的访问
3.解决谷歌导入证书不能安全访问的问题
3.1 删除所有生成的ssl文件
[root@master1 private]# rm -rf 192*
3.2 删除添加到本地的crt认证证书
3.3 创建一个http.ext文件
[root@master1 private]# vim http.ext
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName=@SubjectAlternativeName
[ SubjectAlternativeName ]
IP.1=127.0.0.1
IP.2=192.168.199.120 指定需要访问的ip
3.4 在生成key的ssl后面添加-extfile http.ext
#!/bin/bash
openssl req -new -newkey rsa:2048 -sha256 -nodes -out 192.168.199.120.csr -keyout 192.168.199.120.key -subj "/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.120"
openssl x509 -req -days 365 -in 192.168.199.120.csr -signkey 192.168.199.120.key -out 192.168.199.120.crt -extfile http.ext
3.5 重新运行脚本
[root@master1 private]# sh sh.sh
Generating a 2048 bit RSA private key
......................................................................+++
........................+++
writing new private key to '192.168.199.120.key'
-----
Signature ok
subject=/C=CN/ST=Beijing/L=Beijing/O=Super Inc./OU=Web Security/CN=192.168.199.120
Getting Private key
[root@master1 private]# ls
192.168.199.120.crt 192.168.199.120.csr 192.168.199.120.key http.ext sh.sh
[root@master1 private]#
3.6 重新在本地端导入证书
重点
清空浏览器缓存
重新加载nginx配置文件
[root@master1 private]# /usr/local/nginx/sbin/nginx -s reload
4.访问
GitHub 加速计划 / ope / openssl
25.13 K
9.99 K
下载
传输层安全性/安全套接层及其加密库
最近提交(Master分支:1 个月前 )
fd39d1c8
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
3 个月前
ae87c488
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/25095)
3 个月前
更多推荐
已为社区贡献2条内容
所有评论(0)