Nginx配置SSL证书及浏览器信任设置
- 1.证书生成流程
- 1.1 自签名证书生成
- 1.2 CA机构模拟证书生成
- 2 Nginx配置调整
- 3 本地证书信任配置
1.证书生成流程
1.1 自签名证书生成
通过OpenSSL工具生成基础密钥对:
# 生成私钥
openssl genrsa -out private_key.pem 2048
# 创建证书请求
openssl req -new -key private_key.pem -out cert_request.csr \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Company/CN=example.com"
# 生成自签名证书
openssl x509 -req -in cert_request.csr -signkey private_key.pem -out certificate.pem -days 36500生成后需保留private_key.pem和certificate.pem文件
1.2 CA机构模拟证书生成
创建CA根证书及服务器证书的完整流程:
# 生成CA私钥与根证书
openssl req -x509 -nodes -days 36500 -newkey rsa:2048 \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=CA" \
-keyout ca_private.key -out ca_certificate.crt
# 生成服务器密钥
openssl genrsa -out server_private.pem 2048
# 创建证书请求
openssl req -new -key server_private.pem -out server_csr.csr \
-subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Server/CN=example.com"
# 配置扩展文件
cat > extension.conf <<EOF
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = san
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Guangdong
localityName = Shenzhen
organizationName = Server
[san]
subjectAltName = @alt_names
[alt_names]
DNS.1 = example.com
DNS.2 = backup.example.com
IP.1 = 192.168.1.100
EOF
# 生成带扩展的证书
openssl x509 -req -days 36500 -in server_csr.csr \
-CA ca_certificate.crt -CAkey ca_private.key -CAcreateserial \
-extfile extension.conf -extensions san -out server_certificate.pem2 Nginx配置调整
server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /path/to/server_certificate.pem;
ssl_certificate_key /path/to/server_private.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
client_max_body_size 100m;
}3 本地证书信任配置
通过系统证书管理工具导入CA证书:
- 双击ca_certificate.crt文件
- 选择"安装证书"向导
- 将证书存储到"受信任的根证书颁发机构"
完成配置后,浏览器将识别该证书为可信来源