基于Nginx网站切换HTTPS方式访问

Linux系统下生成证书

生成秘钥key,运行:   填写密码

[arcana@huangning ~]$  openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.............+++
...................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:

然后你就获得了一个server.key文件. 
以后使用此文件(通过openssl提供的命令或API)可能经常回要求输入密码,如果想去除输入密码的步骤可以使用以下命令:

[arcana@huangning ~]$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key

创建服务器证书的申请文件server.csr,运行:

openssl req -new -key server.key -out server.csr

其中Country Name填CN,Common Name填主机名也可以不填,如果不填浏览器会认为不安全.(例如你以后的url为https://abcd/xxxx….这里就可以填abcd),其他的都可以不填. 
创建CA证书:

[arcana@huangning ~]$ openssl req -new -key server.key -out server.csr
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Shanghai 
Locality Name (eg, city) [Default City]:Shanghai   
Organization Name (eg, company) [Default Company Ltd]:dm
Organizational Unit Name (eg, section) []:dm
Common Name (eg, your name or your server's hostname) []:dilogger
Email Address []:tonyandrewhn@126.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:psc@2021
An optional company name []:dm
[arcana@huangning ~]$ 

此时,你可以得到一个ca.crt的证书,这个证书用来给自己的证书签名. 

创建自当前日期起有效期为期十年的服务器证书server.crt：

[arcana@huangning ~]$ openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
Signature ok
subject=/C=CN/ST=Shanghai/L=Shanghai/O=dm/OU=dm/CN=dilogger/emailAddress=tonyandrewhn@126.com
Getting CA Private Key

ls你的文件夹,可以看到一共生成了5个文件:

ca.crt   ca.srl    server.crt   server.csr   server.key

其中,server.crt和server.key就是你的nginx需要的证书文件. 

如何配置nginx

打开你的nginx配置文件,修改nginx.conf找到https的配置,去掉这段代码的注释.或者直接复制我下面的这段配置:

    server {
        listen       8443 default_server;
        server_name  _;
        ssl on;
        ssl_certificate /home/arcana/server.crt;#配置证书位置
        ssl_certificate_key /home/arcana/server.key;#配置秘钥位置  
        #ssl_client_certificate ca.crt;#双向认证
        ##ssl_verify_client on; #双向认证
        #ssl_session_timeout 5m;
        #ssl_protocols SSLv2 SSLv3 TLSv1;
        #ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
        #ssl_prefer_server_ciphers on;

 nginx -s reload 

访问界面示意图：

It‘s work.