Installing the base modules
# Register the nginx repo
$ vi /etc/yum.repos.d/nginx.repo
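# Write the following contents to nginx.repo and save
[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/mainline/centos/7/$basearch/
# gpgcheck=0 turns off package signature verification for this repo;
# gpgcheck=1 with gpgkey=https://nginx.org/keys/nginx_signing.key turns it on
gpgcheck=0
enabled=1
# Install nginx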
$ yum --enablerepo=nginx install nginx
# Start nginx
$ systemctl start nginx.service
Creating the key and certificate
Create the private key
$ openssl genrsa -aes128 1024 > server.key
Generating RSA private key, 1024 bit long modulus
.......++++++
.......................++++++
e is 65537 (0x10001)
Enter pass phrase: *****
Verifying - Enter pass phrase: *****
Verify failure
User interface error
139960119879584:error:0906906F:PEM routines:PEM_ASN1_write_bio:read key:pem_lib.c:382:
Remove the pass phrase from the private key
$ openssl rsa -in server.key -out server.key
Enter pass phrase for server.key:
writing RSA key
Create the certificate signing request (CSR, which carries the public key)
$ openssl req -new -key server.key > server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]: ***
string is too long, it needs to be less than 2 bytes long
Country Name (2 letter code) [XX]:***
State or Province Name (full name) []:***
Locality Name (eg, city) [Default City]:***
Organization Name (eg, company) [Default Company Ltd]:***
Organizational Unit Name (eg, section) []:***
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:***
An optional company name []:
Create the certificate
$ openssl x509 -in server.csr -days 365 -req -signkey server.key > server.crt
Signature ok
subject=/C=***/ST=***/L=***/O=***/OU=***
Getting Private key
Enter pass phrase for server.key: ***
Move the certificate files into place
$ mv server.* /etc/ssl/certs/
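Added example (not part of the original post): the same key and certificate produced in one non-interactive step, with a 2048-bit key and no pass phrase to strip afterwards, plus a check that the key and certificate belong together before nginx is restarted. The hostname www.example.test and the scratch directory are constructed placeholders, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post. The hostname and directory
# used below are constructed placeholders.
set -eu

# make_selfsigned DIR HOST [DAYS]: write DIR/server.key (RSA 2048, no pass
# phrase) and DIR/server.crt (self-signed, SHA-256) without any prompts.
make_selfsigned() (
    umask 077                      # key is never world-readable, even briefly
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "${3:-365}" \
        -subj "/CN=$2" -keyout "$1/server.key" -out "$1/server.crt" 2>/dev/null
    chmod 600 "$1/server.key"
    chmod 644 "$1/server.crt"
)

# pub_hash key|cert FILE: SHA-256 of the PEM public key. Fails (instead of
# hashing empty input) when FILE cannot be parsed, e.g. an empty server.key.
pub_hash() (
    case $1 in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 1 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || exit 1 ;;
        *)    exit 2 ;;
    esac
    [ -n "$pem" ] || exit 1
    printf '%s\n' "$pem" | openssl sha256 | awk '{print $NF}'
)

# key_bits FILE: modulus size of an RSA private key, e.g. 2048.
key_bits() {
    openssl rsa -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# check_pair KEY CERT: succeed only if the key is at least 2048 bits and the
# certificate was issued for that key.
check_pair() (
    bits=$(key_bits "$1")
    [ "${bits:-0}" -ge 2048 ] || exit 1
    k=$(pub_hash key "$1") || exit 1
    c=$(pub_hash cert "$2") || exit 1
    [ "$k" = "$c" ]
)

# Demo in a scratch directory.
d=$(mktemp -d)
make_selfsigned "$d" www.example.test
check_pair "$d/server.key" "$d/server.crt" && echo "key and certificate match"
rm -rf "$d"
```

Running check_pair against the installed files before the restart catches an empty or mismatched server.key, which nginx would otherwise only report when it fails to start.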
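Configuring nginx
# Edit /etc/nginx/conf.d/ssl.conf
server {
    listen 443 ssl;
    server_name _;
    # "ssl on;" dropped: the ssl parameter on listen already enables TLS, and the
    # directive is obsolete since nginx 1.15.0 and removed in 1.25.1
    # /etc/ssl/certs is a symlink to /etc/pki/tls/certs on CentOS 7
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
}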
Restart nginx
$ systemctl restart nginx.service