Configure HTTPS and self signed certificate for nginx

1、 Get the certificate ready.

The steps are the same as those described in "Using OpenSSL to self-issue the server's HTTPS certificate"; they are repeated here.

Making the CA certificate:

Generate ca.key, the CA private key:

    openssl genrsa -des3 -out ca.key 2048

Make a decrypted copy of the CA private key (generally unnecessary):

    openssl rsa -in ca.key -out ca_decrypted.key

Generate ca.crt, the CA root certificate (public key):

    openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

Next, generate the website's certificate and have the CA sign it. Assume the website's domain name is blog.creke.net.

Generate the blog.creke.net certificate private key:

    openssl genrsa -des3 -out blog.creke.net.pem 1024

Make a decrypted copy of the blog.creke.net certificate private key:

    openssl rsa -in blog.creke.net.pem -out blog.creke.net.key

Generate the signing request:

    openssl req -new -key blog.creke.net.pem -out blog.creke.net.csr

In the Common Name field, enter the website's domain name, e.g. blog.creke.net, to generate a certificate for that site; a wildcard such as *.creke.net generates a site certificate that covers all second-level subdomains.

Sign with the CA:

    openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in blog.creke.net.csr -out blog.creke.net.crt

Here the -policy parameter allows the signing CA and the website certificate to differ in country, locality and other fields, and -days is the validity period of the signature. If you get an error like "I am unable to access the /…/CA/newcerts directory" (the CA directory is set in /etc/pki/tls/openssl.cnf), then:

    mkdir -p CA/newcerts
    touch CA/index.txt
    touch CA/serial
    echo "01" > CA/serial

and re-run the signing command. Finally, paste the contents of ca.crt onto the end of blog.creke.net.crt. This step matters: without it, some browsers will not accept the certificate. The website private key blog.creke.net.key and website certificate blog.creke.net.crt are now ready. Next, configure the server.
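As an added example (not from the original post), the following shell script runs the certificate steps of this section end to end and adds the two checks worth doing before handing the files to nginx: it builds the CA, signs the site certificate, appends ca.crt to it as the post describes, then verifies the result against the CA and confirms the key matches the certificate. It assumes openssl is on PATH, uses constructed names (the output directory, the CA subject), leaves the keys unencrypted so nothing prompts for a passphrase, and substitutes openssl x509 -req for the post's openssl ca step so no CA directory has to be prepared first.

```shell
# make_chain DIR DOMAIN: writes ca.key, ca.crt, DOMAIN.key and DOMAIN.crt
# (site certificate followed by the CA certificate) into DIR.
make_chain() {
    dir="$1"; domain="$2"
    mkdir -p "$dir"
    # Minimal constructed config so the root gets CA extensions regardless of
    # the system openssl.cnf; the empty [dn] section is required with -subj.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=ca_ext\n[dn]\n[ca_ext]\n' > "$dir/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' >> "$dir/req.cnf"
    # CA private key and self-signed root certificate. The key is left
    # unencrypted so nothing prompts; the post's -des3 is the safer choice.
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -days 7305 -key "$dir/ca.key" -out "$dir/ca.crt" \
        -config "$dir/req.cnf" -subj "/CN=Constructed Private CA" 2>/dev/null
    # Site private key and signing request; the CN carries the domain name.
    openssl genrsa -out "$dir/$domain.key" 2048 2>/dev/null
    openssl req -new -key "$dir/$domain.key" -out "$dir/$domain.csr" \
        -config "$dir/req.cnf" -subj "/CN=$domain" 2>/dev/null
    # Sign with the CA. A subjectAltName is added because browsers match the
    # host name against the SAN, not the CN.
    printf 'subjectAltName=DNS:%s\n' "$domain" > "$dir/san.ext"
    openssl x509 -req -days 1460 -in "$dir/$domain.csr" -CA "$dir/ca.crt" \
        -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/san.ext" \
        -out "$dir/$domain.leaf.crt" 2>/dev/null
    # The step the post stresses: append ca.crt so nginx serves the full chain.
    cat "$dir/$domain.leaf.crt" "$dir/ca.crt" > "$dir/$domain.crt"
}

# verify_chain DIR DOMAIN: returns 0 when the site certificate validates
# against ca.crt and the private key matches it, non-zero otherwise.
verify_chain() {
    dir="$1"; domain="$2"
    openssl verify -CAfile "$dir/ca.crt" "$dir/$domain.leaf.crt" >/dev/null 2>&1 || return 1
    # A key/certificate mismatch is the usual reason nginx rejects the pair;
    # compare the public key embedded in each.
    cert_pub=$(openssl x509 -in "$dir/$domain.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$dir/$domain.key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}
```

Run it as `make_chain ./certs blog.creke.net && verify_chain ./certs blog.creke.net`; the resulting blog.creke.net.crt and blog.creke.net.key are what the nginx section below points ssl_certificate and ssl_certificate_key at.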

2、 Configure nginx

Open a new virtual host and set the following in its server {} section:

    listen 443;
    ssl on;
    ssl_certificate /path/to/blog.creke.net.crt;
    ssl_certificate_key /path/to/blog.creke.net.key;

The paths point to the website certificate and key just generated. (On nginx 1.15.0 and later the ssl directive is deprecated; write "listen 443 ssl;" instead of "ssl on;".) Then check the configuration and reload nginx:

    nginx -t
    nginx -s reload

3、 Optimize nginx configuration

Improve nginx performance by adding:

    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

According to the official documentation, a 1m cache can store about 4000 sessions. Also add keepalive_timeout 70; to the server {} block configured with HTTPS.

Sometimes you will find that a program such as phpMyAdmin redirects to HTTP by mistake after logging in. The fix is to add the following in the location ~ .*\.(php|php5)?$ {} block, in the included fcgi.conf, or after the fastcgi_param settings:

    fastcgi_param HTTPS on;
    fastcgi_param HTTP_SCHEME https;

The official nginx documentation on HTTPS can also be used as a reference.

Note: reposted from http://blog.creke.net/762.html
