|
// ssl 証明書用の秘密鍵を作る(パスワード設定しておく。-des3 は古い暗号なので、鍵ファイルの暗号化には -aes256 を使うのが望ましい) |
|
$ openssl genrsa -des3 -out privkey.pem 2048 |
|
Generating RSA private key, 2048 bit long modulus |
|
......+++ |
|
..................+++ |
|
e is 65537 (0x10001) |
|
Enter pass phrase for privkey.pem: |
|
Verifying - Enter pass phrase for privkey.pem: |
|
|
|
// 秘密鍵から csr を作成 → 証明局に提出して ssl 証明書をもらう |
|
$ openssl req -new -key privkey.pem -out server.csr |
|
Enter pass phrase for privkey.pem: |
|
You are about to be asked to enter information that will be incorporated |
|
into your certificate request. |
|
What you are about to enter is what is called a Distinguished Name or a DN. |
|
There are quite a few fields but you can leave some blank |
|
For some fields there will be a default value, |
|
If you enter '.', the field will be left blank. |
|
----- |
|
Country Name (2 letter code) [XX]:JP → 国コード (必須) |
|
State or Province Name (full name) []:Tokyo → 都道府県名 (必須) |
|
Locality Name (eg, city) [Default City]:Shinjuku → 市町村区 (必須) |
|
Organization Name (eg, company) [Default Company Ltd]: → 会社または組織名 (必須) |
|
Organizational Unit Name (eg, section) []: → 部署名 |
|
Common Name (eg, your name or your server's hostname) []: → サーバ名 (必須) |
|
Email Address []: → Email Address |
|
|
|
Please enter the following 'extra' attributes |
|
to be sent with your certificate request |
|
A challenge password []: → パスワード |
|
An optional company name []: → 会社または組織名 |
|
|
|
// 秘密鍵をパスワード無しに変換 (パスワード無しの鍵は読めた人が誰でも使えるので、chmod 600 などでファイルの権限を所有者のみに絞り、バックアップの privkey.pem.org も同様に保護する) |
|
$ cp privkey.pem privkey.pem.org |
|
$ openssl rsa -in privkey.pem.org -out privkey.pem |
|
|
|
// nginx.conf を修正 |
|
$ vi /etc/nginx/nginx.conf |
|
: |
|
server { |
|
listen 443 ssl http2; |
|
server_name _; |
|
root /var/www/html; |
|
index index.html index.htm; |
|
charset utf-8; |
|
|
|
ssl on; |
|
ssl_certificate /etc/nginx/ssl.keys/fullchain.pem; # 証明局から取得した ssl 証明書に中間CA証明書をくっつけたやつ |
|
ssl_certificate_key /etc/nginx/ssl.keys/privkey.pem; |
|
|
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; |
|
ssl_prefer_server_ciphers on; |
|
ssl_ciphers AESGCM:HIGH:!aNULL:!MD5; |
|
ssl_session_cache shared:SSL:10m; |
|
ssl_session_timeout 5m; |
|
|
|
# 以下はお好みで |
|
#ssl_stapling on; |
|
#ssl_stapling_verify on; |
|
#ssl_trusted_certificate /etc/nginx/ssl.keys/fullchain.pem; |
|
#resolver 8.8.8.8 8.8.4.4 valid=300s; |
|
#resolver_timeout 5s; |