タグ: ssl

[Nginx] CSR の作成と Nginx での ssl 設定 ( ついでに spdy も )

忘れっぽいので残しておきます

// ssl 証明書用の秘密鍵を作る(パスワード設定しておく)
$ openssl genrsa -des3 -out privkey.pem 2048
Generating RSA private key, 2048 bit long modulus
……+++
………………+++
e is 65537 (0x10001)
Enter pass phrase for privkey.pem:
Verifying – Enter pass phrase for privkey.pem:
// 秘密鍵から csr を作成 → 証明局に提出して ssl 証明書をもらう
$ openssl req -new -key privkey.pem -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
—–
Country Name (2 letter code) [XX]:JP → 国コード (必須)
State or Province Name (full name) []:Tokyo → 都道府県名 (必須)
Locality Name (eg, city) [Default City]:Shinjuku → 市町村区 (必須)
Organization Name (eg, company) [Default Company Ltd]: → 会社または組織名 (必須)
Organizational Unit Name (eg, section) []: → 部署名
Common Name (eg, your name or your server's hostname) []: → サーバ名 (必須)
Email Address []: → Email Address
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: → パスワード
An optional company name []:               → 会社または組織名
// 秘密鍵をパスワード無しに変換
$ cp privkey.pem privkey.pem.org
$ openssl rsa -in privkey.pem.org -out privkey.pem
// nginx.conf を修正
$ vi /etc/nginx/nginx.conf
:
server {
listen 443 ssl http2;
server_name _;
root /var/www/html;
index index.html index.htm;
charset utf-8;
ssl on;
ssl_certificate /etc/nginx/ssl.keys/fullchain.pem; # 証明局から取得した ssl 証明書に中間CA証明書をくっつけたやつ
ssl_certificate_key /etc/nginx/ssl.keys/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AESGCM:HIGH:!aNULL:!MD5;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# 以下はお好みで
#ssl_stapling on;
#ssl_stapling_verify on;
#ssl_trusted_certificate /etc/nginx/ssl.keys/fullchain.pem;
#resolver 8.8.8.8 8.8.4.4 valid=300s;
#resolver_timeout 5s;

view raw
gistfile1.txt
hosted with ❤ by GitHub

自己証明書を作りたい時は…

$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

p7s から pem に変換

$ openssl pkcs7 -in server.p7s -print_certs

[Nginx] pfx 形式の証明書を pem 形式に変換して Nginx で SSL 設定する

まず、openssl コマンドでサーバ証明書と秘密鍵を生成

$ openssl pkcs12 -in input.pfx -nodes -out output.pem
$ openssl pkcs12 -in input.pfx -nocerts -nodes -out output.key

そんで、nginx.conf で設定

server {
    listen      443 default ssl;
    server_name _;
    root        /var/www/html;
    index       index.html index.htm;
    charset     utf-8;

    ssl on;
    ssl_certificate     /path/to/output.pem;
    ssl_certificate_key /path/to/output.key;

    ssl_session_timeout 5m;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # (略)