Installing a self-issued SSL certificate on CentOS 6 + Nginx

September 7, 2014

When managing databases with phpmyadmin, an SSL connection is needed to protect our data. phpmyadmin is only used by a handful of administrators, so there is no need to buy a certificate from a certification authority; generating one ourselves is enough.

Generating the certificate and key

$ cd /etc/pki/tls/certs/
$ sudo make phpmyadmin.crt
[sudo] password for user01: 
umask 77 ; \
	/usr/bin/openssl genrsa -aes128 2048 > phpmyadmin.key
Generating RSA private key, 2048 bit long modulus
........................................................................................+++
.....+++
e is 65537 (0x10001)
Enter pass phrase:
Verifying - Enter pass phrase:
umask 77 ; \
	/usr/bin/openssl req -utf8 -new -key phpmyadmin.key -x509 -days 365 -out phpmyadmin.crt -set_serial 0
Enter pass phrase for phpmyadmin.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:ShangHai
Locality Name (eg, city) [Default City]:ShangHai
Organization Name (eg, company) [Default Company Ltd]:Qiai IS Corp.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:sai@qiais.com
$ ls

This command generates the files phpmyadmin.crt and phpmyadmin.key under /etc/pki/tls/certs.
The "Enter pass phrase:" prompt in this step asks you to set a passphrase for the private key; remember it, because it is needed below.

Move phpmyadmin.key to /etc/pki/tls/private/

$ sudo mv phpmyadmin.key /etc/pki/tls/private/
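The same generation procedure as one non-interactive script, added here as an example and not code from the original post or from the CentOS Makefile it drives. The post leaves Common Name blank; this version sets the CN and a DNS subjectAltName to the host name nginx will serve, which is what browsers check against server_name, and it writes into a directory you choose instead of /etc/pki/tls so it can be run without root. The function names, the DN values, the sample passphrase and the 365-day validity are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: key + self-signed certificate
# generation without interactive prompts. Function names, DN values and the
# 365-day validity are assumptions.
set -e

# gen_selfsigned DIR NAME CN PASSPHRASE
#   DIR/NAME.key : 2048-bit RSA key, AES-128 encrypted with PASSPHRASE
#   DIR/NAME.crt : self-signed certificate whose CN and DNS SAN are CN
gen_selfsigned() {
    dir=$1; name=$2; cn=$3; pass=$4
    key="$dir/$name.key"; crt="$dir/$name.crt"; cfg="$dir/$name.cnf"
    # same restrictive umask the Makefile uses, so the key is never group/world readable
    (umask 077; openssl genrsa -aes128 -passout "pass:$pass" -out "$key" 2048 2>/dev/null)
    # DN answered from a config section instead of the interactive prompts;
    # the v3_req section adds the SAN that browsers match against the host name
    cat > "$cfg" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
C  = CN
ST = ShangHai
L  = ShangHai
O  = Example Corp
CN = $cn
[v3_req]
subjectAltName = DNS:$cn
EOF
    openssl req -utf8 -new -x509 -days 365 -key "$key" -passin "pass:$pass" \
        -out "$crt" -config "$cfg" -extensions v3_req
    rm -f "$cfg"
}

# cert_cn CRT : print the subject CN of a certificate
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# cert_has_san CRT HOST : exit 0 if HOST appears as a DNS subjectAltName
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# key_matches_cert KEY PASS CRT : exit 0 if the key's public half is the one in CRT
key_matches_cert() {
    k=$(openssl rsa -in "$1" -passin "pass:$2" -noout -modulus)
    c=$(openssl x509 -in "$3" -noout -modulus)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# usage: gen_selfsigned /tmp/pma phpmyadmin phpmyadmin.example.com 'secret'
```

The -set_serial 0 from the post's Makefile run is deliberately left out so that every run gets a random serial; re-issuing a certificate with the same subject and the same serial 0 makes browsers that cached the old one reject the new one as a reused issuer/serial pair.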

Configuring nginx

server {
    listen       443 ssl;
    server_name  localhost;

    client_max_body_size 8M;

    ssl_certificate      /etc/pki/tls/certs/phpmyadmin.crt;
    ssl_certificate_key  /etc/pki/tls/private/phpmyadmin.key;

    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    location / {
        root   /home/sai/public_html/phpmyadmin;
        index  index.php;
    }

    location ~ \.php$ {
        root           /home/user01/public_html;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

server_name localhost; replace localhost with your own domain name, for example phpmyadmin.example.com
root /home/user01/public_html; is the phpmyadmin directory
listen 443 ssl; listens on the SSL port 443; do not forget to open port 443 in iptables as well

Restart nginx; it prompts for the passphrase that was set when the certificate was generated.

$ sudo /etc/rc.d/init.d/nginx restart
Enter PEM pass phrase:
Stopping nginx:                                            [  OK  ]
Starting nginx: Enter PEM pass phrase:
                                                           [  OK  ]

Having to enter the SSL key passphrase every time nginx starts is a nuisance, so we remove the passphrase from the key; after that a restart no longer prompts for it.

$ cd /etc/pki/tls/private/
$ ls
phpmyadmin.key
$ sudo cp phpmyadmin.key phpmyadmin.key.bak
$ sudo openssl rsa -in phpmyadmin.key -out phpmyadmin.key
Enter pass phrase for phpmyadmin.key:
writing RSA key
$
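The passphrase-removal step above, followed by the checks worth running before restarting nginx, as an added example that is not code from the original post. Once the passphrase is gone the key sits on disk in clear text, so whoever can read the file holds the key; the example therefore writes the new key through a temporary file under a restrictive umask, keeps the encrypted .bak copy as the post does, and refuses the restart preconditions unless the key is mode 600, unencrypted, and still matches the certificate nginx will serve. Function names and the sample passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: remove the passphrase from a key
# the way the post does, then verify what nginx needs before a restart.
# Function names and the sample passphrase are assumptions.
set -e

# strip_passphrase KEY PASS : rewrite KEY in place without a passphrase, keeping KEY.bak
strip_passphrase() {
    key=$1; pass=$2
    cp -p "$key" "$key.bak"
    # write to a temp file first so an interrupted run cannot leave a truncated key
    (umask 077; openssl rsa -in "$key" -passin "pass:$pass" -out "$key.tmp")
    mv "$key.tmp" "$key"
    chmod 600 "$key"
}

# key_is_encrypted KEY : exit 0 if the PEM file still carries a passphrase
key_is_encrypted() {
    grep -q ENCRYPTED "$1"
}

# key_mode KEY : print the octal permission bits, e.g. 600 (GNU stat, BSD stat fallback)
key_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# key_matches_cert KEY CRT : exit 0 if the key's public half is the one in CRT
key_matches_cert() {
    [ "$(openssl rsa -in "$1" -noout -modulus)" = "$(openssl x509 -in "$2" -noout -modulus)" ]
}

# check_for_nginx KEY CRT : all preconditions for a prompt-free nginx restart
check_for_nginx() {
    ! key_is_encrypted "$1" || { echo "key still has a passphrase"; return 1; }
    [ "$(key_mode "$1")" = "600" ] || { echo "key is not mode 600"; return 1; }
    key_matches_cert "$1" "$2" || { echo "key does not match certificate"; return 1; }
}

# usage: strip_passphrase /etc/pki/tls/private/phpmyadmin.key 'secret' \
#        && check_for_nginx /etc/pki/tls/private/phpmyadmin.key /etc/pki/tls/certs/phpmyadmin.crt
```

The modulus comparison is the quick way to catch the classic mistake of pointing ssl_certificate_key at a key that was regenerated after the certificate was issued; nginx would only report that at start-up, after the old instance has already been stopped.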

Open the site over https and you will see the page below; ignore the strikethrough and the error mark on "https", because this is an SSL certificate we issued ourselves.

[Screenshot 2014-09-07 11.53.27: the site opened over https]