117笔记问答在CentOS系统上使用OpenSSL进行证书管理是一个常见的需求,尤其是在配置SSL/TLS加密通信时。以下是一些基本的步骤和命令,帮助你生成、安装和管理OpenSSL证书。
安装OpenSSL
首先,确保你的CentOS系统已经安装了OpenSSL。如果没有安装,可以使用以下命令进行安装:
sudo yum install openssl openssl-devel
生成自签名证书
- 生成CA私钥:
openssl genrsa -out rootCA.key 2048
- 创建并自签名根证书:
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
- 生成服务器证书:
openssl genrsa -out server.key 2048 openssl req -new -key server.key -out server.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=tietou/CN=server.tietou.com" openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500
- 生成客户端证书(可选):
openssl genrsa -out client.key 2048 openssl req -new -key client.key -out client.csr -subj "/C=CN/ST=Beijing/L=Beijing/O=tietou/CN=client.tietou.com" openssl x509 -req -in client.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out client.crt -days 500
配置Nginx使用SSL证书
- 编辑Nginx配置文件:
sudo nano /etc/nginx/conf.d/ssl.conf
- 添加以下内容:
server {
listen 443 ssl;
server_name yourdomain.com;
ssl_certificate /etc/pki/tls/certs/server.crt;
ssl_certificate_key /etc/pki/tls/private/server.key;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA';
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
location / {
root /var/www/html;
index index.html index.htm;
}
}
- 测试Nginx配置并重新加载:
sudo nginx -t sudo systemctl reload nginx
删除OpenSSL证书
- 删除证书文件:
sudo rm /etc/pki/tls/certs/server.crt sudo rm /etc/pki/tls/private/server.key
- 删除证书相关的配置文件(如果有的话):
sudo rm /etc/nginx/conf.d/ssl.conf
- 清理残留的依赖关系和缓存文件:
sudo yum clean all sudo rm -rf /var/cache/yum