Recently I needed to set up an HTTPS test environment, using nginx as a reverse proxy.
I found plenty of material online, but none of it covered the whole process, and I lost time to a number of pitfalls, so I have written up my own steps here. If you happen to run into the same problem, I hope this helps!
**********************************************************
Generating a self-signed SSL certificate with the JDK's keytool (using the SSL certificate for the UAT environment as the example)
1. Open a cmd window and generate the self-signed RSA key pair and certificate that will act as the issuer, with the command:
keytool -genkey -alias uat -keypass password -keyalg RSA -keysize 1024 -validity 365 -keystore D:/UAT/KEY/uat.keystore -storepass password
2. Export the certificate as a .cer file with the export command:
keytool -export -alias uat -keystore D:/UAT/KEY/uat.keystore -storepass password -rfc -file D:/UAT/KEY/uat.cer
3. keytool has no command for exporting the private key, so a small Java class is needed to do it. The test class is as follows:
package test;

import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.util.Base64;

public class SslKey {

    // Load the JKS keystore written by "keytool -genkey".
    public static KeyStore getKeyStore(String keyStorePath, String password) throws Exception {
        try (FileInputStream is = new FileInputStream(keyStorePath)) {
            KeyStore ks = KeyStore.getInstance("JKS");
            ks.load(is, password.toCharArray());
            return ks;
        }
    }

    // Print the private key as PEM. PrivateKey.getEncoded() returns PKCS#8 DER,
    // so the matching PEM label is "PRIVATE KEY" ("RSA PRIVATE KEY" denotes PKCS#1).
    public static PrivateKey getPrivateKey() {
        try {
            KeyStore ks = getKeyStore("D:/UAT/key/uat.keystore", "password");
            PrivateKey key = (PrivateKey) ks.getKey("uat", "password".toCharArray());
            // java.util.Base64 replaces the internal sun.misc.BASE64Encoder, which was removed in Java 9.
            String encoded = Base64.getMimeEncoder(64, "\n".getBytes()).encodeToString(key.getEncoded());
            System.out.println("-----BEGIN PRIVATE KEY-----");
            System.out.println(encoded);
            System.out.println("-----END PRIVATE KEY-----");
            return key;
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    public static void main(String[] args) {
        getPrivateKey();
    }
}
The key comes out as follows:
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----
Create a file named uat.key and paste the key contents into it:
4. At this point the .cer certificate (if you need a .crt certificate, simply rename the .cer file's extension to .crt) can be configured in nginx, but with the key in this form a password has to be entered on every access, which is quite a nuisance. So it is best to run the key file through openssl once more to make it password-free. The steps are:
Install the OpenSSL conversion tools on Windows:
Win64OpenSSL-1_0_2c.exe
vcredist_x64.exe
Then add OpenSSL's bin directory to the system PATH environment variable, and run the command at the OpenSSL> prompt:
rsa -in D:\UAT\key\uat.key -out D:\UAT\key\uat.key.unsecure
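Steps 3 and 4 pass the private key between two encodings, and it is worth being able to tell which one a given .key file holds: Java's PrivateKey.getEncoded() returns a PKCS#8 PrivateKeyInfo, whereas "openssl rsa -out" writes a PKCS#1 RSAPrivateKey, and the two belong under different PEM labels ("PRIVATE KEY" versus "RSA PRIVATE KEY"). The following Python script is an added example, not code from the original post; it uses only the standard library, walks the DER by hand, and reports the format, the modulus size and whether the PEM label matches the bytes inside. The build_sample_pem helper and its textbook RSA numbers (p=61, q=53) are constructed input for the demonstration, not a real key; to check a real file, read uat.key or uat.key.unsecure and pass its text to inspect_private_key.

```python
"""Inspect a PEM private key exported from a Java keystore (added example).
Distinguishes PKCS#8 PrivateKeyInfo (Java getEncoded()) from PKCS#1 RSAPrivateKey
(openssl rsa output) and flags a PEM label that does not match the encoding."""
import base64
import re

RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"

def _read_tlv(data, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(seq_value):
    """Split the contents of a SEQUENCE into a list of (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(seq_value):
        tag, val, pos = _read_tlv(seq_value, pos)
        items.append((tag, val))
    return items

def _decode_oid(val):
    parts, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:                      # base-128 arcs, high bit = continuation
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(n)
            n = 0
    return ".".join(str(p) for p in parts)

def parse_pem(pem_text):
    """Return (label, der_bytes) for the first PEM block in the text."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def _modulus_bits(rsa_seq_value):
    """PKCS#1 RSAPrivateKey is SEQUENCE{version 0, n, e, d, p, q, dP, dQ, qInv}."""
    fields = _children(rsa_seq_value)
    if len(fields) < 9 or fields[0] != (0x02, b"\x00"):
        raise ValueError("not an RSAPrivateKey structure")
    return int.from_bytes(fields[1][1], "big").bit_length()

def inspect_private_key(pem_text):
    label, der = parse_pem(pem_text)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("outer element is not a SEQUENCE")
    top = _children(body)
    # PKCS#8 PrivateKeyInfo: SEQUENCE{version 0, AlgorithmIdentifier SEQUENCE, OCTET STRING}
    is_pkcs8 = (len(top) >= 3 and top[0] == (0x02, b"\x00")
                and top[1][0] == 0x30 and top[2][0] == 0x04)
    if is_pkcs8:
        oid = _decode_oid(_children(top[1][1])[0][1])
        bits = None
        if oid == RSA_ENCRYPTION_OID:      # the OCTET STRING wraps a PKCS#1 RSAPrivateKey
            bits = _modulus_bits(_read_tlv(top[2][1], 0)[1])
        return {"format": "PKCS#8", "algorithm": oid, "bits": bits,
                "label": label, "label_ok": label == "PRIVATE KEY"}
    return {"format": "PKCS#1", "algorithm": RSA_ENCRYPTION_OID,
            "bits": _modulus_bits(body), "label": label,
            "label_ok": label == "RSA PRIVATE KEY"}

# --- constructed sample input (toy numbers, NOT a usable key) -----------------
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _der_int(i):
    return _der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))  # keeps sign bit clear

def build_sample_pem(pkcs8, label=None):
    """Textbook RSA (p=61, q=53) as PKCS#1 or PKCS#8; label can be forced to mismatch."""
    p, q, e = 61, 53, 17
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    rsa = _der(0x30, b"".join(_der_int(x) for x in
                              (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))))
    if pkcs8:   # AlgorithmIdentifier{rsaEncryption, NULL}
        alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
        der, default = _der(0x30, _der_int(0) + alg + _der(0x04, rsa)), "PRIVATE KEY"
    else:
        der, default = rsa, "RSA PRIVATE KEY"
    label = label or default
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

if __name__ == "__main__":
    print(inspect_private_key(build_sample_pem(pkcs8=True)))
    # PKCS#8 bytes under a PKCS#1 label: what a mislabelled Java export looks like
    print(inspect_private_key(build_sample_pem(pkcs8=True, label="RSA PRIVATE KEY")))
    print(inspect_private_key(build_sample_pem(pkcs8=False)))
```

The modulus size is a useful check in its own right: the keytool command above requests 1024 bits, which current browsers and TLS guidance treat as too small, so a real run of this script against uat.key should report at least 2048 before the certificate goes anywhere beyond a throwaway test box.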
5. Copy the certificate files to the test environment and configure nginx's config file (I had renamed uat.cer to uat.crt beforehand), for example:
server {
    listen 443;
    server_name www.uat.com;
    ssl on;   # deprecated since nginx 1.15.0; newer versions use "listen 443 ssl;" instead
    ssl_certificate     D:/UAT/KEY/uat.crt;
    ssl_certificate_key D:/UAT/KEY/uat.key.unsecure;
    #charset koi8-r;
    access_log logs/www.uat.com.log main;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    location / {
        # plain-HTTP backend on port 80; it must not resolve back to this 443 listener
        proxy_pass http://www.uat.com;
    }
    error_page 500 502 503 504 /error.html;
    location = /error.html {
        root html;
    }
}
Restart nginx and HTTPS access works. Because the certificate is self-signed, the browser has to be told to trust it manually on the first visit.
Summary of the commands for each step:
keytool -genkey -alias uat -keypass password -keyalg RSA -keysize 1024 -validity 365 -keystore D:/UAT/KEY/uat.keystore -storepass password
keytool -export -alias uat -keystore D:/UAT/KEY/uat.keystore -storepass password -rfc -file D:/UAT/KEY/uat.cer
-- export the key with SslKey.java
OpenSSL> rsa -in D:\UAT\key\uat.key -out D:\UAT\key\uat.key.unsecure