Installing nginx with Chinese national-standard (GmSSL) certificates
Pre-installation preparation
Environment: CentOS 7 1810
Package download address: https://download.csdn.net/download/weixin_45548465/87512505
This document describes an installation based on that package.
Install the build dependencies:
yum install -y vim lrzsz tree screen psmisc lsof tcpdump wget ntpdate gcc gcc-c++ glibc glibc-devel pcre pcre-devel openssl openssl-devel systemd-devel net-tools iotop bc zip unzip zlib-devel bash-completion nfs-utils automake libxml2 libxml2-devel libxslt libxslt-devel perl perl-ExtUtils-Embed
If the target machine has no internet access and cannot run yum, download the packages manually and install them with rpm; some of the rpm packages are as follows.
Reference: https://blog.csdn.net/weixin_45548465/article/details/124913456
Software installation
Installing GmSSL
- Extract the downloaded archive to obtain GmSSL-master.zip, upload it to the /root directory of the target machine, and run:
unzip /root/GmSSL-master.zip
cd GmSSL-master/
./config --prefix=/usr/local/gmssl
make -j4 && sudo make install
- Check whether the installation succeeded
/usr/local/gmssl/bin/gmssl version
If it reports that the libssl.so.1.1 library file cannot be found,
fix it by creating symbolic links. My installation directory is /usr/local/gmssl; run the following commands (use find to locate the library files libssl.so.1.1 and libcrypto.so.1.1 if they are elsewhere):
ln -s /usr/local/gmssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/gmssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln -sv /usr/local/gmssl/bin/gmssl /usr/sbin/
Run the version check again to confirm that GmSSL is installed successfully.
Compiling and installing nginx with the OpenSSL path replaced by the GmSSL path
- Upload the package and run:
tar xvf nginx-1.21.6.tar.gz -C /usr/local/
vim /usr/local/nginx-1.21.6/auto/lib/openssl/conf
Change every $OPENSSL/.openssl/ to $OPENSSL/, so that the four lines read:
CORE_INCS="$CORE_INCS $OPENSSL/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/lib/libcrypto.a"
cd /usr/local/nginx-1.21.6/
./configure --prefix=/apps/nginx \
--with-http_ssl_module \
--with-http_v2_module \
--with-http_realip_module \
--with-http_stub_status_module \
--with-http_gzip_static_module \
--with-pcre \
--with-stream \
--with-stream_ssl_module \
--with-stream_realip_module \
--with-openssl=/usr/local/gmssl
make -j4 && sudo make install
- Verify the version
ln -sv /apps/nginx/sbin/nginx /usr/sbin
nginx -V
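The edit to auto/lib/openssl/conf above is easy to get wrong by hand. The script below is an added example, not part of the original post: it applies the same $OPENSSL/.openssl/ to $OPENSSL/ rewrite with sed and then verifies that nothing was missed, using a constructed copy of the four stock nginx-1.21.6 lines as sample input.

```shell
#!/bin/sh
# Added example (not from the original post): script the edit of
# auto/lib/openssl/conf so that it can be verified instead of done by hand
# in vim. Assumes the stock nginx-1.21.6 layout quoted in the post.

# patch_openssl_conf FILE: rewrite every "$OPENSSL/.openssl/" to "$OPENSSL/"
# so the build links straight against the GmSSL prefix (/usr/local/gmssl).
# Returns 0 when no ".openssl/" reference is left, 1 otherwise.
patch_openssl_conf() {
    conf="$1"
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    # "\$" and "\." keep the dollar sign and the dot literal in the pattern.
    sed -i 's#\$OPENSSL/\.openssl/#$OPENSSL/#g' "$conf"
    if grep -q '\.openssl/' "$conf"; then
        echo "unpatched .openssl/ reference remains in $conf" >&2
        return 1
    fi
    return 0
}

# count_gmssl_refs FILE: number of lines that now point at $OPENSSL/include
# or $OPENSSL/lib (4 for the stock file).
count_gmssl_refs() {
    grep -cE '\$OPENSSL/(include|lib)' "$1" || true
}

# Constructed sample: the four lines from the stock nginx-1.21.6 file.
make_sample_conf() {
    cat > "$1" <<'EOF'
CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include"
CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a"
CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libcrypto.a"
EOF
}

# On a real tree: patch_openssl_conf /usr/local/nginx-1.21.6/auto/lib/openssl/conf
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_conf "$tmp"
    patch_openssl_conf "$tmp" && cat "$tmp"
    rm -f "$tmp"
fi
```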
Edit the main configuration file and add the following line just above the closing } at the end, so that sub-configuration files ending in .conf are included:
mkdir /apps/nginx/conf/conf.d
vim /apps/nginx/conf/nginx.conf
include /apps/nginx/conf/conf.d/*.conf;
}
Generating SM2 certificates
Create the required files and directories:
mkdir /usr/local/gmssl/ssl/CA        ## holds the CA certificate, key and certificate requests
mkdir /usr/local/gmssl/ssl/newcerts  ## holds newly signed certificates
touch /usr/local/gmssl/ssl/index.txt # database of signed certificates
touch /usr/local/gmssl/ssl/serial    # serial number file for new certificates
touch /usr/local/gmssl/ssl/crlnumber # used when revoking certificates
echo '01' > /usr/local/gmssl/ssl/serial    # initial serial number
echo '01' > /usr/local/gmssl/ssl/crlnumber # initial CRL number
vim /usr/local/gmssl/ssl/openssl.cnf
dir = /usr/local/gmssl/ssl/ ## change the default working directory
private_key = $dir/CA/rootca.key ## path of the root CA private key
certificate = $dir/CA/rootcasm2.cer ## path of the root CA certificate (public key)
Add a [ v3enc_req ] section:
[ v3enc_req ]
basicConstraints = CA:FALSE
keyUsage = keyAgreement, keyEncipherment, dataEncipherment
Generate the certificates; remember to change the organization and domain name (adjust them to the requirements of the inspection body).
gmssl ecparam -genkey -name SM2 -out /usr/local/gmssl/ssl/CA/rootca.key
gmssl req -new -x509 -sm3 -key /usr/local/gmssl/ssl/CA/rootca.key -out /usr/local/gmssl/ssl/CA/rootcasm2.cer -days 10000 -subj '/C=CN/O=HUB/OU=XINING_SM2'
gmssl ecparam -genkey -name SM2 -noout -out /usr/local/gmssl/ssl/CA/server.key
gmssl req -new -SM3 -key /usr/local/gmssl/ssl/CA/server.key -out /usr/local/gmssl/ssl/CA/server.csr -subj '/C=CN/O=HUB/OU=XINING_SM2/CN=www.test.com'
cd /usr/local/gmssl/ssl/CA/
gmssl x509 -req -SM3 -days 3650 -in server.csr -extfile ../openssl.cnf -extensions v3_req -CA rootcasm2.cer -CAkey rootca.key -set_serial 1000000001 -out server.cer
gmssl ecparam -genkey -name SM2 -noout -out server_en.key
gmssl req -new -SM3 -key server_en.key -out server1.csr -subj '/C=CN/O=HUB/OU=XINING_SM2/CN=www.test.com'
gmssl x509 -req -SM3 -days 3650 -in server1.csr -extfile ../openssl.cnf -extensions v3enc_req -CA rootcasm2.cer -CAkey rootca.key -set_serial 1000002001 -out server_en.cer
gmssl ecparam -genkey -name SM2 -noout -out client.key
gmssl req -new -key client.key -out client.req -subj "/C=CN/O=HUB/OU=XINING_SM2/CN=client"
gmssl x509 -req -SM3 -days 3650 -in client.req -extfile ../openssl.cnf -extensions v3_req -CA rootcasm2.cer -CAkey rootca.key -CAcreateserial -out client.cer
gmssl ecparam -genkey -name SM2 -noout -out client_en.key
gmssl req -new -key client_en.key -out client_en.req -subj "/C=CN/O=HUB/OU=XINING_SM2/CN=client"
gmssl x509 -req -SM3 -days 3650 -in client_en.req -CA rootcasm2.cer -extfile ../openssl.cnf -extensions v3enc_req -CAkey rootca.key -CAcreateserial -out client_en.cer
nginx configuration
- Create the configuration file
vim /apps/nginx/conf/conf.d/ssl.conf
Edit the configuration file; change the proxy address to match your environment:
server {
    listen 443 ssl;
    ssl_certificate /usr/local/gmssl/ssl/CA/server.cer;        # signing certificate (v3_req)
    ssl_certificate_key /usr/local/gmssl/ssl/CA/server.key;
    ssl_certificate /usr/local/gmssl/ssl/CA/server_en.cer;     # encryption certificate (v3enc_req)
    ssl_certificate_key /usr/local/gmssl/ssl/CA/server_en.key;
    ssl_session_cache shared:SSL:1m;   # enable the session cache, size 1 MB
    ssl_session_timeout 5m;            # how long a client may reuse session parameters (unusable after the timeout)
    #ssl_verify_client on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECC-SM4-SM3:ECDHE-SM4-SM3:SM2-WITH-SMS4-SM3:ECDHE-SM2-WITH-SMS4-GCM-SM3:HIGH:!aNULL:!MD5:!RC4:!DHE;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://192.168.190.178:8080;
        proxy_redirect default;
    }
}
- Start nginx
nginx -c /apps/nginx/conf/nginx.conf
nginx -s reload
To proxy multiple services, create several conf files (named *.conf) under the conf.d directory, for example ssl6002.conf.
The ports in the conf files must not conflict. The certificates can be the same for all of them, or you can generate new SM2 certificates and point each file at its own.
Copyright belongs to the original author, 还寝梦佳柒. If this infringes your rights, please contact us to have it removed.
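A common mistake when adding more conf.d files is to copy only one certificate pair: the GM handshake needs both the signing and the encryption certificate. The check below is an added example, not from the original post; it lints a server block for the dual-certificate layout and for an SM2/SM4 cipher suite, ignoring commented-out directives, and builds its own constructed good and bad samples from the post's ssl.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: lint an nginx server block
# for the GmSSL dual-certificate layout (SM2 signing cert + SM2 encryption
# cert) that the post configures. Paths below are the post's own.

# Drop comments ("#" to end of line) and blank lines so commented-out
# directives such as "#ssl_verify_client on;" are not counted.
strip_comments() { sed 's/#.*$//' "$1" | grep -v '^[[:space:]]*$'; }

# count_directive NAME FILE: how many active lines start with NAME.
count_directive() {
    strip_comments "$2" | grep -c "^[[:space:]]*$1[[:space:]]" || true
}

# check_gm_ssl_conf FILE: 0 when the block carries two ssl_certificate and
# two ssl_certificate_key directives and ssl_ciphers names an SM2/SM4 suite;
# otherwise prints the findings on stderr and returns 1.
check_gm_ssl_conf() {
    rc=0
    certs=$(count_directive ssl_certificate "$1")
    keys=$(count_directive ssl_certificate_key "$1")
    if [ "$certs" -ne 2 ] || [ "$keys" -ne 2 ]; then
        echo "want 2 ssl_certificate + 2 ssl_certificate_key, got $certs + $keys" >&2
        rc=1
    fi
    if ! strip_comments "$1" | grep '^[[:space:]]*ssl_ciphers' | grep -qE 'SM2|SM4|SMS4'; then
        echo "ssl_ciphers names no SM2/SM4 suite" >&2
        rc=1
    fi
    return $rc
}

# Constructed samples: "good" mirrors the post's ssl.conf, "bad" omits the
# encryption certificate pair and the SM suites.
write_sample_conf() {
    {
        echo 'server {'
        echo '    listen 443 ssl;'
        echo '    ssl_certificate /usr/local/gmssl/ssl/CA/server.cer;'
        echo '    ssl_certificate_key /usr/local/gmssl/ssl/CA/server.key;'
        if [ "$2" = good ]; then
            echo '    ssl_certificate /usr/local/gmssl/ssl/CA/server_en.cer;'
            echo '    ssl_certificate_key /usr/local/gmssl/ssl/CA/server_en.key;'
            echo '    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECC-SM4-SM3:ECDHE-SM4-SM3:HIGH:!aNULL:!MD5;'
        else
            echo '    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5;'
        fi
        echo '    #ssl_verify_client on;'
        echo '    location / { proxy_pass http://192.168.190.178:8080; }'
        echo '}'
    } > "$1"
}
```

Run it as `check_gm_ssl_conf /apps/nginx/conf/conf.d/ssl.conf` for each file before `nginx -s reload`.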