Create the server certificate key file server.key
    openssl genrsa -des3 -out server.key 2048
You will be prompted for a pass phrase at this point. Remember this pass phrase.
openssl syntax
    openssl genrsa [-out filename] [-passout arg] [-f4] [-3] [-rand file(s)] [-engine id] [numbits] [-des] [-des3] [-idea]
    usage: genrsa [args] [numbits]
     -des            encrypt the generated key with DES in cbc mode
     -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)
     -idea           encrypt the generated key with IDEA in cbc mode
     -seed           encrypt PEM output with cbc seed
     -aes128, -aes192, -aes256
                     encrypt PEM output with cbc aes
     -camellia128, -camellia192, -camellia256
                     encrypt PEM output with cbc camellia
     -out file       output the key to 'file
     -passout arg    output file pass phrase source
     -f4             use F4 (0x10001) for the E value
     -3              use 3 for the E value
     -engine e       use engine e, possibly a hardware device.
     -rand file:file:...
                     load the file (or the files in the directory) into the random number generator
Create the server certificate request file server.csr
    openssl req -new -key server.key -out server.csr
You will be asked to enter the following. The output is:
    Enter pass phrase for root.key:  (enter the pass phrase created earlier)
    Country Name (2 letter code) [AU]:CN  (country code; enter CN for China)
    State or Province Name (full name) [Some-State]:BeiJing  (full name of the province, in pinyin)
    Locality Name (eg, city) []:BeiJing  (full name of the city, in pinyin)
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Yvioo  (company name in English; anything will do)
    Organizational Unit Name (eg, section) []:  (unit name; may be left empty)
    Common Name (eg, YOUR name) []:  (enter your name)
    Email Address []:admin@mycompany.com  (e-mail address; anything will do)
    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []:  (may be left empty)
    An optional company name []:  (may be left empty)
Back up a copy of the server key file
    cp server.key server.key.org
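Remove the pass phrase from the key file
    openssl rsa -in server.key.org -out server.key
You will be asked for the earlier pass phrase. Enter the pass phrase you set at the beginning.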
Generate the certificate file server.crt
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
The folder will then contain four files.
Configure the certificate in Nginx
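Adjust the paths below to your own setup.
    # HTTPS server
    #
    server {
        listen 443 ssl;
        server_name localhost;
        # The ssl/ directory used here lies inside the document root set in
        # "location /" below; keep server.key outside that root (or deny
        # access to /ssl/) so it is not served as a static file.
        ssl_certificate /usr/share/nginx/html/ssl/server.crt;
        ssl_certificate_key /usr/share/nginx/html/ssl/server.key;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            root /usr/share/nginx/html;
            index index.html index.htm;
        }
    }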
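To allow access over SSL only, make the corresponding change: remove the ssl parameter from the listen line above
    listen 443;
and add the following directive
    ssl on;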
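As an added example (not from the original post), the script below checks the files produced by the steps above before nginx is pointed at them: server.crt must match server.key, the now-unencrypted key must not be readable by group or others, it must not sit under the nginx root, and the certificate must not be about to expire. The function names check_pair and make_sample_pair, the 30-day default and absolute paths are assumptions of this example; the sample pair is constructed in a temporary directory.

```shell
# check_pair KEY CRT DOCROOT [MIN_DAYS]: one line per problem, returns their count.
check_pair() {
    key=$1 crt=$2 docroot=${3%/} min_days=${4:-30} problems=0
    if grep -q ENCRYPTED "$key"; then
        # Pass phrase not removed yet: the key cannot be compared or loaded.
        echo "key is still passphrase-protected"; problems=$((problems + 1))
    else
        # The certificate must contain the public half of this private key.
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
        crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
        if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
            echo "certificate does not match the private key"
            problems=$((problems + 1))
        fi
    fi
    # An unencrypted key is protected only by file permissions:
    # characters 5-10 of the ls mode string are the group/other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "key is accessible to group or others"; problems=$((problems + 1))
    fi
    # A key below the document root can be downloaded like any static file.
    case $key in "$docroot"/*)
        echo "key is inside the document root"; problems=$((problems + 1)) ;;
    esac
    # -checkend exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) \
            >/dev/null 2>&1; then
        echo "certificate expires within $min_days days"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Constructed sample: the same three openssl steps, run non-interactively
# (-subj answers the prompts; no pass phrase is set) into directory $1.
make_sample_pair() {
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/server.key" -subj "/C=CN/CN=localhost" \
        -out "$1/server.csr" &&
    openssl x509 -req -days 365 -in "$1/server.csr" \
        -signkey "$1/server.key" -out "$1/server.crt" 2>/dev/null &&
    chmod 600 "$1/server.key"
}

# Demo in a throwaway directory; DOCROOT is the nginx root used on this page.
tmp=$(mktemp -d) && make_sample_pair "$tmp" &&
    check_pair "$tmp/server.key" "$tmp/server.crt" /usr/share/nginx/html &&
    echo "all checks passed"
rm -rf "$tmp"
```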
From: wintelsui > 《好好学 Web 开发》