自建证书

创建用私钥签名的证书

生成私钥

openssl genrsa -out private.key 2048

生成证书请求

openssl req -new -key private.key -out server.csr

这一步需要填写证书信息，如

You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GD
Locality Name (eg, city) [Default City]:GZ
Organization Name (eg, company) [Default Company Ltd]:GZGZ
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:XXXXX.XXXX.com
Email Address []:xxxxxxxx@xx.comPlease enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

其中，Common Name 填写证书绑定的域名，否则证书不能通过信任验证。

生成服务器的私钥

openssl rsa -in private.key -out server.key

使用私钥生成服务器证书

openssl x509 -req -in server.csr -out server.crt -outform pem -signkey server.key -days 365 -sha256

下面的 gitlab 的自建证书过程

Generation of a Self Signed Certificate
Generation of a self-signed SSL certificate involves a simple 3-step procedure:

STEP 1: Create the server private key

openssl genrsa -out gitlab.key 2048

STEP 2: Create the certificate signing request (CSR)

openssl req -new -key gitlab.key -out gitlab.csr

STEP 3: Sign the certificate using the private key and CSR

openssl x509 -req -days 3650 -in gitlab.csr -signkey gitlab.key -out gitlab.crt

Congratulations! You now have a self-signed SSL certificate valid for 10 years.

Strengthening the server security
This section provides you with instructions to strengthen your server security. To achieve this we need to generate stronger DHE parameters.

openssl dhparam -out dhparam.pem 2048