一、生成服务器root证书

openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr#Country Name (2 letter code) [XX]:---> CN#Country Name (2 letter code) [XX]:---> CN#State or Province Name (full name) []:---> Shanghai#Locality Name (eg, city) [Default City]:---> Shanghai#Organization Name (eg, company) [Default Company Ltd]:---> kahn commpany#Organizational Unit Name (eg, section) []:---> xou#Common Name (eg, your name or your server's hostname) []:---> kahn.com#Email Address []:---> 37213690@qq.com#A challenge password []:---> 回车#An optional company name []:---> 回车
openssl x509 -req -days 3650 -in root.csr -signkey root.key -out root.crt

二、生成SSL服务器证书

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr#Country Name (2 letter code) [XX]:---> CN#State or Province Name (full name) []:---> Shanghai#Locality Name (eg, city) [Default City]:---> Shanghai#Organization Name (eg, company) [Default Company Ltd]:---> kahn commpany#Organizational Unit Name (eg, section) []:---> xou#Common Name (eg, your name or your server's hostname) []:---> kahn.com#Email Address []:---> 37213690@qq.com#A challenge password []:---> 回车#An optional company name []:---> 回车
openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -out server.crt -days 3650

#会生成如下6个文件，其中server.*用于nginx
root.crt  root.csr  root.key  root.srl  server.crt  server.csr  server.key

三、部署证书到nginx

下面是一个测试通过的nginx.conf内容

user  nginx nginx;
worker_processes  1;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;#pid        logs/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '#                  '$status $body_bytes_sent "$http_referer" '#                  '"$http_user_agent" "$http_x_forwarded_for"';#access_log  logs/access.log  main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;server {listen       80;server_name  localhost;#charset koi8-r;#access_log  logs/host.access.log  main;location / {root   html;index  index.html index.htm;}#error_page  404              /404.html;# redirect server error pages to the static page /50x.html#error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}}# HTTPS serverserver {listen       443 ssl;server_name  kahn.com;ssl_certificate      ../ssl-certs/server.crt;ssl_certificate_key  ../ssl-certs/server.key;ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;location / {alias /data/www/;index index.html index.htm;}}include ../conf.d/*.conf;
}

主要看    # HTTPS server
    server {
        listen       443 ssl;
        server_name  x179.com;及以下内容。

值的注意的是，开启https是在http{}区域内部，并且和其他server{}同级。

四、验证ssl证书

openssl s_client -connect kahn.com:443