一、生成服务器root证书
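# Step 1: create the private root CA (the trust anchor clients will import).
# Private keys must never be world-readable; restrict permissions before creating them.
umask 077
openssl genrsa -out root.key 2048
# `req -new` prompts interactively; the answers used on this page were:
#   Country Name (2 letter code) [XX]:                             CN
#   State or Province Name (full name) []:                         Shanghai
#   Locality Name (eg, city) [Default City]:                       Shanghai
#   Organization Name (eg, company) [Default Company Ltd]:         kahn commpany
#   Organizational Unit Name (eg, section) []:                     xou
#   Common Name (eg, your name or your server's hostname) []:      kahn.com
#   Email Address []:                                              37213690@qq.com
#   A challenge password []:                                       <Enter>
#   An optional company name []:                                   <Enter>
# NOTE(review): give the CA a Common Name that differs from the server's
# (e.g. "kahn root CA"); if a leaf certificate's subject is identical to its
# issuer's, OpenSSL can treat the leaf as self-signed and reject the chain.
openssl req -new -key root.key -out root.csr
# `x509 -req` adds no extensions unless given -extfile. Without basicConstraints
# CA:TRUE some clients refuse to import/trust the certificate as an issuer.
# (`<( ... )` is bash process substitution; under plain sh write the two lines
# to a file and pass that path to -extfile.)
openssl x509 -req -days 3650 -in root.csr -signkey root.key -out root.crt \
  -extfile <(printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n')
# Keep root.key offline / out of the web server: it can issue certificates for
# any name that clients trusting root.crt will accept.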
二、生成SSL服务器证书
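# Step 2: create the server key, CSR, and a certificate signed by the root CA.
# Restrict permissions before the key is written; nginx reads it as root at startup.
umask 077
openssl genrsa -out server.key 2048
# Same interactive prompts as for the root CSR. Common Name must be the host
# name clients connect to (kahn.com), but see the note on the CA's CN above:
# the server subject must not be byte-identical to the CA subject.
openssl req -new -key server.key -out server.csr
# Modern browsers ignore the Common Name and require a subjectAltName that
# matches the host; `x509 -req` only emits extensions when given -extfile.
# basicConstraints CA:FALSE / keyUsage / extendedKeyUsage mark this as a
# leaf server certificate only.
# (`<( ... )` is bash process substitution; under plain sh use a temp file.)
openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out server.crt -days 3650 \
  -extfile <(printf 'subjectAltName=DNS:kahn.com\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n')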
#会生成如下6个文件,其中server.*用于nginx
root.crt root.csr root.key root.srl server.crt server.csr server.key
三、部署证书到nginx
下面是一个测试通过的nginx.conf内容
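user nginx nginx;
worker_processes 1;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

events {
    worker_connections 1024;
}

http {
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    server {
        listen       80;
        server_name  localhost;

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

        location / {
            root   html;
            index  index.html index.htm;
        }

        #error_page  404              /404.html;

        # redirect server error pages to the static page /50x.html
        #error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   html;
        }
    }

    # HTTPS server
    # Lives inside http{} as a sibling of the plain-HTTP server{} above.
    server {
        listen       443 ssl;
        server_name  kahn.com;

        # Paths are relative to the nginx prefix directory. The key is read by
        # the master process (root) at startup; keep it mode 0600, not readable
        # by the worker user.
        ssl_certificate      ../ssl-certs/server.crt;
        ssl_certificate_key  ../ssl-certs/server.key;

        ssl_session_cache    shared:SSL:1m;
        ssl_session_timeout  5m;

        # Without ssl_protocols nginx falls back to its build default, which on
        # older releases still includes TLSv1/TLSv1.1. Drop TLSv1.3 from this
        # list on nginx < 1.13 or OpenSSL < 1.1.1 if the config is rejected.
        ssl_protocols        TLSv1.2 TLSv1.3;
        # HIGH:!aNULL:!MD5 still permits non-forward-secret and CBC suites;
        # tighten to an ECDHE-only list once client compatibility is known.
        ssl_ciphers          HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;

        location / {
            alias  /data/www/;
            index  index.html index.htm;
        }
    }

    include ../conf.d/*.conf;
}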
主要看 # HTTPS server
server {
listen 443 ssl;
server_name x179.com;及以下内容。
值得注意的是,开启https是在http{}区域内部,并且和其他server{}同级。
四、验证ssl证书
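# Step 4: verify the certificate the way a client would.
#   -CAfile root.crt   validate the chain against our own root; without it
#                      s_client still connects but reports
#                      "self signed certificate in certificate chain".
#   -servername        send SNI so nginx picks the kahn.com server block
#                      (older OpenSSL releases send no SNI by default).
#   </dev/null         close stdin so the command exits after the handshake.
# Expect "Verify return code: 0 (ok)" and the subjectAltName in the output.
openssl s_client -connect kahn.com:443 -servername kahn.com -CAfile root.crt </dev/null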