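Background:
OpenSSL works with files that have the following extensions:
.key: the private key
.csr: certificate signing request (the certificate request file); it contains the public key information
.crt: certificate file, short for "certificate"
.crl: Certificate Revocation List
.pem: the format used for certificates when exporting and importing them; the content is wrapped in certificate header and footer lines
Log in to any Linux machine and generate a self-signed certificate: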
$ openssl genrsa -des3 -out server.key 2048
Enter pass phrase for server.key: enter your passphrase

$ openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key: enter your passphrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []: your province
Locality Name (eg, city) [Default City]: your city
Organization Name (eg, company) [Default Company Ltd]: your company name
Organizational Unit Name (eg, section) []: your organizational unit
Common Name (eg, your name or your server's hostname) []: the address of the site to be encrypted
Email Address []: the administrator's email; if you plan to apply for a certificate issued by an official CA, use the email address registered in WHOIS

Please enter the following 'extra' attribute
to be sent with your certificate request
A challenge password []: a password, preferably made up only of digits and upper- and lower-case letters
An optional company name []:
$ mv server.key server.key.orignal
# The next command removes the passphrase from the key, so nginx does not ask for it at startup
$ openssl rsa -in server.key.orignal -out server.key
Enter pass phrase for server.key.orignal: enter the passphrase you chose at the start
writing RSA key
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
$ ll
total 16
-rw-rw-r-- 1 work work 1375 Aug 25 17:46 server.crt
-rw-rw-r-- 1 work work 1139 Aug 25 17:44 server.csr
-rw-rw-r-- 1 work work 1679 Aug 25 17:46 server.key
-rw-rw-r-- 1 work work 1751 Aug 25 17:37 server.key.orignal
In the end, the files we need are server.crt and server.key. It is best to rename them to a .crt and .key named after your site, so they are easy to tell apart.
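The listing above shows server.key, which no longer has a passphrase, readable by group and others. The following is an added example, not part of the original post: a non-interactive version of the same openssl steps plus a check to run before pointing nginx at the files. The function names make_pair and check_pair are hypothetical, and the example assumes the key is created without a passphrase from the start instead of stripping it afterwards.

```shell
#!/bin/sh
# Added example (not from the original post). make_pair and check_pair
# are hypothetical helper names.

# make_pair DIR CN: unencrypted 2048-bit RSA key, CSR and 365-day
# self-signed certificate, using the same openssl subcommands as above.
make_pair() {
    dir=$1 cn=$2
    (
        umask 077    # key file is created 0600 instead of 0664
        openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    ) || return 1
    openssl req -new -key "$dir/server.key" -subj "/CN=$cn" \
        -out "$dir/server.csr" || return 1
    openssl x509 -req -days 365 -in "$dir/server.csr" \
        -signkey "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
}

# check_pair CRT KEY
#   returns 0 if the certificate matches the key and the key is private,
#   1 if the public keys differ or a file cannot be read without a passphrase,
#   2 if the key file is accessible to group or others.
check_pair() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    # -passin pass: makes an encrypted key fail instead of prompting
    key_pub=$(openssl pkey -pubout -in "$2" -passin pass: 2>/dev/null) || return 1
    [ "$crt_pub" = "$key_pub" ] || return 1
    # Characters 5-10 of "ls -l" output are the group and other permission bits.
    [ "$(ls -ld "$2" | cut -c5-10)" = "------" ] || return 2
    return 0
}
```

Run `chmod 600 server.key` on a key that fails with status 2, then run `check_pair server.crt server.key` again before reloading nginx.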
nginx configuration
server {
    listen 8000;
    server_name your-domain;

    # Redirect plain HTTP requests to HTTPS
    rewrite ^(.*) https://$server_name$1 permanent;
}

# other configuration omitted

server {
    # "ssl on;" is deprecated; TLS is enabled with the ssl parameter of listen
    listen 8443 ssl;
    server_name your-domain;

    ssl_certificate /home/work/nginx/https/server.crt;
    ssl_certificate_key /home/work/nginx/https/server.key;

    location / {
        # omitted
    }
}