Category: System Operations
2017-04-26 17:56:17
mkdir ssl
cd ssl
openssl genrsa -out goodcompany.com.key 2048    ## generate the private key
openssl req -new -key goodcompany.com.key -out goodcompany.com.csr    ## generate the certificate signing request (CSR) from the private key
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:Beijing
Locality Name (eg, city) [Default City]:Chaoyang
Organization Name (eg, company) [Default Company Ltd]:Good Company
Organizational Unit Name (eg, section) []:DevOps
Common Name (eg, your name or your server's hostname) []:*.goodcompany.com
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
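(Omitted)
The certificate sent back consists of two parts:
SSL certificate
Intermediate certificate
Put the certificates into the text file goodcompany.com.pem in this order: the SSL certificate first, then the intermediate certificate.
GlobalSign uses the email address from the first registration, a DNS TXT record, or a specific file on the web server to determine the email address the certificate is sent back to.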
openssl rsa -in goodcompany.com.key -out goodcompany.com.key.unsecure
server {
    listen 80;
    # TLS is enabled on 443 only; a server-wide "ssl on;" would make port 80 expect HTTPS as well
    listen 443 ssl;
    ssl_certificate /etc/nginx/conf.d/ssl/goodcompany.com.pem;
    ssl_certificate_key /etc/nginx/conf.d/ssl/goodcompany.com.key.unsecure;
    server_name xyz.goodcompany.com;
    keepalive_timeout 300;
    client_max_body_size 500m;
    client_body_timeout 600s;
    access_log /var/log/nginx/s.goluk.cn.log main;
    ....
}
nginx -t && nginx -s reload
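A check that can be run before the reload, as an added example rather than part of the original post: it confirms that the first certificate in the bundle belongs to the private key and that the second certificate is named as its issuer, which is the order described above. The function names and the throwaway files created by make_constructed_chain are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): check a private key and a
# leaf-then-intermediate PEM bundle before nginx is pointed at them.

# check_bundle KEY PEM -> 0 if PEM's first certificate carries KEY's public key
# and its second certificate is named as the issuer of the first.
check_bundle() {
    key=$1; pem=$2
    tmp=$(mktemp -d) || return 2
    # Split the bundle into cert-1.pem, cert-2.pem, ... in file order.
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/cert-" n ".pem") }' "$pem"
    rc=0
    kpub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || rc=2
    cpub=$(openssl x509 -in "$tmp/cert-1.pem" -noout -pubkey 2>/dev/null) || rc=2
    if [ "$rc" -ne 0 ]; then
        echo "cannot read key or first certificate" >&2
    elif [ "$kpub" != "$cpub" ]; then
        echo "first certificate does not belong to this key" >&2; rc=1
    else
        issuer=$(openssl x509 -in "$tmp/cert-1.pem" -noout -issuer | sed 's/^issuer= *//')
        subject=$(openssl x509 -in "$tmp/cert-2.pem" -noout -subject 2>/dev/null | sed 's/^subject= *//')
        if [ "$issuer" != "$subject" ]; then
            echo "second certificate is not the issuer of the first" >&2; rc=1
        fi
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample input: a throwaway "intermediate" and a leaf signed by it,
# written into directory $1 (stands in for the files a CA would send back).
make_constructed_chain() {
    d=$1
    openssl genrsa -out "$d/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$d/ca.key" -subj "/CN=Constructed Intermediate" -days 1 -out "$d/ca.pem"
    openssl genrsa -out "$d/leaf.key" 2048 2>/dev/null
    openssl req -new -key "$d/leaf.key" -subj "/CN=*.example.test" -out "$d/leaf.csr"
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/ca.pem" > "$d/good.pem"      # leaf first, then intermediate
    cat "$d/ca.pem" "$d/leaf.pem" > "$d/swapped.pem"   # wrong order
}
```

For the files in this post the call would be `check_bundle goodcompany.com.key.unsecure goodcompany.com.pem`, followed by `nginx -t && nginx -s reload` only if it returns 0.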