1. Generate the CA root certificate
(1) Create the private key
openssl genrsa -out rootCA.key 2048
(2) Create the CA root certificate
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.crt
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:changsha
Locality Name (eg, city) []:changsha
Organization Name (eg, company) [Internet Widgits Pty Ltd]:pit
Organizational Unit Name (eg, section) []:pit
Common Name (eg, YOUR name) []:172.22.201.222
Email Address []:pit@qq.com
2. Generate the CA-signed server certificate
(1) Create the private key
openssl genrsa -out server.key 2048
(2) Edit the openssl.cnf file and set the IP.1, IP.2 and DNS.1 entries under [alt_names] to the server's addresses (delete any entry you do not use rather than leaving it empty; an empty IP.n value is rejected when the extension is built)
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 172.22.201.222
IP.2 =
DNS.1 =
[ v3_ca ]
Create the CSR file (make sure the path /etc/pki/tls/openssl.cnf is the correct one for your system)
openssl req -new -key server.key -out server.csr -config /etc/pki/tls/openssl.cnf -extensions v3_req
Note: enter the same information as when creating the CA root certificate. For Common Name, enter the server's IP address or domain name (172.22.201.222).
(3) Sign the CSR with the CA root certificate. Note: the validity period (-days) of server.crt must not exceed that of the CA root certificate.
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extensions v3_req -extfile /etc/pki/tls/openssl.cnf
3. Add the following to the Nginx configuration file nginx.conf, setting ssl_certificate and ssl_certificate_key
server {
    listen 12123 ssl;
    server_name localhost;
    ssl_certificate /etc/pki/tls/certs/server.crt;
    ssl_certificate_key /etc/pki/tls/certs/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    # API endpoint proxy
    location / {
        root html;
        index index.html index.htm;
    }
}
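The whole procedure above (steps 1 to 3) as one non-interactive script, added here as an example and not part of the original page. It passes the subject with -subj instead of answering prompts, writes its own extension config rather than editing /etc/pki/tls/openssl.cnf, and then runs the three checks a practitioner wants before copying the files to Nginx: the leaf verifies against the root, the SAN really carries the server IP, and the root does not expire before the leaf. It assumes the openssl CLI (1.1.1 or later) is on PATH; the subject fields, the IP 172.22.201.222 and the day counts are the page's values, while the root's own CN "pit Root CA", WORKDIR and the function names are this example's choices.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-3 run non-interactively,
# followed by the checks worth doing before deployment.
# Assumptions: openssl 1.1.1+ is on PATH; the script writes its own extension
# config instead of editing /etc/pki/tls/openssl.cnf; subject fields and the IP
# 172.22.201.222 are the page's sample values.
set -eu

command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
SERVER_IP="${SERVER_IP:-172.22.201.222}"
SUBJ_BASE="/C=CN/ST=changsha/L=changsha/O=pit/OU=pit"
CA_DAYS=1024     # page value for the root
LEAF_DAYS=500    # page value for the server cert; must stay below CA_DAYS

# Step 1: CA private key and self-signed root certificate. The root gets its
# own CN (this example's choice) so the server cert's issuer and subject differ.
make_root_ca() {
    openssl genrsa -out "$WORKDIR/rootCA.key" 2048 2>/dev/null
    openssl req -x509 -new -nodes -key "$WORKDIR/rootCA.key" -sha256 \
        -days "$CA_DAYS" -subj "$SUBJ_BASE/CN=pit Root CA" -out "$WORKDIR/rootCA.crt"
}

# The v3_req / alt_names sections from the page, in a standalone file. Only the
# entries actually used are listed: an empty IP.n value makes OpenSSL reject
# the extension.
write_ext_config() {
    cat > "$WORKDIR/server-ext.cnf" <<EOF
[ req ]
prompt = no
distinguished_name = req_dn
req_extensions = v3_req
[ req_dn ]
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
IP.1 = $SERVER_IP
EOF
}

# Step 2: server key, CSR carrying the SAN, then signing by the root. The SAN
# is what clients match against; modern browsers ignore the CN alone.
make_server_cert() {
    write_ext_config
    openssl genrsa -out "$WORKDIR/server.key" 2048 2>/dev/null
    openssl req -new -key "$WORKDIR/server.key" -out "$WORKDIR/server.csr" \
        -subj "$SUBJ_BASE/CN=$SERVER_IP" \
        -config "$WORKDIR/server-ext.cnf" -extensions v3_req
    # -extfile/-extensions are required here: x509 -req drops CSR extensions otherwise.
    openssl x509 -req -in "$WORKDIR/server.csr" \
        -CA "$WORKDIR/rootCA.crt" -CAkey "$WORKDIR/rootCA.key" -CAcreateserial \
        -out "$WORKDIR/server.crt" -days "$LEAF_DAYS" -sha256 \
        -extensions v3_req -extfile "$WORKDIR/server-ext.cnf" 2>/dev/null
}

# Check 1: the leaf chains to the root.
verify_chain() {
    openssl verify -CAfile "$WORKDIR/rootCA.crt" "$WORKDIR/server.crt" >/dev/null
}

# Check 2: the SAN carries the server IP.
has_ip_san() {
    openssl x509 -in "$WORKDIR/server.crt" -noout -text | grep -q "IP Address:$SERVER_IP"
}

# Check 3 (page step 2(3)): the root is still valid when the leaf expires.
# -checkend exits 0 if the certificate does not expire within the given seconds.
root_outlives_leaf() {
    openssl x509 -in "$WORKDIR/rootCA.crt" -noout -checkend $((LEAF_DAYS * 86400)) >/dev/null
}

# After nginx (step 3) is up: confirm the served certificate verifies against
# our root and matches the IP. Not run here; usage: check_live_endpoint 172.22.201.222 12123
check_live_endpoint() {
    openssl s_client -connect "$1:$2" -CAfile "$WORKDIR/rootCA.crt" -verify_ip "$1" \
        </dev/null 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}

make_root_ca
make_server_cert
verify_chain
has_ip_san
root_outlives_leaf
echo "certificates written to $WORKDIR"
```

Nginx only needs server.crt and server.key; rootCA.key signs every future server certificate, so keep it off the web server instead of next to the leaf in /etc/pki/tls/certs. Clients (browsers, curl) must have rootCA.crt in their trust store before check_live_endpoint or their own connections verify; without it they will report an unknown issuer, which is the expected behaviour for a private CA, not a configuration error.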