1、Prerequisites
A Linux server with the JDK and OpenSSL installed.
There are plenty of guides online for installing the JDK; OpenSSL can be installed directly from the package repository:
yum install openssl openssl-devel -y
2、Generate the key and pem files that nginx can use
2.1、Generate the jks file (valid for 100 years; the command below uses -validity 36524, the session transcript after it was run with 36500, and both give roughly a century)
keytool -genkey -alias kshttps -keyalg RSA -keysize 2048 -validity 36524 -keystore /home/account/kshttps.jks
[account@localhost ~]$ keytool -genkey -alias kshttps -keyalg RSA -keysize 2048 -validity 36500 -keystore /home/account/kshttps.jks
Enter keystore password:
Re-enter new password:
What is your first and last name?
[Unknown]: xx
What is the name of your organizational unit?
[Unknown]: xx
What is the name of your organization?
[Unknown]: xx
What is the name of your City or Locality?
[Unknown]: Wuhan
What is the name of your State or Province?
[Unknown]: Hubei
What is the two-letter country code for this unit?
[Unknown]: CN
Is CN=xx, OU=xx, O=xx, L=Wuhan, ST=Hubei, C=CN correct?
[no]: y
Enter key password for <kshttps>
(RETURN if same as keystore password):
Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore /home/account/kshttps.jks -destkeystore /home/account/kshttps.jks -deststoretype pkcs12".
2.2、Convert the jks file to PKCS12 format
keytool -importkeystore -srckeystore /home/account/kshttps.jks -destkeystore /home/account/kshttps.pkcs12 -deststoretype pkcs12
2.3、Convert PKCS12 to pem
openssl pkcs12 -nodes -in /home/account/kshttps.pkcs12 -out /home/account/kshttps.pem
Note that with -nodes and no -nokeys option this pem file contains both the certificate and the unencrypted private key; to export only the certificate (the file nginx sends to clients), add the -nokeys option and keep the private key in the separate .key file from step 2.4.
2.4、Extract the private key file
openssl pkcs12 -nocerts -nodes -in /home/account/kshttps.pkcs12 -out /home/account/kshttps.key
3、Configure the key and pem files in nginx, then restart nginx for the change to take effect (the paths below assume the two files were copied to /home/account/nginx/ssl/)
ssl_certificate /home/account/nginx/ssl/kshttps.pem;
ssl_certificate_key /home/account/nginx/ssl/kshttps.key;
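Before restarting nginx it is worth checking the two files. The script below is an added example, not part of the original post: it assumes the openssl CLI is on PATH and takes the certificate and key paths as arguments (the hypothetical function names are mine).

```sh
#!/bin/sh
# Added sanity checks for the nginx certificate/key pair produced above
# (not from the original post). Assumes the openssl CLI is on PATH;
# paths are passed as arguments, e.g.
#   check_nginx_tls /home/account/nginx/ssl/kshttps.pem /home/account/nginx/ssl/kshttps.key

# 0 if the private key in $2 belongs to the certificate in $1 (same public key).
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate file carries no PRIVATE KEY block.
# "openssl pkcs12 -nodes" without -nokeys writes the key into the .pem as well,
# so the file handed to ssl_certificate may hold more than it needs to.
cert_file_has_no_key() {
  ! grep -q 'PRIVATE KEY-----' "$1"
}

# 0 if the certificate in $1 is still valid $2 days from now.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# 0 if the key file is readable by its owner only (mode 0600 or 0400);
# the key was exported with -nodes, so file permissions are its only protection.
key_is_owner_only() {
  [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Run all checks on certificate $1 and key $2; non-zero if any check fails.
check_nginx_tls() {
  rc=0
  key_matches_cert "$1" "$2" && echo "ok: key matches certificate" || { echo "FAIL: key does not match certificate"; rc=1; }
  cert_file_has_no_key "$1" && echo "ok: no private key in $1" || { echo "FAIL: private key present in $1"; rc=1; }
  valid_for_days "$1" 30 && echo "ok: certificate valid for 30+ days" || { echo "FAIL: certificate expires within 30 days"; rc=1; }
  key_is_owner_only "$2" && echo "ok: $2 readable by owner only" || { echo "FAIL: $2 readable by group/others"; rc=1; }
  return $rc
}
```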
4、Using SSL directly in Spring Boot
Add the configuration directly to application.yml; kshttps.pkcs12 is the PKCS12 file generated above (the nesting below is significant in YAML):
server:
  ssl:
    key-store-type: pkcs12
    key-store-password: XX
    key-store: ./kshttps.pkcs12