1、生成秘钥key,运行:
openssl genrsa -des3 -out server.key 2048
Generating RSA private key, 2048 bit long modulus
.......................................+++
.....................................................+++
e is 65537 (0x10001)
Enter pass phrase for server.key:
Verifying - Enter pass phrase for server.key:
要求输入密钥密码:要记住 (每次使用此ssl文件都会提示输入密码)
如果不想输入密码,则再接上下面一条命令
openssl rsa -in server.key -out server.key
Enter pass phrase for server.key: 上面输入的密码
writing RSA key
)
2、创建服务器证书的申请文件server.csr,运行:
openssl req -new -key server.key -out server.csr
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:otoyix
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Country Name填CN, Common Name 写域名 otoyix (www.otoyix.com中的一段) ,其他回车即可
3、创建CA证书
openssl req -new -x509 -key server.key -out ca.crt -days 3650
Common Name (eg, your name or your server's hostname) []:otoyix
4、创建自当前日期起有效期为期十年的服务器证书server.crt:
openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
此时,会产生5个文件
ca.crt ca.srl server.crt server.csr server.key
Signature ok
subject=/C=CN/L=Default City/O=Default Company Ltd/CN=otoyix
Getting CA Private Key
有用的文件为 server.crt server.key,把这两人个文件加入到nginx ssl配置中即可
如:
listen 443 ssl;
ssl_certificate ssl/server.crt;
ssl_certificate_key ssl/server.key;