参考博客 https://blog.csdn.net/zkt286468541/article/details/80864184
# 制作CA私钥
openssl genrsa -out ca.key 2048
# 制作CA公钥/根证书
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
# 服务器端证书
# 制作服务器私钥
openssl genrsa -out server.pem 1024
openssl rsa -in server.pem -out server.key
# 生成签发请求
openssl req -new -key server.pem -out server.csr
# 用CA签发证书
openssl x509 -req -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out server.crt
# 客户端证书
# 制作私钥
openssl genrsa -out client.pem 1024
openssl rsa -in client.pem -out client.key
# 生成签发请求
openssl req -new -key client.pem -out client.csr
openssl x509 -req -sha256 -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650 -out client.crt
crt格式转一个p12的证书
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt
server {
listen 48082;
server_name localhost;
ssl on;
ssl_certificate ../cer/server.crt;#配置证书位置
ssl_certificate_key ../cer/server.key;#配置秘钥位置
ssl_client_certificate ../cer/ca.crt;#双向认证
ssl_verify_client on; #双向认证
location / {
root html/tpf_test;
index index.html index.htm;
}
location ^~/api/ {
root html/tpf_test;
proxy_pass http://localhost:28081;
}
}