使用 OpenSSL 生成 Nginx 自有证书
1、创建配置文件—MyCompanyCA.cnf
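# Settings read by "openssl req" when it creates the self-signed root CA.
[ req ]
distinguished_name = req_distinguished_name
# Section whose extensions are written into the certificate made by "req -x509".
x509_extensions = root_ca

# In this section the text to the right of "=" is the interactive prompt, not
# the field value (a default value would be set with <field>_default). The
# "openssl req -x509" command in step 3 passes -subj, so these prompts are
# skipped and none of the strings below ends up in the CA subject.
[ req_distinguished_name ]
countryName = CN (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = JiangSu
localityName = Suzhou
0.organizationName = xxxx
organizationalUnitName = technology
commonName = develop
commonName_max = 64
emailAddress = xxxxxxxx@xxx.com
emailAddress_max = 64

[ root_ca ]
# Marks the certificate as a CA. "critical" means a verifier that does not
# understand the extension must reject the certificate.
basicConstraints = critical, CA:true
# Restrict the CA key to signing certificates and CRLs, so the CA certificate
# itself cannot be presented as a TLS server or client certificate.
keyUsage = critical, keyCertSign, cRLSign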
2、配置ip或域名扩展文件—MyCompanyLocalhost.ext
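# "openssl x509 -extfile" only reads extensions from the unnamed default section
# unless it is told which section to use. Naming the section here makes the
# signing command in step 3 pick up [req_ext] even when -extensions is omitted;
# without it the issued certificate would carry no subjectAltName at all.
extensions = req_ext

[req_ext]
# Leaf certificate: it must not be usable to sign further certificates.
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = @alt_names
extendedKeyUsage = serverAuth

# Current browsers match the host name against subjectAltName only and ignore
# the CN, so every name or address used to reach the server must be listed here.
[alt_names]
DNS.1 = domain.com
# The request in step 3 uses /CN=localhost; list that name too so that
# https://localhost validates.
DNS.2 = localhost
IP.1 = 127.0.0.1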
3、生成证书
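# 1) Root CA: new RSA key plus self-signed certificate, configured by MyCompanyCA.cnf.
#    -nodes writes MyCompanyCA.pvk unencrypted. Anyone who can read that file can
#    issue certificates that every client trusting this CA will accept, so either
#    drop -nodes (openssl then asks for a passphrase) or keep the file off servers.
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM \
    -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf \
    -nodes -sha256 -subj "/CN=company name CA"

# 2) Server key and certificate signing request. The key is left unencrypted
#    (-nodes) so that Nginx can load it without a passphrase prompt.
openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk \
    -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes

# 3) Sign the request with the CA.
#    -extensions req_ext : the SAN/EKU lines live in the [req_ext] section of the
#                          ext file; without selecting it they are not applied.
#    -CAcreateserial     : lets openssl pick the serial number (stored in
#                          MyCompanyCA.srl) instead of a fixed one; two
#                          certificates from one CA with the same serial are
#                          rejected by some clients.
#    -days 825           : some clients (for example Apple platforms) refuse TLS
#                          server certificates valid for longer, even when the
#                          CA was added to the trust store by hand.
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk \
    -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 825 \
    -extfile MyCompanyLocalhost.ext -extensions req_ext -sha256 -CAcreateserial

# Private keys must be readable by their owner only.
chmod 600 MyCompanyCA.pvk MyCompanyLocalhost.pvk

# To confirm that the Subject Alternative Name entries were written:
#   openssl x509 -in MyCompanyLocalhost.cer -noout -text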
MyCompanyCA.cer
MyCompanyLocalhost.cer
MyCompanyLocalhost.pvk
4、更新Nginx配置文件
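将上面生成的 MyCompanyLocalhost.cer 和 MyCompanyLocalhost.pvk 拷贝到 /etc/nginx 目录下。私钥文件 MyCompanyLocalhost.pvk 应仅允许 root 读取（例如 chmod 600）；CA 私钥 MyCompanyCA.pvk 不需要、也不应拷贝到 Nginx 服务器上。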
更新Nginx配置文件
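server {
    # The "ssl" parameter of listen enables TLS on this socket. The separate
    # "ssl on;" directive was deprecated and later removed from nginx; on
    # current versions it makes the configuration fail to load.
    listen 443 ssl;
    charset utf-8;
    client_max_body_size 200m;
    client_header_timeout 1m;
    client_body_timeout 1m;
    proxy_connect_timeout 60s;
    proxy_read_timeout 1200;
    proxy_send_timeout 1m;

    # Relative paths are resolved against the nginx configuration directory,
    # which is why the two files are copied into /etc/nginx.
    # The key file must not be readable by anyone except root.
    ssl_certificate MyCompanyLocalhost.cer;
    ssl_certificate_key MyCompanyLocalhost.pvk;
    # Older nginx releases still enable TLS 1.0 and 1.1 by default.
    ssl_protocols TLSv1.2 TLSv1.3;

    index index.html index.htm index.nginx-debian.html;
...
}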