linux openssl自制证书

下面是手动颁发证书的操作:
[root@linux-node1 ~]# cd /usr/local/nginx/conf/
[root@linux-node1 conf]# mkdir ssl
[root@linux-node1 conf]# cd ssl/
[root@linux-node1 ssl]# openssl genrsa -des3 -out aoshiwei.com.key 1024
Generating RSA private key, 1024 bit long modulus
................................++++++
....................................++++++
e is 65537 (0x10001)
Enter pass phrase for aoshiwei.com.key: #提示输入密码,比如这里我输入123456
Verifying - Enter pass phrase for aoshiwei.com.key: #确认密码,继续输入123456

[root@linux-node1 ssl]# ls #查看,已生成CSR(Certificate Signing Request)文件
aoshiwei.com.key

[root@linux-node1 ssl]# openssl req -new -key aoshiwei.com.key -out aoshiwei.com.csr
Enter pass phrase for aoshiwei.com.key: #输入123456
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn #国家
State or Province Name (full name) []:beijing #省份
Locality Name (eg, city) [Default City]:beijing #地区名字
Organization Name (eg, company) [Default Company Ltd]:huanqiu #公司名
Organizational Unit Name (eg, section) []:Technology #部门
Common Name (eg, your name or your server's hostname) []:huanqiu #CA主机名
Email Address []:wangshibo@xqshijie.cn #邮箱

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456 #证书请求密钥,CA读取证书的时候需要输入密码
An optional company name []:huanqiu #-公司名称,CA读取证书的时候需要输入名称

[root@linux-node1 ssl]# ls
aoshiwei.com.csr aoshiwei.com.key

[root@linux-node1 ssl]# cp aoshiwei.com.key aoshiwei.com.key.bak
[root@linux-node1 ssl]# openssl rsa -in aoshiwei.com.key.bak -out aoshiwei.com.key
Enter pass phrase for aoshiwei.com.key.bak: #输入123456
writing RSA key
[root@linux-node1 ssl]# openssl x509 -req -days 365 -in aoshiwei.com.csr -signkey aoshiwei.com.key -out aoshiwei.com.crt
Signature ok
subject=/C=cn/ST=beijing/L=beijing/O=huanqiu/OU=Technology/CN=huanqiu/emailAddress=wangshibo@xqshijie.cn
Getting Private key
[root@linux-node1 ssl]# ll
total 24
-rw-r--r-- 1 root root 960 Sep 12 16:01 aoshiwei.com.crt
-rw-r--r-- 1 root root 769 Sep 12 15:59 aoshiwei.com.csr
-rw-r--r-- 1 root root 887 Sep 12 16:01 aoshiwei.com.key

-rw-r--r-- 1 root root 963 Sep 12 16:01 aoshiwei.com.key.bak



location / {
proxy_redirect off;
proxy_set_header X-Real-IP $remote_addr; ##$http_x_real_ip
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $http_host;
proxy_pass http://wanbiao_pool$request_uri;
# proxy_pass https://wanbiao_pool;
# proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# proxy_set_header Host $host;
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# proxy_set_header X-Forwarded-Proto https;
# proxy_redirect off;
}

阅读更多
换一批

没有更多推荐了,返回首页