生成CA私钥
[root@client03 ~]#cd /etc/pki/CA/ ---------------进入CA目录 [root@client03 CA]#(umask 077; openssl genrsa -out private/ca.key 2048)----------生成私钥,可以生成2048或者1024位
Generating RSA private key, 2048 bit long modulus .............................................................. .......................... e is 65537 (0x10001)
生成 CA 的证书
[root@client03 CA]#openssl req -new -x509 -key private/ca.key -out cacert.crt -days 3650
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. Country Name (2 letter code) [XX]: CN ##国家的名字 State or Province Name (full name) []:BJ ##你所在的省份 Locality Name (eg, city) [Default City]: BJ ##你所在的城市 Organization Name (eg, company) [Default Company Ltd]: maiya ##你的组织机构名(公司名) Organizational Unit Name (eg, section) []: jiaoxue Common Name (eg, your name or your server's hostname) []: ca.maiya.com ##域名 Email Address []:
生成Nginx 的私钥、申请文件、CA颁发证书
生成Nginx私钥:
[root@client03 ~]#cd /etc/nginx/ [root@client03 nginx]#mkdir ssl [root@client03 nginx]#cd ssl/ [root@client03 ssl]# (umask 077; openssl genrsa -out nginx.key 2048)
Generating RSA private key, 2048 bit long modulus ............ ................................................. e is 65537 (0x10001)
[root@client03 ssl]# ls ---------------------生成nginx私钥 nginx.key
生成申请文件
[root@client03 ssl]# openssl req -new -key nginx.key -out nginx.csr
You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, ##If you enter '.', the field will be left blank. Country Name (2 letter code) [XX]:CN State or Province Name (full name) []:BJ Locality Name (eg, city) [Default City]:BJ Organization Name (eg, company) [Default Company Ltd]:maiya Organizational Unit Name (eg, section) []:jiaoxue Common Name (eg, your name or your server's hostname) []:web.maiya.com Email Address []: Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: An optional company name []:
[root@client03 ssl]# ls nginx.csr nginx.key
向CA提交申请文件
[root@client03 ssl]# cp nginx.csr /etc/pki/CA/
CA颁发证书
[root@client03 ssl]# cd /etc/pki/CA/ [root@client03 CA]# openssl ca -in nginx.csr -out nginx.crt -days 365
将证书绑定在Nginx上
在nginx的配置文件添加如下内容:
server { listen 443 ssl http2 default_server; server_name web.maiya.com; root /usr/share/nginx/html; ssl_certificate "/etc/nginx/ssl/nginx.crt"; ssl_certificate_key "/etc/nginx/ssl/nginx.key"; ssl_session_cache shared:SSL:1m; ssl_session_timeout 10m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; }
