- 创建一个私钥
openssl genrsa -des3 -out server.key 2048
注意:这一步需要输入私钥,否则会提示:You must type in 4 to 1023 characters
- 生成 CSR
openssl req -new -key server.key -out server.csr
注意:Common Name 要输入域名
- 删除私钥中的密码, 有利于自动化部署
openssl rsa -in server.key -out server.key
- 生成自签名证书
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
- 生成 PEM 格式的证书
openssl x509 -in server.crt -out server.pem -outform PEM
注意:server.crt和server.pem是等价的
6.nginx配置文件
server {
listen 80;
server_name baidu.com;
# return 301 https://baidu.com;
# return 301 https://$host$request_uri;
rewrite ^(.*)$ https://baidu.com permanent;
}
server {
listen 443 ssl;
server_name baidu.com;
keepalive_timeout 70;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers AES128-SHA:AES256-SHA:RC4-SHA:DES-CBC3-SHA:RC4-MD5;
ssl_certificate /home/bigdata/csr/server.pem;
ssl_certificate_key /home/bigdata/csr/server.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
location / {
alias html/;
index index.html;
}
}