?
//生成ca 私钥
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt
//生成ca证书
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
//生成server 私钥和证书请求文件
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
#创建v3.ext文件
authorityKeyIdentifier = keyid, issuer
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = test.cn //使用是ip 则使用IP.1=xxxx
//使用ca 签发server
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext
?
#nginx配置
# HTTP_TO_HTTPS_END
#ssl_password_file /etc/nginx/conf.d/openssl/global.pass;
ssl_certificate /etc/nginx/conf.d/openssl/server.crt;
ssl_certificate_key /etc/nginx/conf.d/openssl/server.key;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
error_page 497 https://$host$request_uri;
# SSL-END
chrome 导入ca.crt
|