openssl ?genrsa -des3 -out server.key 1024 ?#生成私钥(key),设置密码openssl req -new -key server.key -out server.csr ??# 生成requestcp server.key ?server.key.oriopenssl rsa -in server.key.ori ?-out server.key ?#去除私钥密码(否则启动nginx等也需要输入密码)openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt #自签名公钥nginx配置
server { ???????listen 443; ???????server_name www.abc.com; ???????root /var/www/; ???????autoindex on; ???????ssl on; ???????ssl_certificate ????/etc/nginx/sslkey/server.crt; ???????ssl_certificate_key /etc/nginx/sslkey/server.key; ???????#access_log /var/log/nginx/www.abc.com-access.log main; ???????#error_log /var/log/nginx/www.abc.com-error.log warn;}?
自建ca,签名,单向签名(不限客户端,验证服务端)
cat /etc/ssl/openssl.cnf 修改democa为openssl工作目录
工作目录下
touch index.txt serialchmod 666 index.txt serialecho 01 > ?serialmkdir -p newcerts privateca
openssl genrsa -des3 -out ./private/ca.key 2048 ???#自建ca keyopenssl req -x509 -new -days 3650 -key ./private/ca.key ?-out ca.crt ?# ca信息与证书server
openssl genrsa -out ./server/server.key 1024openssl req -new -key ./server/server.key ?-out ./server/server.csropenssl ca -in ./server/server.csr -cert ./ca.crt -keyfile ./private/ca.key -out ./server/server.crt -days 3650 ?#用ca签名[二] 不关联目录,签名
openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
openssl https证书
原文地址:http://blog.51cto.com/13606158/2088956