Replace your.domain in the following commands and configuration with your own domain name.
1 Generate ca.key
openssl genrsa -des3 -out ca.key 2048
Enter a passphrase for ca.key (at least 4 characters).
2 Generate ca.crt
openssl req -new -x509 -days 7305 -key ca.key -out ca.crt
Enter the ca.key passphrase.
At the prompt "Common Name (eg, your name or your server's hostname) []", enter your.domain.
3 Generate your.domain.pem
openssl genrsa -des3 -out your.domain.pem 2048
Enter a passphrase for your.domain.pem (at least 4 characters).
4 Generate your.domain.key
openssl rsa -in your.domain.pem -out your.domain.key
Enter the your.domain.pem passphrase.
5 Generate your.domain.csr
openssl req -new -key your.domain.pem -out your.domain.csr
Enter the your.domain.pem passphrase.
At the prompt "Common Name (eg, your name or your server's hostname) []", enter your.domain.
6 Generate your.domain.crt
openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in your.domain.csr -out your.domain.crt
Enter the ca.key passphrase.
This last step may fail with the following error:
/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139707575097232:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139707575097232:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
Fix:
# touch /etc/pki/CA/index.txt
7 Configure the certificate in nginx
server {
    listen 443 ssl;
    server_name your.domain;
    ssl_certificate /etc/nginx/conf.d/ssl/your.domain.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/your.domain.key;
}
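
The script below is an added example, not part of the original page: it runs steps 1-6 unattended and then checks that the certificate and key are fit to be referenced from the nginx configuration above. The function names issue_cert and check_cert are hypothetical.
Assumptions: keys are unencrypted and 2048-bit; the CA gets its own made-up Common Name ("Example Test CA"), since a server certificate whose subject is identical to its issuer's is treated as self-signed during verification; a subjectAltName is added because current browsers match the hostname against it rather than the Common Name; and openssl x509 -req stands in for openssl ca so that /etc/pki/CA is not needed.

```shell
#!/bin/sh
# Added example (not from the original page). Assumed: unencrypted 2048-bit keys,
# a separate CA name, "openssl x509 -req" in place of "openssl ca".
# Typical call: issue_cert your.domain ./ssl && check_cert your.domain ./ssl

issue_cert() (                      # usage: issue_cert <domain> <output-dir>
    domain=$1
    mkdir -p "$2" && cd "$2" || exit 1
    umask 077                       # key files readable by their owner only

    # Steps 1-2: CA key and self-signed CA certificate
    openssl genrsa -out ca.key 2048 2>/dev/null || exit 1
    openssl req -new -x509 -days 7305 -key ca.key -out ca.crt \
        -subj "/CN=Example Test CA" || exit 1

    # Steps 3-5: server key and CSR with Common Name = domain
    openssl genrsa -out "$domain.key" 2048 2>/dev/null || exit 1
    openssl req -new -key "$domain.key" -out "$domain.csr" \
        -subj "/CN=$domain" || exit 1

    # Step 6: sign the CSR with the CA and add the subjectAltName
    printf 'subjectAltName=DNS:%s\n' "$domain" > san.ext
    openssl x509 -req -in "$domain.csr" -CA ca.crt -CAkey ca.key \
        -CAcreateserial -days 1460 -sha256 -extfile san.ext \
        -out "$domain.crt" 2>/dev/null || exit 1
)

check_cert() (                      # usage: check_cert <domain> <dir>
    cd "$2" || exit 1
    # 1. The certificate must chain to ca.crt
    openssl verify -CAfile ca.crt "$1.crt" >/dev/null 2>&1 || exit 1
    # 2. Certificate and key must hold the same public key,
    #    otherwise nginx refuses to load the pair
    c=$(openssl x509 -in "$1.crt" -noout -pubkey | openssl sha256)
    k=$(openssl pkey -in "$1.key" -pubout 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ] || exit 1
    # 3. The domain must appear in subjectAltName
    openssl x509 -in "$1.crt" -noout -text | grep -qF "DNS:$1" || exit 1
)
```

check_cert exits non-zero if any of the three checks fails, so it can gate a copy into /etc/nginx/conf.d/ssl/ and a reload.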