1,https证书生成
# 生成密钥server.key,需要输入密码pass openssl genrsa -des3 -out server.key 2048 # 去除server.key中的密码,防止以后重复输入 openssl rsa -in server.key -out server.key # 创建服务器证书的申请文件server.csr openssl req -new -key server.key -out server.csr # 创建CA证书 ca.crt openssl req -new -x509 -key server.key -out ca.crt -days 3650 # 创建自当前日期起有效期为期十年的服务器证书server.crt openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
2,nginx配置
server { listen 443; server_name www.server.com; ssl on; ssl_certificate /path/to/server.crt;#配置证书位置 ssl_certificate_key /path/to/server.key;#配置秘钥位置 #ssl_client_certificate ca.crt;#双向认证 #ssl_verify_client on; #双向认证 ssl_session_timeout 5m; ssl_protocols SSLv2 SSLv3 TLSv1; ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; ssl_prefer_server_ciphers on; location / { root html; index index.html index.htm; } }