//生成ca 私钥 openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.crt //生成ca证书 openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key //生成server 私钥和证书请求文件 openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key
#创建v3.ext文件 authorityKeyIdentifier = keyid, issuer basicConstraints = CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment subjectAltName = @alt_names [alt_names] DNS.1 = test.cn //使用是ip 则使用IP.1=xxxx
//使用ca 签发server openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 3650 -sha256 -extfile v3.ext
#nginx配置 # HTTP_TO_HTTPS_END #ssl_password_file /etc/nginx/conf.d/openssl/global.pass; ssl_certificate /etc/nginx/conf.d/openssl/server.crt; ssl_certificate_key /etc/nginx/conf.d/openssl/server.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; error_page 497 https://$host$request_uri; # SSL-END
chrome 导入ca.crt
