最簡證書
openssl genrsa -des3 -out server.key 1024 #生成私鑰(key),設置密碼
openssl req -new -key server.key -out server.csr # 生成request
cp server.key server.key.ori
openssl rsa -in server.key.ori -out server.key #去除私鑰密碼(否則啓動nginx等也需要輸入密碼)
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt #自簽名公鑰nginx配置
server {
listen 443;
server_name www.abc.com;
root /var/www/;
autoindex on;
ssl on;
ssl_certificate /etc/nginx/sslkey/server.crt;
ssl_certificate_key /etc/nginx/sslkey/server.key;
#access_log /var/log/nginx/www.abc.com-access.log main;
#error_log /var/log/nginx/www.abc.com-error.log warn;
}
自建ca,簽名,單向簽名(不限客戶端,驗證服務端)
cat /etc/ssl/openssl.cnf 修改democa爲openssl工作目錄
工作目錄下
touch index.txt serial
chmod 666 index.txt serial
echo 01 > serial
mkdir -p newcerts privateca
openssl genrsa -des3 -out ./private/ca.key 2048 #自建ca key
openssl req -x509 -new -days 3650 -key ./private/ca.key -out ca.crt # ca信息與證書server
openssl genrsa -out ./server/server.key 1024
openssl req -new -key ./server/server.key -out ./server/server.csr
openssl ca -in ./server/server.csr -cert ./ca.crt -keyfile ./private/ca.key -out ./server/server.crt -days 3650 #用ca簽名[二] 不關聯目錄,簽名
openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
