1.3 由已生成的私钥生成证书请求文件 CSR。先用 openssl rsa 导出一份不带口令的私钥副本（后面 nginx 配置引用的就是这份 _nopwd.key，启动时无需交互输入口令；该副本不再受口令保护，需严格限制文件权限），再用 openssl req -new 生成 CSR： openssl rsa -in xn2.lqb.com -out xn2.lqb.com_nopwd.key
[root@Monitor ssl]# openssl rsa -in xn2.lqb.com -out xn2.lqb.com_nopwd.key
Enter pass phrase for xn2.lqb.com:
writing RSA key
[root@Monitor ssl]# openssl req -new -key xn2.lqb.com -out xn2.lqb.com.csr
Enter pass phrase for xn2.lqb.com:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:xn2.lqb.com
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:xn2.lqb.com
Email Address []:2223344@qq.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@Monitor ssl]# ls
xn2.lqb.com xn2.lqb.com.csr xn2.lqb.com_nopwd.key
1.4 证书请求文件 CSR 必须经 CA 签名才能形成证书，可以将此 CSR 发给 StartSSL（可免费）、VeriSign（一大笔钱）等机构由它们验证签发；也可以自己做 CA，自己给自己颁发证书。下面直接用私钥生成一个自签名证书（注意：该命令并不使用上面生成的 CSR；-days 3650 即十年有效期，生产环境宜缩短）：openssl req -new -x509 -days 3650 -key xn2.lqb.com -out xn2.lqb.com.crt
[root@Monitor ssl]# openssl req -new -x509 -days 3650 -key xn2.lqb.com -out xn2.lqb.com.crt
xn2.lqb.com xn2.lqb.com.csr xn2.lqb.com_nopwd.key
[root@Monitor ssl]# openssl req -new -x509 -days 3650 -key xn2.lqb.com_nopwd.key -out xn2.lqb.com.crt
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CN
State or Province Name (full name) [Some-State]:Shanghai
Locality Name (eg, city) []:shanghai
Organization Name (eg, company) [Internet Widgits Pty Ltd]:lqb.com
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:xn2.lqb.com
Email Address []:
[root@Monitor ssl]# ls
xn2.lqb.com xn2.lqb.com.crt xn2.lqb.com.csr xn2.lqb.com_nopwd.key
2. 查看 nginx 是否编译了 SSL 模块（configure arguments 中应包含 --with-http_ssl_module）
[root@Monitor ~]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.1
built by gcc 4.4.7 20120313 (Red Hat 4.4.7-17) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module --with-http_stub_status_module --with-pcre --with-http_realip_module --with-http_image_filter_module --with-debug
3.配置nginx虚拟主机文件
[root@Monitor ssl]#vim ../server.conf
server {
  # Plain-HTTP virtual host for xn2.lqb.com, serving static files from /html/xn2.
  listen 80;
  server_name xn2.lqb.com;
  root /html/xn2;

  # Redirect of all plain-HTTP requests to HTTPS, currently disabled.
  # (The original wrote the scheme as "https:"; it needs "https://" to be a valid URL.)
  # rewrite ^/(.*)$ https://xn3.lqb.com/$1 permanent;

  location /images/ {
    index index.html;
  }

  location / {
    index index.html;

    # Reverse-proxy / cache settings kept for reference; all of them are disabled.
    # proxy_cache mycache;
    # proxy_cache_valid 200 3h;
    # proxy_cache_valid 301 302 10m;
    # proxy_cache_valid all 1m;
    # proxy_cache_use_stale error timeout http_500 http_502 http_503;
    #
    # proxy_pass ;
    # proxy_set_header Host $host;
    # proxy_set_header X-Real-IP $remote_addr;
  }
}
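server {
  # HTTPS virtual host for xn2.lqb.com.
  # The "ssl" listen parameter replaces the older "ssl on;" directive; both are
  # accepted by the nginx 1.10.x shown above, but "ssl on;" is deprecated in newer releases.
  listen *:443 ssl;
  server_name xn2.lqb.com;

  # Self-signed certificate and the passphrase-free private key produced in step 1.
  # The key file is unencrypted, so it must be readable only by the user nginx
  # starts as (root here) — e.g. mode 0600 — and kept out of any web-served path.
  ssl_certificate /usr/local/nginx/conf/server/ssl/xn2.lqb.com.crt;
  ssl_certificate_key /usr/local/nginx/conf/server/ssl/xn2.lqb.com_nopwd.key;

  # Only offer TLS 1.2 (supported by the OpenSSL 1.0.1e this nginx was built with);
  # the built-in default is broader and still enables older protocol versions.
  ssl_protocols TLSv1.2;
  ssl_prefer_server_ciphers on;
  # ssl_session_timeout 5m;  # how long clients may reuse cached session parameters

  # NOTE(review): the HTTP vhost above uses /html/xn2; confirm which root is intended.
  root /html/xn3;

  location /images/ {
    index index.html;
  }

  location / {
    # "proxy_pass ;" with no URL is a configuration error (nginx -t rejects it);
    # the upstream address is missing from the page, so a labelled placeholder is used.
    proxy_pass http://UPSTREAM_PLACEHOLDER;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
  }
}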
4. 在浏览器查看访问记录