# 1. Generate the CA private key

```
openssl genrsa -out ca.key 4096
```

# 2. Generate the CA certificate request

```
openssl req -new -key ca.key -out ca.csr
```

***The CA's Common Name must differ from that of the other certificates; the remaining fields are the same.***

> Country Name (2 letter code) [AU]: CN # country
> State or Province Name (full name) [Some-State]: Hainan # province
> Locality Name (eg, city) []: Haikou # city
> Organization Name (eg, company) [Internet Widgits Pty Ltd]: Probe ( Hai Nan ) Investment Co., Ltd. # company name
> Organizational Unit Name (eg, section) []: Probe Institute # organizational unit
> Common Name (e.g. server FQDN or YOUR name) []: probe.cc # differs between the CA and the other certificates
> Email Address []:

# 3. Generate the CA certificate

*The CA certificate is valid for 10 years.*

```
openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -days 3650
```

# 4. Generate the server private key

```
openssl genrsa -out server.key 4096
```

# 5. Generate the server certificate request

```
openssl req -new -key server.key -out server.csr
```

> Country Name (2 letter code) [AU]: CN # country
> State or Province Name (full name) [Some-State]: Hainan # province
> Locality Name (eg, city) []: Haikou # city
> Organization Name (eg, company) [Internet Widgits Pty Ltd]: Probe ( Hai Nan ) Investment Co., Ltd. # company name
> Organizational Unit Name (eg, section) []: Probe Institute # organizational unit
> Common Name (e.g. server FQDN or YOUR name) []: api.probe.cc # differs from the CA: the domain of the mutually authenticated API
> Email Address []:

# 6. Generate the server certificate

*The server certificate is valid for 10 years.*

```
openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650
```

The server certificate is signed by the CA key (`-CA`/`-CAkey`), not by its own key. Adding `-signkey server.key` to this command makes OpenSSL produce a self-signed certificate instead, which does not chain to `ca.crt` and will fail client verification.

# 7. Generate a PKCS#12 (.p12) certificate bundle

```
openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12
```

# 8. nginx configuration

```
server {
    listen 443 ssl;
    server_name api.probe.cc;
    ssl_certificate /etc/nginx/keys/server.crt;          # server certificate
    ssl_certificate_key /etc/nginx/keys/server.key;      # server private key
    ssl_client_certificate /etc/nginx/keys/ca.crt;       # CA that client certificates must chain to (mutual authentication)
    ssl_verify_client on;                                # require a client certificate (mutual authentication)
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;                       # use these protocols only; SSLv2, SSLv3, TLS 1.0 and TLS 1.1 are obsolete
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;  # use this cipher suite list
    ssl_prefer_server_ciphers on;
    root html;
    index index.html;
    location / {
        try_files $uri $uri/ =404;
    }
}
```

# 9. Install the .p12 certificate

Export the server.p12 file and import it into the browser. (Details omitted.)
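Steps 1 through 7 above are typed interactively; the script below is an added example (not code from the original post) that runs the same CA, server and client certificate flow non-interactively, adds the X.509 v3 extensions a CA and its leaf certificates should carry, and finishes with the chain check that nginx's `ssl_verify_client on` performs on every handshake. It goes beyond the post in two ways: it issues a separate client certificate rather than reusing the server certificate in the browser, and it shows why `-signkey` must not appear in the CA-signed step. Assumptions: OpenSSL 1.1.1 or newer on PATH; `probe.cc`, `api.probe.cc` and the subject fields are the post's; the client name `probe-client`, the PKCS#12 password and the output directory are constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original post): steps 1-7 as a non-interactive
# script with proper v3 extensions, plus the chain check behind ssl_verify_client.
# Assumptions: openssl 1.1.1+ on PATH; probe.cc / api.probe.cc are the post's names;
# "probe-client", the password "changeit" and the output directory are constructed.
set -eu

KEY_BITS="${KEY_BITS:-4096}"
SUBJ_BASE="/C=CN/ST=Hainan/L=Haikou/O=Probe ( Hai Nan ) Investment Co., Ltd./OU=Probe Institute"

# write_ext ROLE FILE : extensions for one certificate role.
#   ca     - basicConstraints CA:TRUE + keyCertSign: a real CA, not merely a self-signed leaf
#   server - SAN for the API host (browsers ignore CN) + serverAuth
#   client - clientAuth only, so a client certificate cannot be reused as a server certificate
write_ext() {
    case "$1" in
        ca)     printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' ;;
        server) printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:api.probe.cc\n' ;;
        client) printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' ;;
        *)      echo "unknown role: $1" >&2; return 1 ;;
    esac > "$2"
}

# make_mtls_pki DIR : create ca.*, server.*, client.* and client.p12 under DIR.
make_mtls_pki() {
    d="$1"
    mkdir -p "$d"

    # Steps 1-3: CA key, CSR and self-signed CA certificate (10 years).
    openssl genrsa -out "$d/ca.key" "$KEY_BITS" 2>/dev/null
    openssl req -new -key "$d/ca.key" -out "$d/ca.csr" -subj "$SUBJ_BASE/CN=probe.cc"
    write_ext ca "$d/ca.ext"
    openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -out "$d/ca.crt" \
        -days 3650 -extfile "$d/ca.ext" 2>/dev/null

    # Steps 4-6 for the server, then the same for a separate client identity.
    # No -signkey here: -CA/-CAkey make the CA the signer, so the leaf chains to ca.crt.
    for role in server client; do
        case "$role" in
            server) cn=api.probe.cc ;;
            client) cn=probe-client ;;   # constructed client name
        esac
        openssl genrsa -out "$d/$role.key" "$KEY_BITS" 2>/dev/null
        openssl req -new -key "$d/$role.key" -out "$d/$role.csr" -subj "$SUBJ_BASE/CN=$cn"
        write_ext "$role" "$d/$role.ext"
        openssl x509 -req -in "$d/$role.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
            -out "$d/$role.crt" -days 3650 -extfile "$d/$role.ext" 2>/dev/null
    done

    # Step 7, applied to the client identity: PKCS#12 bundle for browser import.
    openssl pkcs12 -export -clcerts -in "$d/client.crt" -inkey "$d/client.key" \
        -out "$d/client.p12" -passout pass:changeit   # constructed example password
}

# make_selfsigned_leaf DIR : what step 6 yields if -signkey server.key is left in:
# a certificate signed with the server's own key, which does not chain to the CA.
make_selfsigned_leaf() {
    openssl x509 -req -in "$1/server.csr" -signkey "$1/server.key" -out "$1/rogue.crt" \
        -days 3650 -extfile "$1/server.ext" 2>/dev/null
}

# verify_chain CA_CRT LEAF_CRT PURPOSE : exit 0 if LEAF chains to CA and is valid
# for PURPOSE (sslserver|sslclient); this is the check behind ssl_verify_client on.
verify_chain() {
    openssl verify -CAfile "$1" -purpose "$3" "$2" >/dev/null 2>&1
}

# ./mtls_pki.sh run [DIR] : build the PKI and print the verification results.
if [ "${1:-}" = "run" ]; then
    out="${2:-./pki}"
    make_mtls_pki "$out"
    make_selfsigned_leaf "$out"
    verify_chain "$out/ca.crt" "$out/server.crt" sslserver && echo "server.crt: chains to CA"
    verify_chain "$out/ca.crt" "$out/client.crt" sslclient && echo "client.crt: chains to CA"
    verify_chain "$out/ca.crt" "$out/rogue.crt" sslserver || echo "rogue.crt: rejected (self-signed, not issued by CA)"
fi
```

Once `server.crt`/`server.key`/`ca.crt` are deployed in the nginx configuration of step 8, `curl --cacert ca.crt --cert client.crt --key client.key https://api.probe.cc/` completes the mutual handshake, while the same request without `--cert` is answered by nginx with `400 No required SSL certificate was sent`, which is the expected sign that `ssl_verify_client on` is in effect.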