# 1、生成CA私钥
```
# Generate a 4096-bit RSA private key for the CA and write it to ca.key.
# No cipher option (e.g. -aes256) is given, so the key file is stored unencrypted;
# restrict its file permissions and keep it off the web server host if possible.
openssl genrsa -out ca.key 4096
```
# 2、生成CA证书请求
```
# Create a certificate signing request (ca.csr) for the CA from ca.key.
# openssl prompts interactively for the subject fields; the expected answers are listed below.
openssl req -new -key ca.key -out ca.csr
```
***CA 证书的 Common Name 与其他证书不同，其余字段保持相同***
> Country Name (2 letter code) [AU]: CN # 国家名称
State or Province Name (full name) [Some-State]: Hainan # 省
Locality Name (eg, city) []: Haikou # 市
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Probe ( Hai Nan ) Investment Co., Ltd. # 公司名称
Organizational Unit Name (eg, section) []: Probe Institute # 组织单位名称
Common Name (e.g. server FQDN or YOUR name) []: probe.cc # ca与其他证书不同
Email Address []:
# 3、生成ca证书
*ca证书有效期10年*
```
# Self-sign ca.csr with ca.key to produce the CA certificate ca.crt, valid for 3650 days (~10 years).
# -CAcreateserial is only consulted on the -CA signing path, so it has no effect in this
# self-signing form; it can be left in place or dropped.
# NOTE(review): no extensions (basicConstraints=CA:TRUE, keyUsage keyCertSign) are set here;
# verifiers that insist on them would need an -extfile — confirm against the clients in use.
openssl x509 -req -in ca.csr -out ca.crt -signkey ca.key -CAcreateserial -days 3650
```
# 4、生成server私钥
```
# Generate a 4096-bit RSA private key for the server and write it to server.key.
# As with ca.key, no cipher option is given, so the file is unencrypted; protect it with permissions.
openssl genrsa -out server.key 4096
```
# 5、生成server证书请求文件
```
# Create the server's certificate signing request (server.csr) from server.key.
# In the prompts below the Common Name is the service hostname (api.probe.cc), which must
# differ from the CA's Common Name.
openssl req -new -key server.key -out server.csr
```
> Country Name (2 letter code) [AU]: CN # 国家名称
State or Province Name (full name) [Some-State]: Hainan # 省
Locality Name (eg, city) []: Haikou # 市
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Probe ( Hai Nan ) Investment Co., Ltd. # 公司名称
Organizational Unit Name (eg, section) []: Probe Institute # 组织单位名称
Common Name (e.g. server FQDN or YOUR name) []: api.probe.cc # 与ca不同,双向认证接口域名
Email Address []:
# 6、生成server证书
*server证书有效期10年*
```
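# Issue server.crt by signing server.csr with the CA (ca.crt / ca.key), valid for 3650 days (~10 years).
# "-signkey server.key" was removed from the original command: given together with -CA it makes
# openssl x509 self-sign the certificate with server.key instead of issuing it from the CA
# (OpenSSL 1.x takes the -signkey path before the -CA path; on 3.x the flag is at best redundant),
# so the resulting server.crt would not chain to ca.crt and would not pass ssl_verify_client.
# -CAcreateserial creates the ca.srl serial file on first use so issued serial numbers stay unique.
# NOTE(review): no subjectAltName is set; browsers that ignore the CN for hostname matching will
# warn for api.probe.cc — consider adding -extfile with subjectAltName=DNS:api.probe.cc.
openssl x509 -req -in server.csr -out server.crt -CA ca.crt -CAkey ca.key -CAcreateserial -days 3650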
```
# 7、生成p12格式证书
```
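# Bundle server.crt and server.key into a PKCS#12 file (server.p12) for import into a browser.
# The original line used U+2013 en dashes ("–export") instead of ASCII "-"; openssl does not
# recognise those as options and fails, so they are replaced with plain hyphens here.
# -clcerts includes only the leaf certificate (not ca.crt). openssl prompts for an export
# password that protects the private key inside the bundle.
# NOTE(review): this reuses the server's certificate and key as the browser's client identity;
# a separate client key/certificate issued by the same CA keeps the server key off end-user machines.
openssl pkcs12 -export -clcerts -in server.crt -inkey server.key -out server.p12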
```
# 8、nginx 配置
```
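server {
    # Terminate TLS on port 443. "listen ... ssl" replaces the deprecated "ssl on;" directive,
    # which newer nginx releases no longer accept.
    listen 443 ssl;
    server_name api.probe.cc;

    ssl_certificate /etc/nginx/keys/server.crt;        # server certificate location
    ssl_certificate_key /etc/nginx/keys/server.key;    # server private key location
    ssl_client_certificate /etc/nginx/keys/ca.crt;     # mutual TLS: CA that issued the client certificates
    ssl_verify_client on;                              # mutual TLS: require and verify a client certificate

    ssl_session_timeout 5m;
    # SSLv2 and SSLv3 were dropped from the original list: both are broken (e.g. POODLE) and
    # current clients do not negotiate them. TLSv1 and TLSv1.1 are also deprecated (RFC 8996)
    # and can be removed once no legacy clients need them.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;    # cipher suite list
    ssl_prefer_server_ciphers on;

    root html;
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }
}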
```
# 9、安装p12证书
导出 server.p12 文件，并在浏览器中安装。略