openssl https证书

最简证书

openssl  genrsa -des3 -out server.key 1024  #生成私钥（key），设置密码openssl req -new -key server.key -out server.csr   # 生成requestcp server.key  server.key.oriopenssl rsa -in server.key.ori  -out server.key  #去除私钥密码（否则启动nginx等也需要输入密码）openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt #自签名公钥

nginx配置

server {        listen 443;        server_name www.abc.com;        root /var/www/;        autoindex on;        ssl on;        ssl_certificate     /etc/nginx/sslkey/server.crt;        ssl_certificate_key /etc/nginx/sslkey/server.key;        #access_log /var/log/nginx/www.abc.com-access.log main;        #error_log /var/log/nginx/www.abc.com-error.log warn;}

自建ca，签名，单向签名（不限客户端，验证服务端）

cat /etc/ssl/openssl.cnf 修改democa为openssl工作目录
工作目录下

touch index.txt serialchmod 666 index.txt serialecho 01 >  serialmkdir -p newcerts private

ca

openssl genrsa -des3 -out ./private/ca.key 2048    #自建ca keyopenssl req -x509 -new -days 3650 -key ./private/ca.key  -out ca.crt  # ca信息与证书

server

openssl genrsa -out ./server/server.key 1024openssl req -new -key ./server/server.key  -out ./server/server.csropenssl ca -in ./server/server.csr -cert ./ca.crt -keyfile ./private/ca.key -out ./server/server.crt -days 3650  #用ca签名

[二] 不关联目录，签名
openssl x509 -req -sha256 -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt