使用openssl生成ssl（https）证书

openssl生成证书

[nginx@machina key]$ pwd
/app/nginx/key

1. 生成私钥
   openssl genrsa -out server.key 2048
2. 生成证书请求
   openssl req -new -key server.key -out server.csr
3. 填入信息

   [nginx@machina key]$ openssl req -new -key server.key -out server.csrYou are about to be asked to enter information that will be incorporatedinto your certificate request.What you are about to enter is what is called a Distinguished Name or a DN.There are quite a few fields but you can leave some blankFor some fields there will be a default value,If you enter '.', the field will be left blank.-----Country Name (2 letter code) [XX]:cnState or Province Name (full name) []:gdLocality Name (eg, city) [Default City]:gzOrganization Name (eg, company) [Default Company Ltd]:aiOrganizational Unit Name (eg, section) []:aiCommon Name (eg, your name or your server's hostname) []:112.96.28.206Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[nginx@machina key]$
[nginx@machina key]$ ls
old server.csr server.key

4. 备份一份服务器密钥文件cp server.key server.key.org5. 去除文件口令openssl rsa -in server.key.org -out server.key6. 生成证书文件server.crtopenssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

[nginx@machina key]$ openssl rsa -in server.key.org -out server.key
writing RSA key
[nginx@machina key]$
[nginx@machina key]$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
Signature ok
subject=/C=cn/ST=gd/L=gz/O=ai/OU=ai/CN=112.96.28.206
Getting Private key

一般只需三步：1. openssl genrsa -out server.key 20482. openssl req -new -key server.key -out server.csr3. openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt关于密码：openssl genrsa -out server.key 2048    不需要密码。openssl genrsa -des3 -out server.key 2048    需要密码。https://www.jianshu.com/p/9523d888cf77关于域名：用openssl，域名可以不输；用keystore，必须输入。