Nginx生成自定义证书

1、创建存放证书的目录，此目录可自定义
cd /usr/local/nginx/conf/cret
mkdir key
cd key

先安装依赖包

yum -y install porc-devel zlib-devel popt-devel openssl-devel openssl

创建nginx用户

useradd -M -s /sbin/nologin nginx

2、执行命令生成一个key
openssl genrsa -des3 -out ssl.key 4096

Generating RSA private key, 1024 bit long modulus
....++++++
...........++++++
e is 65537 (0x10001)
Enter pass phrase for server.key: ####输入密码
Verifying - Enter pass phrase for server.key: ####再次输入密码

###grnrsa生成证书 ####ssl.key证书的名字 ####4096字节

 

 

然后会要求你输入这个key文件密码。这里不推荐输入。因为以后要给nginx使用。每次reload nginx配置的时候都要你验证这个PAM密码。
由于生成时候必须输入密码，你可以输入后在删掉。

mv ssl.key xxx.key
openssl rsa -in xxx.key -out ssl.key
rm xxx.key

3、根据这个key文件生成证书请求文件
openssl req -new -key ssl.key -out ssl.csr

 

Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:BJ ##哪个国家
State or Province Name (full name) []:BJ ##哪个市区
Locality Name (eg, city) [Default City]:BJ ##默认城市
Organization Name (eg, company) [Default Company Ltd]:BDGJ ##公司名称
Organizational Unit Name (eg, section) []:IT ##单位名称
Common Name (eg, your name or your server's hostname) []:www.benet.com ##服务器主机名等
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

其他默认回车

 

 

4、最后根据这2个文件（ssl.key ssl.csr）生成crt证书文件
openssl x509 -req -days 3650 -in ssl.csr -signkey ssl.key -out ssl.crt

 

 

这里365是证书有效期，推荐3650。这个大家随意。最后使用到的文件是key和crt文件。

5、在需要使用证书的nginx配置文件的server节点里加入一下配置就可以了。
server {

listen 8082 ssl;
server_name localhost;

ssl_certificate cert/ssl.crt;
ssl_certificate_key cert/ssl.key;
ssl_session_timeout 30m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!3DES:!ADH:!RC4:!DH:!DHE;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;

location / {
...
}

 

 

 

 

 

 

接下来就可以正常启动了

6、重启nginx就大功告成了