确认系统中是否已安装openssl工具,没有就安装
yum install openssl openssl-devel -y
确认/etc/pki/CA目录下是否有以下文件,没有则自行创建
mkdir -pv /etc/pki/CA/{certs,crl,newcerts,private}
touch /etc/pki/CA/{serial,index.txt}
指定证书编号
cd /etc/pki/CA
echo 01 >> serial
生成CA私钥
umask 077; openssl genrsa -out /etc/pki/CA/private/cakey.pem 4096
根据私钥生成CA证书
openssl req -new -x509 -key /etc/pki/CA/private/cakey.pem -out /etc/pki/CA/cacert.pem -days 3650
生成服务端证书
生成服务端私钥
创建要给存放服务端证书文件的目录
mkdir ./https && cd ./https
openssl genrsa -out https.pem 4096
生成服务端证书请求
# 查看证书信息
openssl x509 -in /etc/pki/CA/cacert.pem -noout -subject
# 生成证书请求
openssl req -new -key https.pem -out https.csr -days 365 -subj "/C=cn/ST=beijingshi/L=beijingshi/O=Default Company Ltd/OU=navysummer/CN=navysummer.top/emailAddress=navysummer@yeah.net"
生成服务端证书
openssl ca -in https.csr -out https.crt -days 365
Nginx上添加配置
ssl_certificate https.crt;
ssl_certificate_key https.key;