Uncle's Experience Sharing (103): Creating Your Own HTTPS Certificate

Replace your.domain in the commands and configuration below with your own domain name.

1 Generate ca.key

openssl genrsa -des3 -out ca.key 2048

Enter a passphrase for ca.key (at least 4 characters).

2 Generate ca.crt

openssl req -new -x509 -days 7305 -key ca.key -out ca.crt

Enter the ca.key passphrase.
At the prompt "Common Name (eg, your name or your server's hostname) []", enter your.domain.

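3 Generate your.domain.pem

openssl genrsa -des3 -out your.domain.pem 2048

Enter a passphrase for your.domain.pem (at least 4 characters).
The key is 2048 bits, matching ca.key: 1024-bit RSA is no longer considered adequate, and OpenSSL builds configured at security level 2 refuse such keys.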

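4 Generate your.domain.key

openssl rsa -in your.domain.pem -out your.domain.key

Enter the your.domain.pem passphrase.
This writes an unencrypted copy of the private key, which nginx can load without a passphrase, so restrict read access to the file.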

5 Generate your.domain.csr

openssl req -new -key your.domain.pem -out your.domain.csr

Enter the your.domain.pem passphrase.
At the prompt "Common Name (eg, your name or your server's hostname) []", enter your.domain.

6 Generate your.domain.crt

openssl ca -policy policy_anything -days 1460 -cert ca.crt -keyfile ca.key -in your.domain.csr -out your.domain.crt

Enter the ca.key passphrase.

This last step may fail with the following error:

/etc/pki/CA/index.txt: No such file or directory
unable to open '/etc/pki/CA/index.txt'
139707575097232:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/etc/pki/CA/index.txt','r')
139707575097232:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:

Fix: create the missing index file.

# touch /etc/pki/CA/index.txt

7 Configure the certificate in nginx

server {
    listen 443 ssl;
    server_name your.domain;

    ssl_certificate /etc/nginx/conf.d/ssl/your.domain.crt;
    ssl_certificate_key /etc/nginx/conf.d/ssl/your.domain.key;
}
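
The script below is an added example, not part of the original post: it checks the files from steps 1 to 6 before nginx is pointed at them (chain to ca.crt, key/certificate match, RSA key length, and a subjectAltName entry for the domain). The function names check_cert and make_demo, the demo file names and the throw-away CA are assumptions, and make_demo signs with `openssl x509 -req` rather than the `openssl ca` command used above.

```shell
#!/bin/sh
# Added example: pre-deployment checks for ca.crt, your.domain.crt, your.domain.key.

# check_cert CA_CRT SERVER_CRT SERVER_KEY DOMAIN -> status 0 only if all checks pass
check_cert() {
    ca=$1 crt=$2 key=$3 domain=$4 rc=0
    text=$(openssl x509 -in "$crt" -noout -text 2>/dev/null)
    # 1. The server certificate must verify against the private CA.
    openssl verify -CAfile "$ca" "$crt" 2>/dev/null | grep -q ': OK$' ||
        { echo "FAIL: $crt does not verify against $ca"; rc=1; }
    # 2. The key nginx loads must match the certificate's public key.
    a=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null | openssl sha256)
    b=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$a" = "$b" ] || { echo "FAIL: $key does not match $crt"; rc=1; }
    # 3. Assumes an RSA key, as in the article; require at least 2048 bits.
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge 2048 ] || { echo "FAIL: key is ${bits:-?} bits"; rc=1; }
    # 4. Browsers match the host name against subjectAltName, not Common Name.
    printf '%s\n' "$text" | tr ',' '\n' | tr -d ' ' | grep -Fxq "DNS:$domain" ||
        { echo "FAIL: no subjectAltName DNS entry for $domain"; rc=1; }
    return $rc
}

# make_demo DIR BITS SAN: constructed sample input (throw-away CA plus server
# certificate) so the checks can run offline. Hypothetical helper; it uses
# `openssl x509 -req` so no /etc/pki/CA database is needed.
make_demo() {
    d=$1
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' \
        '[v3_srv]' "subjectAltName=$3" > "$d/demo.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$d/demo.cnf" \
        -extensions v3_ca -subj '/CN=Demo Private CA' \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey "rsa:$2" -nodes -config "$d/demo.cnf" \
        -subj '/CN=your.domain' -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
    openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$d/demo.cnf" \
        -extensions v3_srv -out "$d/srv.crt" 2>/dev/null
}

# Demo run on constructed certificates.
tmp=$(mktemp -d) && make_demo "$tmp" 2048 DNS:your.domain &&
    check_cert "$tmp/ca.crt" "$tmp/srv.crt" "$tmp/srv.key" your.domain &&
    echo "all checks passed"
rm -rf "$tmp"
```

To check the files produced above, run `check_cert ca.crt your.domain.crt your.domain.key your.domain` in the directory that holds them.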

posted @ 2020-03-28 16:23  匠人先生