1. 创建一个私钥
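# Generate a 2048-bit RSA private key; openssl prompts for a passphrase.
# The key is encrypted with AES-256 instead of the legacy 3DES (-des3).
openssl genrsa -aes256 -out server.key 2048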
2. 生成 CSR(证书签名请求),其中 Common Name 一项要填写域名
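# Create the CSR from the private key; the subject fields are entered
# interactively. -sha256 pins the request's signature digest, since older
# OpenSSL releases may default to SHA-1.
openssl req -new -sha256 -key server.key -out server.csr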
3. 删除私钥中的密码,有利于自动化部署(nginx 启动时无需人工输入密码)。注意:去掉密码后私钥以明文保存在磁盘上,应把文件权限限制为仅属主可读写(例如 chmod 600 server.key)。
# Read the passphrase-protected key and write it back to the same path.
# No cipher option is given, so the output key is written unencrypted.
openssl rsa -in server.key -out server.key
4. 生成自签名证书(有效期 365 天)。自签名证书默认不被浏览器和客户端信任,只适合测试或内部环境。
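# Self-sign the CSR with its own key (-signkey); valid for 365 days.
# -sha256 pins the certificate's signature digest, since older OpenSSL
# releases may default to SHA-1.
openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt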
5. 生成 PEM 格式的证书
# Re-encode the certificate as PEM into server.pem.
# openssl x509 reads and writes PEM by default, so server.crt from the
# previous step is already PEM and server.pem carries the same certificate.
openssl x509 -in server.crt -out server.pem -outform PEM
6. nginx 配置
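server {
    # Plain-HTTP listener; it exists only to send clients to the HTTPS site.
    listen 80;
    server_name baidu.com;

    # Permanent redirect that keeps the requested path and query string, so
    # deep links do not all land on the home page.
    # The host is hard-coded rather than taken from $host, so the redirect
    # target never depends on the client-supplied Host header.
    return 301 https://baidu.com$request_uri;
}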
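server {
    # HTTPS virtual host for baidu.com.
    listen 443 ssl;
    server_name baidu.com;
    keepalive_timeout 70;

    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer only TLS 1.2 and 1.3.
    # NOTE(review): TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
    # drop it from this line on older builds.
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret (ECDHE) AEAD suites only. RC4, 3DES and MD5-based suites
    # are deliberately left out: they are broken or deprecated.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;

    # Certificate and private key produced by the openssl steps.
    # The key file has no passphrase, so keep it readable only by its owner.
    ssl_certificate /home/bigdata/csr/server.pem;
    ssl_certificate_key /home/bigdata/csr/server.key;

    # Session cache shared between worker processes; sessions are kept for
    # 10 minutes.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # Static content from html/, with index.html as the directory index.
    location / {
        alias html/;
        index index.html;
    }
}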