PS:内部测试使用 openssl 生成的自签名证书即可;生产环境需要使用受信任 CA 签发的证书(需购买)。
[root@VM-16-15-centos ~]# cd /usr/local/nginx/
[root@VM-16-15-centos nginx]# mkdir ssl
[root@VM-16-15-centos nginx]# cd ssl/
[root@VM-16-15-centos ssl]# openssl genrsa -des3 -out admin.key 2048
Generating RSA private key, 2048 bit long modulus
..................+++
........................................................................................................+++
e is 65537 (0x10001)
Enter pass phrase for admin.key: [123456]
Verifying - Enter pass phrase for admin.key: [123456]
[root@VM-16-15-centos ssl]# openssl req -new -key admin.key -out admin.csr
Enter pass phrase for admin.key: [123456]
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
#正常需要依次输入国家、地区、城市、组织、组织单位等信息,此处为内网测试用,直接全部回车即可;注意 Common Name 留空后证书中不含主机名,客户端无法做主机名校验,仅适合测试。
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
[root@VM-16-15-centos ssl]# openssl rsa -in admin.key -out admin.key
Enter pass phrase for admin.key: [123456]
writing RSA key
[root@VM-16-15-centos ssl]# openssl x509 -req -days 365 -in admin.csr -signkey admin.key -out admin.crt
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting Private key
PS:有些服务需要 .pem 后缀的证书文件才能正常加载;admin.crt 本身已是 PEM 编码,下面的命令只是另存一份 .pem 文件。
[root@VM-16-15-centos ssl]# openssl x509 -in admin.crt -out admin.pem -outform PEM
[root@VM-16-15-centos ssl]# ls
admin.crt admin.csr admin.key admin.pem
[root@VM-16-15-centos ~]# cd /usr/local/nginx/conf/
[root@VM-16-15-centos conf]# vim nginx.conf
......
#在配置文件中找到 HTTPS 段落,去掉注释,并将证书路径指向创建好的 SSL 证书;
# HTTPS server
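server {
    # TLS listener for the test site; the certificate is self-signed, so
    # clients will not trust it unless it is imported manually.
    listen       443 ssl;
    server_name  localhost;

    ssl_certificate      /usr/local/nginx/ssl/admin.pem;
    # The pass phrase was stripped from admin.key earlier, so the key sits
    # on disk unencrypted: keep the file readable only by the account that
    # starts nginx.
    ssl_certificate_key  /usr/local/nginx/ssl/admin.key;

    # Pin the protocol versions instead of relying on build defaults, which
    # on older nginx releases still allow TLS 1.0/1.1. TLSv1.3 needs
    # nginx 1.13.0+ built against OpenSSL 1.1.1+; drop it on older builds.
    ssl_protocols  TLSv1.2 TLSv1.3;

    # Stock values from the sample nginx.conf, enabled rather than left
    # commented out: session reuse plus a cipher list without anonymous
    # or MD5-based suites.
    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        root   html;
        index  index.html index.htm index.php;
    }

    # NOTE(review): every URI ending in .php is handed to the backend,
    # whether or not such a file exists. If the scripts live on this host,
    # add `try_files $uri =404;` so only existing files reach PHP.
    location ~ \.php$ {
        root           html;
        # presumably the php-fpm listener; FastCGI has no authentication or
        # encryption, so limit access to port 9000 to this nginx host.
        fastcgi_pass   10.0.16.15:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}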
......
[root@VM-16-15-centos conf]# systemctl restart nginx
测试访问: