1. openssl genrsa -out ca.key 4096
  3. openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
  5. openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt
  7. server.conf
  9. openssl genrsa -out server.key 2048
  11. openssl req -new -sha256 -out server.csr -key server.key -config server.conf
  13. openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt -extensions req_ext -extfile server.conf
  1. server {
  2.         listen       443 ssl;
  3.         server_name  localhost;
  4.         root    D:\websocketd-0.3.0-windows_amd64;
  5.         ssl_certificate      server.crt;
  6.         ssl_certificate_key  server.key;
  7.         ssl_session_cache    shared:SSL:1m;
  8.         ssl_session_timeout  5m;
  9.         ssl_ciphers  HIGH:!aNULL:!MD5;
  10.         ssl_prefer_server_ciphers  on;
  11.         location / {
  12.           index  index.html index.htm;
  13.           }
  14.         }

1.生成CA根证书

1.1准备ca配置文件,创建ca.conf

  1. [ req ]
  2. default_bits       = 4096
  3. distinguished_name = req_distinguished_name
  5. [ req_distinguished_name ]
  6. countryName                 = CN
  7. countryName_default         = CN
  8. stateOrProvinceName         = Guagdogn
  9. stateOrProvinceName_default = Guagdogn
  10. localityName                = Guangzhou
  11. localityName_default        = Guangzhou
  12. organizationName            = AidenPC
  13. organizationName_default    = AidenPC
  14. commonName                  = Aiden
  15. commonName_max              = 64
  16. commonName_default          = CA

1.2生成ca秘钥ca.key

openssl genrsa -out ca.key 4096

1.3生成ca证书签发请求ca.csr

openssl req -new -sha256 -out ca.csr -key ca.key -config ca.conf
配置文件中已经有默认值了,shell交互时一路回车就行。

1.4生成ca根证书 ca.crt

openssl x509 -req -days 3650 -in ca.csr -signkey ca.key -out ca.crt

2.生成终端用户证书

准备配置文件,得到server.conf

  1. [ req ]
  2. default_bits = 2048
  3. distinguished_name = req_distinguished_name
  4. req_extensions = req_ext
  6. [ req_distinguished_name ]
  7. countryName = SAN
  8. countryName_default = CN
  9. stateOrProvinceName = Guangdong
  10. stateOrProvinceName_default = Guangdong
  11. localityName = Guangzhou
  12. localityName_default = Guangzhou
  13. organizationName = AidenPC
  14. organizationName_default = AidenPC
  15. commonName = Aiden
  16. commonName_max = 64
  17. commonName_default = localhost
  19. [ req_ext ]
  20. subjectAltName = @alt_names
  22. [alt_names]
  23. DNS.1 = 192.168.30.1
  24. DNS.2 = 192.168.30.1
  25. IP = 192.168.30.111

生成秘钥,得到server.key

openssl genrsa -out server.key 2048

生成证书签发请求,得到server.csr

openssl req -new -sha256 -out server.csr -key server.key -config server.conf

用CA证书生成终端用户证书,得到server.crt

openssl x509 -req -days 3650 -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt -extensions req_ext -extfile server.conf

3.Nginx配置

  1.     server {
  2.         listen       443 ssl;
  3.         server_name  localhost;
  4.         root    D:/Server/nginx-1.8.1;# Nginx根目录
  5.         ssl_certificate      server.crt;
  6.         ssl_certificate_key  server.key;
  7.         # ssl_session_cache    shared:SSL:1m;
  8.         ssl_session_timeout  5m;
  9.         ssl_ciphers  HIGH:!aNULL:!MD5;
  10.         ssl_prefer_server_ciphers  on;
  12.         # 代理1
  13.         location ~* ^/TaxHttpService/ {
  14.           proxy_pass http://localhost:9876;
  15.         }
  17.         # 代理2
  18.         location / {
  19.           proxy_pass https://10.201.36.2:8088;
  20.         }
  21.     }

把生成好的server.crt和server.key文件放在与nginx.conf同一目录下。

4.添加CA根证书

右键ca.crt安装,安装到“受信任的根证书颁发机构”(不然server.crt还是不受信任的)