linux下生成https证书

一、证书和私钥的生成

1.创建服务器证书密钥文件 server.key：
openssl genrsa -des3 -out server.key 2048
输入密码，确认密码，自己随便定义，但是要记住，后面会用到。
2.创建服务器证书的申请文件 server.csr
openssl req -new -key server.key -out server.csr
输出内容为：
Enter pass phrase for root.key: ← 输入前面创建的密码
Country Name (2 letter code) [AU]:CN ← 国家代号，中国输入CN
State or Province Name (full name) [Some-State]:BeiJing ← 省的全名，拼音
Locality Name (eg, city) []:BeiJing ← 市的全名，拼音
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名
Organizational Unit Name (eg, section) []: ← 可以不输入
Common Name (eg, YOUR name) []: ← 输入域名，如：iot.conet.com
Email Address []:[email protected] ← 电子邮箱，可随意填
Please enter the following ‘extra’ attributes
to be sent with your certificate request
A challenge password []: ← 可以不输入
An optional company name []: ← 可以不输入
4.备份一份服务器密钥文件
cp server.key server.key.org
5.去除文件口令
openssl rsa -in server.key.org -out server.key
6.生成证书文件server.crt
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

二、配置证书

server {
    listen       443  ssl;
    listen       80;  #内网端口
    server_name  portal1;

    ssl_certificate        conf.d/key/server.crt;
    ssl_certificate_key    conf.d/key/server.key;

    ssl_session_cache    shared:SSL:1m;
    ssl_session_timeout  5m;

    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;
    
    large_client_header_buffers 4 16k;
    client_body_buffer_size 128k;
    proxy_connect_timeout 600;
    proxy_read_timeout 600;
    proxy_send_timeout 600;
    proxy_buffer_size 64k;
    proxy_buffers   4 32k;
    proxy_busy_buffers_size 64k;
    proxy_temp_file_write_size 64k;

    proxy_set_header    Host                     $host:$server_port; #保留代理之前的host
    proxy_set_header    X-Real-IP                $remote_addr; #保留代理之前的真实客户端ip
    proxy_set_header    X-Forwarded-For          $proxy_add_x_forwarded_for;
    proxy_set_header    HTTP_X_FORWARDED_FOR     $remote_addr; #在多级代理的情况下，记录每次代理之前的客户端真实ip

    client_max_body_size 10m; #上传文件大小限制
    add_header X-Frame-Options SAMEORIGIN; #X-Frame-Options 低危漏洞

    proxy_intercept_errors on;
    recursive_error_pages on;
    server_tokens       off; #错误页面隐藏版本号

参考：https://www.cnblogs.com/dreasky/p/13497210.html

三、生成pem数字证书

openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout privkey.pem -out cacert.pem -days 3650

有了privkey.pem和cacert.pem文件后就可以在自己的程序中使用了, 如在nginx中使用

server {
    listen       443 ssl;
    server_name  www.a.com;

    charset utf-8;
    #access_log  /var/log/nginx/host.access.log  main;
    
    
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;
    ssl_certificate     /etc/nginx/cacert.pem;
    ssl_certificate_key /etc/nginx/privkey.pem;
    ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on; 
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    
    add_header Access-Control-Allow-Origin *;
    add_header Access-Control-Allow-Methods *;
    add_header Access-Control-Allow-Headers *;
    add_header Access-Control-Allow-Credentials true;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    # location / {
    #     proxy_pass   http://xxx:8081/a;
    #     proxy_redirect off;
    #     proxy_set_header Host $host;
    #     proxy_set_header X-Real-IP $remote_addr;
    #     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # }
    
    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }
}

参考：openssl生成pem数字证书_who7708的博客-CSDN博客 

四、openssl生成key和pem文件

openssl genrsa > cert.key
openssl req -new -x509 -key cert.key > cert.pem