Reference materials:
http://www.cnblogs.com/lihuang/articles/4205540.html
http://blog.csdn.net/wuwo333/article/details/53020403
1. Generate the private key: get the .key file
> openssl genrsa -des3 -out fanyc.cn.key 2048
Description: generate an RSA private key of 2048-bit strength; -des3 encrypts the key file with 3DES under a passphrase you are prompted for, and fanyc.cn.key is the key file name.
2. Generate CSR (Certificate Signing Request): get the .csr file
> openssl req -new -key fanyc.cn.key -out fanyc.cn.csr
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:JiangSu
Locality Name (eg, city) [Default City]:NanJing
Organization Name (eg, company) [Default Company Ltd]:SskGroup
Organizational Unit Name (eg, section) []:Ssk
Common Name (eg, your name or your server's hostname) []:*.fanyc.cn
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Description: you are prompted in turn for the country, state or province, city, organization, organizational unit, Common Name and email address; the challenge password and optional company name can be left empty.
The Common Name must match the domain name the server is reached at; for a wildcard certificate it is *.fanyc.cn. Note that a wildcard matches one label only (www.fanyc.cn, api.fanyc.cn) and does not cover the bare fanyc.cn.
3. Remove the passphrase from the private key: otherwise the passphrase has to be typed every time Nginx starts, which is a nuisance, and a reload did not appear to restart the process either.
> cp fanyc.cn.key fanyc.cn.key.org
> openssl rsa -in fanyc.cn.key.org -out fanyc.cn.key
Description: the original encrypted key is kept as fanyc.cn.key.org; the new fanyc.cn.key is written in plaintext, so it must be readable only by root (the Nginx master process runs as root and reads it at startup) and must not be copied to shared or world-readable locations.
4. Generate a self-signed certificate: get the *.crt file
> openssl x509 -sha256 -req -days 3650 -in fanyc.cn.csr -signkey fanyc.cn.key -out fanyc.cn.crt
Description: -sha256: sign with SHA-256 (SHA-1 signatures are no longer accepted by browsers)
-days 3650: the certificate is valid for 3650 days (10 years)
-signkey: sign the request with its own private key, i.e. self-signed. A certificate produced this way carries only the Common Name and no subjectAltName extension; current browsers ignore the CN and require a SAN, so expect a warning or outright rejection unless you add one with -extfile.
5. Generate the .pfx (PKCS#12) certificate bundle used by Windows
> openssl pkcs12 -export -out fanyc.cn.pfx -inkey fanyc.cn.key -in fanyc.cn.crt
6. Nginx server configuration
server {
    listen 443 ssl;
    server_name www.fanyc.cn;
    ssl on;
    ssl_certificate /etc/nginx/ca/fanyc.cn.crt;
    ssl_certificate_key /etc/nginx/ca/fanyc.cn.key;
    location /appname {
        proxy_pass http://<intranet address>:<intranet port>/<application name>;
    }
}
Description: replace the placeholders in proxy_pass with the intranet address, port and application path. `ssl on;` is redundant once `listen 443 ssl;` is present (the directive was deprecated in Nginx 1.15.0 and can simply be dropped). ssl_certificate_key points at the plaintext key from step 3, which is why that file needs restrictive permissions.
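The whole procedure in steps 1 to 5, as an added example that is not part of the original post: one non-interactive function that generates the encrypted key, the CSR, the plaintext key copy, the self-signed certificate and the .pfx, plus two checks a practitioner wants before pointing Nginx at the files. Compared with the steps above it passes the subject on the command line instead of answering prompts, and it adds a subjectAltName via -extfile so the wildcard is accepted by browsers. The passphrase "changeit", the export password "export", the extfile name san.cnf and the subject fields are assumed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): steps 1-5 as one function.
# Constructed values: passphrase "changeit", export password "export",
# extfile san.cnf; the subject fields mirror the prompts shown above.
set -eu

# make_selfsigned_cert DOMAIN OUTDIR [DAYS]
# Writes OUTDIR/DOMAIN.key.org (passphrase-protected), DOMAIN.key (plaintext,
# owner-only permissions), DOMAIN.csr, DOMAIN.crt and DOMAIN.pfx.
make_selfsigned_cert() {
    domain=$1; out=$2; days=${3:-3650}
    mkdir -p "$out"
    enc="$out/$domain.key.org"; key="$out/$domain.key"
    csr="$out/$domain.csr"; crt="$out/$domain.crt"; pfx="$out/$domain.pfx"
    ext="$out/san.cnf"
    pass="pass:changeit"        # constructed passphrase for the demo only

    # Step 1: 2048-bit RSA key, 3DES-encrypted with the passphrase.
    openssl genrsa -des3 -passout "$pass" -out "$enc" 2048 2>/dev/null
    # Step 2: CSR; -subj replaces the interactive prompts shown above.
    openssl req -new -key "$enc" -passin "$pass" -out "$csr" \
        -subj "/C=CN/ST=JiangSu/L=NanJing/O=SskGroup/OU=Ssk/CN=*.$domain"
    # Step 3: strip the passphrase so Nginx starts unattended. The copy is
    # plaintext, so it is created readable by the owner only.
    old_umask=$(umask); umask 077
    openssl rsa -in "$enc" -passin "$pass" -out "$key" 2>/dev/null
    umask "$old_umask"
    # Step 4: self-sign with SHA-256. The extfile adds subjectAltName with the
    # wildcard and the bare domain; browsers ignore the CN and need this.
    printf 'subjectAltName=DNS:*.%s,DNS:%s\n' "$domain" "$domain" > "$ext"
    openssl x509 -sha256 -req -days "$days" -in "$csr" -signkey "$key" \
        -extfile "$ext" -out "$crt" 2>/dev/null
    # Step 5: PKCS#12 bundle for Windows (export password constructed here).
    openssl pkcs12 -export -out "$pfx" -inkey "$key" -in "$crt" -passout pass:export
}

# cert_matches_key CRT KEY: succeeds when the certificate's RSA modulus equals
# the key's, i.e. the pair Nginx will load actually belongs together.
cert_matches_key() {
    [ "$(openssl x509 -noout -modulus -in "$1")" = \
      "$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)" ]
}

# cert_has_san CRT NAME: succeeds when NAME is listed in subjectAltName.
# -text is used rather than -ext so it also works on OpenSSL 1.0.x.
cert_has_san() {
    openssl x509 -noout -text -in "$1" | grep -qF "DNS:$2"
}

# Usage: make_selfsigned_cert fanyc.cn /etc/nginx/ca
#        cert_matches_key /etc/nginx/ca/fanyc.cn.crt /etc/nginx/ca/fanyc.cn.key
```

Run cert_matches_key after any key rotation: Nginx refuses to start when the certificate and key do not match, and this check gives a clearer answer than the error log. The -extfile line is the only thing a CA-issued certificate would not need from you; everything else is identical to the manual steps.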
Current server Nginx version
nginx version: nginx/1.10.1
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib64/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-http_auth_request_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_perl_module=dynamic --add-dynamic-module=njs-1c50334fbea6/nginx --with-threads --with-stream --with-stream_ssl_module --with-http_slice_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --with-http_v2_module --with-cc-opt='-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic'
At this point the server is configured and the site can be reached over HTTPS; because the certificate is self-signed, browsers will show a trust warning until the .crt (or the .pfx on Windows) is imported into the client's trust store.