OpenSSL An open source toolkit for the Transport Layer Security (TLS) protocol, formerly known as the Secure Sockets Layer protocol.
Risks of Self-Signed SSL Certificates
Self-signed SSL certificates are not trusted by browsers. Even if a website has a self-signed SSL certificate installed, the browser will continue to pop up warnings when users visit.
For the security of the website, please stop using self-signed SSL certificates, and recommend using free and secure SSL certificates provided by trusted CA institutions.
generation steps
Generate private key via openssl
openssl genrsa -out server.key 1024
Generate a certificate application file csr based on the private key
openssl req -new -key server.key -out server.csr
This step will prompt you to add some information, Common Name can enter: *.yourdomain.com, this way to generate a wildcard domain name certificate.
Generate a certificate by signing the certificate request with the private key
openssl x509 -req -in server.csr -out server.crt -signkey server.key -days 3650
➜ ssl ls
server.crt server.csr server.key
In this way, a self-signed certificate valid for 10 years is generated, and it can be installed on the service. If you use Nginx:
server {
listen 443 ssl http2;
server_name youdomain.com;
root /data/dist/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
ssl_certificate "/etc/nginx/ssl/server.crt";
ssl_certificate_key "/etc/nginx/ssl/server.key";
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
}
Go to the browser to view, it prompts:
So, go directly to the CA agency to issue the certificate.