[Reprint] can create a certificate using OpenSSL for https

To create a certificate that can be used by OpenSSL https

When it comes to meeting the security problem is simply to tinker a bit with nginx or after forwarding a bit better. 

Https://blog.csdn.net/joyous/article/details/80659925 

I am here to test to verify with the arm of the machine is not what is the problem.

 

Personal certificates also made fun of it, the browser is not recognized, there would have been a red security alert, but only to realize I was not the issue encrypted connection.

And Tencent Ali clouds and cloud has a single one-year free domain certificate can be used normally, the browser will not appear red "unsafe" warning, but green "safe" prompt.

The following is a self-generated certificate process.

Download OpenSSL

http://www.slproweb.com/products/Win32OpenSSL.html
here to download the openssl win64 version, and install it.

OpenSSL set up the environment

Set system environment variables
SET OPENSSL_CONF = C: /OpenSSL-Win64/bin/openssl.cfg
SET path = C: \ the OpenSSL-Win64 \ bin;% path%;

The first time you use to create the directory "newcerts"
C: \ OpenSSL-the Win32 \ bin \ PEM \ demoCA \ newcerts

create an empty file "serial" (no extension)
C: \ OpenSSL-the Win32 \ bin \ PEM \ demoCA \ Serial
 

Production CA certificate

Enter the directory C: \ OpenSSL-Win64 \ bin \ PEM

Ca.key CA private key generated
OpenSSL genrsa--out in ca.key 4096

the CA private key to decrypt the production (typically no such necessary)
OpenSSL RSA -IN in ca.key -out ca_decrypted.key

generating ca.crt CA root certificate (public key ):
OpenSSL REQ -new -key ca.key-x509--days 7304 -out ca.crt

production certificate generation site and use CA-signed certificate
beginning step if the CA certificate already exists or would like to follow, you can directly from this.

Certificate private key is generated:
OpenSSL genrsa -out server.pem 4096

certificate private key to decrypt the production:
OpenSSL rsa -IN server.pem -out server.key

generate Signing Request:
OpenSSL REQ -new -key server.pem -out Server. csr

fill in the common name in this domain, such as blog.creke.net to generate a certificate for the site, but can also use domain names such as Pan * .creke.net to generate a site certificate available to all second-level domain.
Signed with CA:

openssl ca -policy policy_anything -days 3652 -cert ca.crt -keyfile ca.key -in server.csr -out server.crt

Production process

Nginx configuration

以下是 Nginx 启用的部分配置，需要设置 ssl_certificate 和 ssl_certificate_key 指定证书和公钥，并且 listen 443，然后重新启动 Nginx，浏览器就可以用的 https://yourhost 的方式网页了。

 

转载自：
http://blog.creke.net/762.html

相关文章

 

 

http://www.cnblogs.com/gsls200808/p/4502044.html