First, make sure nginx http_ssl_module module is installed by executing nginx -V see if this module is installed, usually by nginx installed by default with this module.
Second, after the above steps to ensure a successful installation, configuration certificate and private key.
key is the private key openssl grid, usually rsa algorithm.
csr is the certificate request file, the application for a certificate. In the production csr file, you must use your own private key to sign the application, you can also set a key.
crt after the CA certificate text, (windows below, in fact crt), signed in his own key to the certificate signed by you.
1.key generation
Command: openssl genrsa -des3 -out server.key 2048
so rsa private key is generated, DES3 algorithm, OpenSSL format, 2,048 strength. server.key is key file name. To generate such a key, it requires at least a four-digit password. Without a password key may be generated by the following method:
Command: OpenSSL rsa -IN server.key -out server.key
server.key is no version of the password, we use this version.
2. Generate a crt CA
Command: openssl req -new -x509 -key server.key -out ca.crt -days 3650
generated ca.crt file is used to sign the following server.csr file.
3. csr generation method
Command: openssl req -new -key server.key -out server.csr
need to turn the importing country, region, organization, email. most important thing is to have a common name, you can write your name or domain name. If the application for https, the domain name must be consistent, otherwise it will lead to browser alerts. After generating the csr file server to the CA signing your own certificate form.
4. crt Generation
CSR file must have CA signed certificate before the formation, this file can be sent to other places verisign validated by it, to pay a lot of money, why not do it yourself CA it.
Command: openssl x509 -req -days 3650 -in server.csr -CA ca.crt -CAkey server.key -CAcreateserial -out server.crt
enter key key, completion of certificate generation. -CA option is indicated for csr certificate is signed, -CAkey options indicated for key signature, -CAserial indicates the serial number of files, and automatically generated -CAcreateserial specified file does not exist.
Finally generate the private key: server.key and their own SSL certificate authentication: server.crt
Certificate of merger:
Command: cat server.key server.crt> server.pem
Third, configure nginx:
1. A method
Configuration /etc/nginx/conf.d/https.conf
80 access services are forcibly redirected to port 443.
2. Method Two
Two configuration file, / etc / nginx / conf.d / http.conf and /etc/nginx/conf.d/https.conf
The method and the same effect can be achieved.