?一、生成服務器root證書

openssl genrsa -out root.key 2048
openssl req -new -key root.key -out root.csr#Country Name (2 letter code) [XX]:---> CN#Country Name (2 letter code) [XX]:---> CN#State or Province Name (full name) []:---> Shanghai#Locality Name (eg, city) [Default City]:---> Shanghai#Organization Name (eg, company) [Default Company Ltd]:---> kahn commpany#Organizational Unit Name (eg, section) []:---> xou#Common Name (eg, your name or your server's hostname) []:---> kahn.com#Email Address []:---> 37213690@qq.com#A challenge password []:---> 回車#An optional company name []:---> 回車
openssl x509 -req -days 3650 -in root.csr -signkey root.key -out root.crt

二、生成SSL服務器證書

openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr#Country Name (2 letter code) [XX]:---> CN#State or Province Name (full name) []:---> Shanghai#Locality Name (eg, city) [Default City]:---> Shanghai#Organization Name (eg, company) [Default Company Ltd]:---> kahn commpany#Organizational Unit Name (eg, section) []:---> xou#Common Name (eg, your name or your server's hostname) []:---> kahn.com#Email Address []:---> 37213690@qq.com#A challenge password []:---> 回車#An optional company name []:---> 回車
openssl x509 -req -in server.csr -CA root.crt -CAkey root.key -CAcreateserial -out server.crt -days 3650

#會生成如下6個文件，其中server.*用于nginx
root.crt ?root.csr ?root.key ?root.srl ?server.crt ?server.csr ?server.key

三、部署證書到nginx

下面是一個測試通過的nginx.conf內容

user  nginx nginx;
worker_processes  1;#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;#pid        logs/nginx.pid;events {worker_connections  1024;
}http {include       mime.types;default_type  application/octet-stream;#log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '#                  '$status $body_bytes_sent "$http_referer" '#                  '"$http_user_agent" "$http_x_forwarded_for"';#access_log  logs/access.log  main;sendfile        on;#tcp_nopush     on;#keepalive_timeout  0;keepalive_timeout  65;#gzip  on;server {listen       80;server_name  localhost;#charset koi8-r;#access_log  logs/host.access.log  main;location / {root   html;index  index.html index.htm;}#error_page  404              /404.html;# redirect server error pages to the static page /50x.html#error_page   500 502 503 504  /50x.html;location = /50x.html {root   html;}}# HTTPS serverserver {listen       443 ssl;server_name  kahn.com;ssl_certificate      ../ssl-certs/server.crt;ssl_certificate_key  ../ssl-certs/server.key;ssl_session_cache    shared:SSL:1m;ssl_session_timeout  5m;ssl_ciphers  HIGH:!aNULL:!MD5;ssl_prefer_server_ciphers  on;location / {alias /data/www/;index index.html index.htm;}}include ../conf.d/*.conf;
}

主要看? ? # HTTPS server
? ? server {
? ? ? ? listen ? ? ? 443 ssl;
? ? ? ? server_name ?x179.com;及以下內容。

值的注意的是，開啟https是在http{}區域內部，并且和其他server{}同級。

四、驗證ssl證書

openssl s_client -connect kahn.com:443