# You must make sure OpenSSL is installed on the server; this prints the version and build
# details so you can confirm the binary every command below relies on is actually present.
openssl version -a
# 成为CA颁发机构
---生成私钥(会让你设置密码)
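# Generate the CA private key, encrypted with a passphrase (you will be prompted for it).
# -aes256 replaces the original -des3: 3DES is a legacy cipher and a poor choice for protecting
# a key that will be trusted for ten years. The subshell's umask 077 makes the key file
# owner-readable only from the moment it is created, without changing the umask of your shell.
(umask 077; openssl genrsa -aes256 -out myCA.key 2048)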
---消除key的密码（可选且不推荐：去掉口令后，任何能读到 myCA.key 的人都能签发被所有信任了 myCA.pem 的客户端接受的证书；后面的 req / x509 命令在需要时会提示输入口令，并不要求去掉口令）
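# OPTIONAL and NOT recommended for a CA key: rewrites myCA.key in place without its passphrase.
# Anyone who can read the unencrypted file can then issue certificates that every client
# trusting myCA.pem will accept. The `req -x509` and `x509 -req -CAkey` steps below simply
# prompt for the passphrase, so stripping it is not required. If you do strip it, at least
# keep the file readable by the owner only.
openssl rsa -in myCA.key -out myCA.key && chmod 600 myCA.key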
---生成pem文件
# Create the self-signed root certificate (PEM) from the CA key, valid for 10 years.
# With the default openssl.cnf, `req -x509` marks the certificate as a CA (basicConstraints
# CA:TRUE), which is what lets clients install it as a trust anchor. -nodes only affects a
# key generated by this command; since -key supplies an existing key it has no effect here.
# -utf8 makes the subject fields you type be read as UTF-8 (needed for non-ASCII names).
openssl req -utf8 -x509 -new -nodes -key myCA.key -sha256 -days 3650 -out myCA.pem
-加参数 -utf8 是因为 Subject 里的组织、城市等字段如果填中文，不加该参数会乱码
# 创建CA签名证书
---生成私钥
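# Generate the server's RSA private key. It is left unencrypted so nginx can load it at
# startup without a passphrase, which is exactly why the file must not be world-readable:
# the subshell's umask 077 creates it owner-readable only, without altering your shell's umask.
(umask 077; openssl genrsa -out server.key 2048)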
---创建证书签名请求
# Create the certificate signing request; the subject fields are prompted for interactively.
# Note: modern clients ignore the Common Name and only check subjectAltName, which is
# supplied later through server.ext, so the CN alone does not make the certificate valid.
openssl req -new -key server.key -out server.csr
---Common Name (e.g. server FQDN or YOUR name) []:192.168.0.162
注意: 由于是通过 IP 地址访问的，Common Name 填该 IP 即可。但现代浏览器和 TLS 客户端（Chrome 58 起以及各主流 TLS 库）只校验 subjectAltName 而忽略 Common Name，所以同一个 IP 还必须写进下面 server.ext 的 IP.1 中，否则仍会报证书与主机不匹配。
---为扩展创建一个配置文件
>server.ext cat <<-EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.baidu.com # Be sure to include the domain name here because Common Name is not so commonly honoured by itself
DNS.2 = www.sougou.com # Optionally, add additional domains (I've added a subdomain here)
IP.1 = https://abc.htmltoo.com/ # Optionally, add an IP address (if the connection which you have planned requires it)
EOF
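# Sign the CSR with the CA, producing server.crt (you are prompted for the CA key passphrase
# if myCA.key still has one). -CAcreateserial writes myCA.srl on first use so every issued
# certificate gets a distinct serial number. -extfile applies the SAN/EKU extensions from
# server.ext; without it the CSR's Common Name would be all the certificate carried.
# -days is the leaf validity in days. The original 3650 exceeds the 825-day maximum that
# Apple clients (iOS 13 / macOS 10.15 and later) enforce for TLS server certificates, which
# would make the certificate untrusted on those devices even with myCA.pem installed.
openssl x509 -req -in server.csr -CA myCA.pem -CAkey myCA.key -CAcreateserial -out server.crt -days 825 -sha256 -extfile server.ext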
# nginx项目配置文件
---找到.crt .key文件路径
# Path to the signed server certificate (adjust to wherever you stored the files).
ssl_certificate /Users/wxiangqian/ssl/server.crt;
# Path to the matching private key. The file is unencrypted, so it should be mode 0600 and
# owned by the user the nginx master runs as (typically root, which loads it at config time).
ssl_certificate_key /Users/wxiangqian/ssl/server.key;
---重启NGINX
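# Validate the configuration first -- this also loads the certificate and key and checks that
# they match -- so a wrong path or mismatched key is reported here instead of being silently
# rejected by the reload, which would leave nginx serving the old configuration.
nginx -t && nginx -s reload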