Configuring an HTTPS certificate site in Nginx
Views: 6962
Published: 2019-06-27


Prerequisites:

    1. openssl must be installed on the host.

    2. When nginx is compiled from source, it must be configured with --with-http_ssl_module (the SSL module).

Now the configuration. (When I did this, openssl was already installed on the host, but nginx had been built without the http_ssl_module, so a later step fails; that is covered in detail below.)

1. Generate the self-signed CA certificate

This key and certificate act as a private CA: they sign the server certificate in step 7. Note that without -days, openssl req -x509 issues a certificate valid for only 30 days, so the server certificate (365 days in step 7) would outlive its own CA; add something like -days 3650 here.

```
[root@localhost /]# openssl req -new -x509 -keyout /root/ca.key -out /root/ca.crt
Generating a 2048 bit RSA private key
.............................+++
.......................................................................................................................+++
writing new private key to '/root/ca.key'
Enter PEM pass phrase:           # enter a passphrase to protect the CA key
Verifying - Enter PEM pass phrase:       # confirm the passphrase
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:xian
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:learn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:learner
Email Address []:ying@126.com
```

Press Enter to finish.

2. Edit the configuration file openssl.cnf (back it up first)

Only the [ CA_default ] section matters here. Because step 7 passes -cert and -keyfile on the command line, the certificate and private_key values in the file are overridden; what openssl ca really reads from here are dir, database, serial and new_certs_dir.

```
[root@localhost /]# vi /etc/pki/tls/openssl.cnf
####################################################################
[ ca ]
default_ca      = CA_default            # The default ca section

####################################################################
[ CA_default ]

dir             = /etc/pki/CA           # Where everything is kept   <- the CA root directory; remember it
certs           = $dir/certs            # Where the issued certs are kept
crl_dir         = $dir/crl              # Where the issued crl are kept
database        = $dir/index.txt        # database index file.
#unique_subject = no                    # Set to 'no' to allow creation of
                                        # several ctificates with same subject.
new_certs_dir   = $dir/newcerts         # default place for new certs.

certificate     = $dir/ca.crt           # The CA certificate   <- changed here: the certificate used for signing
serial          = $dir/serial           # The current serial number
crlnumber       = $dir/crlnumber        # the current crl number
                                        # must be commented out to leave a V1 CRL
crl             = $dir/crl.pem          # The current CRL
private_key     = $dir/private/cakey.pem# The private key
RANDFILE        = $dir/private/.rand    # private random number file
```

3. Copy the certificate into the CA root directory /etc/pki/CA, create the empty files index.txt and serial there, and write "01" into serial

openssl ca refuses to run if index.txt or serial is missing; serial is the next serial number it will issue.

```
[root@localhost ~]# cd /etc/pki/CA/
[root@localhost CA]# cp /root/ca.crt .
[root@localhost CA]# ls
ca.crt  certs  crl  newcerts  private
[root@localhost CA]# touch index.txt
[root@localhost CA]# touch serial
[root@localhost CA]# echo "01" >serial
```

4. Generate the server RSA private key /root/server.key

The post uses a 1024-bit key. That is below today's accepted minimum and current TLS stacks may refuse it; use 2048 (or larger) in practice, i.e. replace the trailing 1024 with 2048.

```
[root@localhost ~]# openssl genrsa -des3 -out /root/server.key 1024
Generating RSA private key, 1024 bit long modulus
.............++++++
.++++++
e is 65537 (0x10001)
Enter pass phrase for /root/server.key: # set a passphrase for this key
Verifying - Enter pass phrase for /root/server.key: # confirm the passphrase
```

5. Strip the passphrase from the private key

The output is still the private key, just unencrypted (not a public key as the original heading said). nginx needs it in this form so it can start without a prompt; the alternative is to keep the encrypted key and point nginx at the passphrase with ssl_password_file (nginx 1.7.3+). Either way, restrict the file: chmod 600 and owned by root.

```
[root@localhost ~]# openssl rsa -in /root/server.key -out /root/server_nopwd.key
Enter pass phrase for /root/server.key: # passphrase set in step 4
writing RSA key
```

6. Generate the certificate signing request /root/server.csr

With the default policy_match section in openssl.cnf, countryName, stateOrProvinceName and organizationName must be identical to the CA certificate or openssl ca rejects the request in step 7; the other fields may differ. Common Name should be the hostname clients will use to reach the server (here "learner" is just a label). The challenge password is not used anywhere in this setup and can be left blank.

```
[root@localhost ~]# openssl req -new -key /root/server.key -out /root/server.csr
Enter pass phrase for /root/server.key:  # passphrase set in step 4
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
--------C, ST and O below must match the CA certificate from step 1-------------
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:xian
Locality Name (eg, city) [Default City]:xian
Organization Name (eg, company) [Default Company Ltd]:learn
Organizational Unit Name (eg, section) []:it
Common Name (eg, your name or your server's hostname) []:learner
Email Address []:ying@126.com
----------------------------------------------------------------
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:111111
An optional company name []:learn
```

7. Sign the request /root/server.csr with the private CA certificate

Note the Subject in the output: the certificate carries no subjectAltName, and modern browsers ignore the Common Name and require a SAN for hostname matching, so this certificate will still fail hostname validation in a current browser even after ca.crt is trusted. Add a subjectAltName extension when issuing if browsers are the intended client.

```
[root@localhost ~]# openssl ca -in /root/server.csr -out /root/server.crt -cert /root/ca.crt -keyfile /root/ca.key -config /etc/pki/tls/openssl.cnf
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /root/ca.key: # passphrase of the CA key from step 1
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Nov 17 07:47:05 2016 GMT
            Not After : Nov 17 07:47:05 2017 GMT
        Subject:
            countryName               = CN
            stateOrProvinceName       = xian
            organizationName          = learn
            organizationalUnitName    = it
            commonName                = learner
            emailAddress              = ying@126.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                8A:70:77:B0:32:42:49:AF:85:AD:79:C3:36:1F:43:A5:C5:01:15:E2
            X509v3 Authority Key Identifier:
                keyid:83:10:7A:45:18:47:D2:27:F8:A0:81:C8:FE:A8:53:9A:1E:BC:D3:77

Certificate is to be certified until Nov 17 07:47:05 2017 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
```
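The whole issuance flow of steps 1 to 7, as a non-interactive shell script added here (it is not part of the original post). It keeps the post's DN values but fixes the points noted above: 2048-bit keys, a CA that outlives the leaf certificate, a subjectAltName, and an explicit check that the chain verifies and the key matches the certificate. It signs with openssl x509 -req instead of openssl ca, so no openssl.cnf, index.txt or serial bookkeeping is needed. The working directory and the hostname learner.example are assumptions; openssl must be on PATH.

```shell
#!/bin/sh
# Added example: build a private CA, issue a server certificate with a SAN,
# and verify the result. Not the original post's commands.
set -eu

# make_pki DIR HOST: writes ca.key/ca.crt and server.key/server.crt into DIR.
make_pki() {
  dir="$1"     # working directory (assumed, e.g. /tmp/pki)
  host="$2"    # hostname clients will connect to; goes into CN and SAN
  mkdir -p "$dir"

  # Step 1 equivalent: CA key + self-signed CA cert. -nodes leaves the key
  # unencrypted so this can run unattended; file permissions protect it instead.
  # -days 3650 so the CA does not expire before the 365-day leaf below.
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 3650 \
    -subj "/C=CN/ST=xian/L=xian/O=learn/OU=it/CN=learn-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null

  # Steps 4-6 equivalent: 2048-bit server key (not 1024) and a CSR whose
  # C/ST/O match the CA, as policy_match would require.
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" \
    -subj "/C=CN/ST=xian/L=xian/O=learn/OU=it/CN=$host" \
    -out "$dir/server.csr" 2>/dev/null

  # Leaf-certificate extensions: not a CA, server auth only, SAN for browsers.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$host" > "$dir/server.ext"

  # Step 7 equivalent: sign with the CA. -CAcreateserial keeps a serial file
  # next to ca.crt instead of the openssl ca database.
  openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/server.ext" \
    -out "$dir/server.crt" 2>/dev/null

  chmod 600 "$dir/ca.key" "$dir/server.key"
}

# check_pki DIR HOST: returns 0 only if server.crt chains to ca.crt, the
# private key matches the certificate, and the SAN contains HOST.
check_pki() {
  dir="$1"
  host="$2"
  openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
  # Key/cert match: compare the SubjectPublicKeyInfo from both files.
  certpub=$(openssl x509 -in "$dir/server.crt" -noout -pubkey)
  keypub=$(openssl pkey -in "$dir/server.key" -pubout)
  [ "$certpub" = "$keypub" ] || return 1
  openssl x509 -in "$dir/server.crt" -noout -text | grep -q "DNS:$host" || return 1
  return 0
}

# Usage (paths assumed):
#   make_pki /tmp/pki learner.example && check_pki /tmp/pki learner.example && echo OK
```

The resulting server.crt and server.key are what ssl_certificate and ssl_certificate_key in step 8 point at; ca.crt is what you import into the client's trust store.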

8. Edit the nginx configuration file /usr/local/nginx/conf/nginx.conf

server_name takes a hostname (or IP) only; the port belongs to listen, and a name with ":8001" appended would never match an incoming Host header. The original also had "ssl on;", which is redundant once listen carries the ssl parameter and has been deprecated since nginx 1.15.0, so it is dropped here.

```
server {
    listen       8001 ssl;
    server_name  x.x.x.x;                      # hostname or IP only, no port

    ssl_certificate     /root/server.crt;      # certificate issued in step 7
    ssl_certificate_key /root/server_nopwd.key; # unencrypted key from step 5 (mode 0600)

    location / {
        root   /var/www/html;
        index  index.html index.htm;
    }
}
```

9. Reload the service

```
[root@localhost sbin]# ./nginx -s reload
```

Done: open https://x.x.x.x:8001/ from a client. The browser will warn because the CA from step 1 is not in its trust store; import /root/ca.crt as a trusted root on the client (or test with curl --cacert /root/ca.crt, or openssl s_client -connect x.x.x.x:8001 -CAfile /root/ca.crt) to get a clean verification.
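A hardened version of the server block from step 8, added here as an example rather than the post's own configuration. It assumes the certificate and key have been moved out of /root into /etc/nginx/ssl/ (nginx's master process reads them as root before dropping privileges, so nothing else needs access) and that the server is reachable as learner.example; adjust both to match what the certificate actually contains.

```nginx
# Added example: TLS-only server block with the settings the post's config lacks.
server {
    listen       8001 ssl;           # "ssl on;" is unnecessary here and deprecated since 1.15.0
    server_name  learner.example;    # hostname only, no port; must match the cert's SAN/CN

    # Files moved out of /root (assumed path); key is root-owned, mode 0600.
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server_nopwd.key;

    # Protocol and cipher floor. TLSv1.3 needs nginx >= 1.13 and OpenSSL >= 1.1.1;
    # with the nginx 1.10.2 / OpenSSL 1.0.1e shown later in this post, stay on TLSv1.2.
    ssl_protocols             TLSv1.2;
    ssl_ciphers               HIGH:!aNULL:!MD5:!RC4:!3DES;
    ssl_prefer_server_ciphers on;

    # Session cache shared across workers so resumption works after a reload.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        root   /var/www/html;
        index  index.html index.htm;
    }
}
```

Run /usr/local/nginx/sbin/nginx -t after editing; an unknown protocol token (for example TLSv1.3 on 1.10.2) fails there rather than at runtime.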

Because nginx had been built without the http_ssl_module, the reload failed with: nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in /usr/local/ng.........

So nginx has to be recompiled with the missing module.

 

Rebuilding nginx to add a module

1. Locate the nginx source root (the directory the tarball was unpacked into). If it is gone, download the source again and unpack it; use the same version that the installed binary reports, otherwise you are upgrading nginx as well as adding a module.

```
[root@localhost /]# cd software
[root@localhost software]# ls
nginx-1.10.2  nginx-1.10.2.tar.gz
```

 

2. Check the nginx version and its configure arguments

nginx -V writes to stderr, so add 2>&1 if you want to pipe or grep it. Keep the "configure arguments:" line; step 4 must repeat every flag in it.

```
/usr/local/nginx/sbin/nginx -V
```

 

3. Enter the nginx source directory

```
[root@localhost software]# cd nginx-1.10.2
```

 

4. Re-run configure with the existing flags plus the new module

The line below is what the post used. If step 2 showed other flags (extra modules, --user, --sbin-path and so on), append them here as well; whatever is omitted is dropped from the new binary.

```
[root@localhost nginx-1.10.2]# ./configure --prefix=/usr/local/nginx --with-http_ssl_module
```

 

5. Run make (do NOT run make install, which would overwrite the installation). When make finishes, a new nginx binary appears in /software/nginx-1.10.2/objs; that is the rebuilt program.

6. Back up the old nginx binary

```
[root@localhost ~]# cd /usr/local/nginx/sbin/
[root@localhost sbin]# ls
nginx
[root@localhost sbin]# cp nginx nginx_back_by_zhang20161117
[root@localhost sbin]# ls
nginx  nginx_back_by_zhang20161117
```

7. Remove the old binary and copy the new one into /usr/local/nginx/sbin/

Removing the file while nginx is running is safe on Linux: the running master keeps its open copy until it exits.

```
[root@localhost sbin]# rm nginx
rm: remove regular file "nginx"? y
[root@localhost sbin]# cp /software/nginx-1.10.2/objs/nginx /usr/local/nginx/sbin/
```

8. Test the new binary against the configuration

```
[root@localhost sbin]# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful
```

9. Graceful reload (optional)

A reload only makes the running master re-read the configuration and respawn workers; the master process is still the old binary, so the new module is not in use until step 11.

```
[root@localhost sbin]# /usr/local/nginx/sbin/nginx -s reload
```

10. Confirm the module is compiled in (optional)

This runs the binary on disk, so it reports the new flags even while the old master is still running.

```
[root@localhost sbin]# /usr/local/nginx/sbin/nginx -V
nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
built with OpenSSL 1.0.1e-fips 11 Feb 2013
TLS SNI support enabled
configure arguments: --prefix=/usr/local/nginx --with-http_ssl_module
```

11. Restart

quit followed by start swaps in the new binary but drops the listener for a moment; on a production box, nginx's binary upgrade (USR2 to the old master, then WINCH/QUIT) does the same without downtime.

```
[root@localhost sbin]# ./nginx -s quit
[root@localhost sbin]# ./nginx
```

nginx has been rebuilt with the new module.
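Steps 2 and 4 above are where a rebuild usually goes wrong: running ./configure with only --prefix and --with-http_ssl_module silently drops every other module the old binary was built with. The helper below, added here and not from the original post, pulls the "configure arguments:" line out of nginx -V output and appends --with-http_ssl_module only when it is missing, so the new binary is a superset of the old one. The nginx -V text embedded in it is a constructed sample.

```shell
#!/bin/sh
# Added example: derive the configure line for a rebuild from `nginx -V`.
set -eu

# Constructed sample of `nginx -V` output (real nginx prints this on stderr).
SAMPLE_V='nginx version: nginx/1.10.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-4) (GCC)
configure arguments: --prefix=/usr/local/nginx --with-http_stub_status_module'

# ssl_configure_args "<nginx -V output>": prints the existing configure
# arguments with --with-http_ssl_module appended if it is not already there.
# An empty or missing "configure arguments:" line yields just the ssl flag.
ssl_configure_args() {
  args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: //p')
  case " $args " in
    *" --with-http_ssl_module "*) printf '%s\n' "$args" ;;
    *) printf '%s\n' "${args:+$args }--with-http_ssl_module" ;;
  esac
}

# binary_has_ssl /path/to/nginx: 0 if that binary was built with the ssl module.
# Use it on objs/nginx after make, before copying it over the old binary.
binary_has_ssl() {
  "$1" -V 2>&1 | grep -q -- '--with-http_ssl_module'
}

# Usage in the source directory (paths assumed):
#   ./configure $(ssl_configure_args "$(/usr/local/nginx/sbin/nginx -V 2>&1)") && make
#   binary_has_ssl objs/nginx && echo "ssl module present"
```

The word-splitting in the usage line is intentional: configure arguments that contain spaces (quoted --with-cc-opt values, for example) would need to be re-quoted by hand.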

 

Apache HTTPS configuration reference: http://ask.apelearn.com/question/1029

Reprinted from: http://aczsl.baihongyu.com/
