#-------------------------------------------------------- # 单向认证，就是传输的数据加密过了，但是不会校验客户端的来源 # 单项SSL连接，也就是只是客户端验证服务器证书 #-------------------------------------------------------- #创建存储路径 rm -rf /usr/local/nginx/ca.1way mkdir -p /usr/local/nginx/ca.1way/ cd /usr/local/nginx/ca.1way/ #建立服务器私钥（过程需要输入密码，请记住这个密码） 生成RSA密钥 /usr/local/openssl/bin/openssl genrsa -des3 -out server.key 2048 #------------------------------------------------------------------ Enter pass phrase for server.key: zhoulf123 Verifying - Enter pass phrase for server.key: zhoulf123 #------------------------------------------------------------------ #生成一个证书请求 /usr/local/openssl/bin/openssl req -new -key server.key -out server.csr #--------------------------------------------------------------------------------------------------------------- Enter pass phrase for server.key: zhoulf123 Country Name (2 letter code) [XX]: CN                                           #国家 State or Province Name (full name) []: BEIJING                                  #区域或是省份 Locality Name (eg, city) [Default City]: BEIJING                                #地区局部名字 Organization Name (eg, company) [Default Company Ltd]: Navinfo Co.,Ltd          #机构名称：填写公司名 Organizational Unit Name (eg, section) []: GIS                                  #组织单位名称:部门名称 Common Name (eg, your name or your server's hostname) []: vw.test.zhoulf.com    #网站域名 Email Address []: xxxxxx@163.com                                                #邮箱地址 A challenge password []:                                                        #输入一个密码 An optional company name []:                                                    #一个可选的公司名称 #--------------------------------------------------------------------------------------------------------------- #输入完这些内容，就会在当前目录生成server.csr文件 cp server.key server.key.org #对于使用上面的私钥启动具有SSL功能的NGINX /usr/local/openssl/bin/openssl rsa -in server.key.org -out server.key #--------------------------------- Enter pass phrase for server.key.org: zhoulf123 #--------------------------------- #使用上面的密钥和CSR对证书进行签名 /usr/local/openssl/bin/openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

#-------------------------------------------------------- # HTTPS server server {  listen 443;  server_name localhost;  ssl on;  ssl_certificate      /usr/local/nginx/ssl.ca.1way/server.crt;  ssl_certificate_key  /usr/local/nginx/ssl.ca.1way/server.key;  ssl_session_timeout 5m;  ssl_protocols SSLv2 SSLv3 TLSv1;  ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;  ssl_prefer_server_ciphers on;  location / {   root /var/www/html;   index index.html index.htm;  } } #--------------------------------------------------------