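To install nginx, see:
To recompile nginx with SSL support, see:
Next, configure the SSL certificate manually:
A certificate you issue yourself is not trusted by browsers: the https in the address bar is shown with a large red cross.
The steps for issuing the certificate yourself follow.
Switch to the nginx configuration directory
```
# cd /usr/local/nginx/conf
```
Create a directory for the certificate
```
# mkdir ssl
# cd ssl
```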
1. Generate the private key
```
# openssl genrsa -des3 -out cert.key 1024    # generate a 1024-bit certificate private key
Generating RSA private key, 1024 bit long modulus
............++++++
......................++++++
e is 65537 (0x10001)
Enter pass phrase for cert.key:                # prompts for a pass phrase
Verifying - Enter pass phrase for cert.key:    # confirm the pass phrase
```
2. Create the certificate signing request
```
# openssl req -new -key cert.key -out cert.csr
Enter pass phrase for cert.key:    # enter the pass phrase
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:cn    # country
State or Province Name (full name) [Some-State]:shanghai    # province
Locality Name (eg, city) []:shanghai    # locality
Organization Name (eg, company) [Internet Widgits Pty Ltd]:westos    # company name
Organizational Unit Name (eg, section) []:linux    # department
Common Name (e.g. server FQDN or YOUR name) []:server    # CA hostname
Email Address []:root@server    # e-mail address

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456    # certificate request password; must be entered when the CA reads the certificate
An optional company name []:123456    # company name; must be entered when the CA reads the certificate
```
```
# keep the pass-phrase-protected key as a backup, then write an unencrypted copy
# cp cert.key cert.key.bak
# openssl rsa -in cert.key.bak -out cert.key
Enter pass phrase for cert.key.bak:    # enter the pass phrase
writing RSA key
```
3. Self-sign the certificate
```
# openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.pem
Signature ok
subject=/C=cn/ST=shanghai/L=shanghai/O=westos/OU=linux/CN=server/emailAddress=root@server

# ll
total 16
-rw-r--r-- 1 root root 749 Oct 25 15:33 cert.csr
-rw-r--r-- 1 root root 891 Oct 25 16:13 cert.key
-rw-r--r-- 1 root root 963 Oct 25 16:12 cert.key.bak
-rw-r--r-- 1 root root 920 Oct 25 16:16 cert.pem
```
4. Export the certificate as a p12 file that browsers support
```
# openssl pkcs12 -export -clcerts -in cert.pem -inkey cert.key -out cert.p12
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost ssl]# ls
cert.csr  cert.key  cert.key.bak  cert.p12  cert.pem
```
5. Export the public and private keys from the p12 file
Generate the cert.key file
```
# openssl pkcs12 -in cert.p12 -nocerts -nodes -out cert.key
```
Export the private key
```
# openssl rsa -in cert.key -out cert_pri.pem
writing RSA key
```
Export the public key
```
# openssl rsa -in cert.key -pubout -out cert_pub.pem
```
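Before handing cert.pem and cert.key to nginx, it is worth confirming that the key belongs to the certificate, that it no longer carries a pass phrase, and that the modulus is long enough; the 1024-bit key from step 1 is shorter than the 2048-bit minimum that current RSA guidance expects. The script below is an added example, not part of the original page: `make_pair`, `check_pair`, `demo` and the return codes are names chosen here, and the test files are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check a cert/key pair.

# make_pair PREFIX BITS: constructed test data. Repeats steps 1-3
# non-interactively (-subj replaces the DN prompts; no pass phrase is set).
make_pair() {
    openssl genrsa -out "$1.key" "$2" 2>/dev/null &&
    openssl req -new -key "$1.key" -subj "/CN=server" -out "$1.csr" &&
    openssl x509 -req -days 365 -in "$1.csr" -signkey "$1.key" \
        -out "$1.pem" 2>/dev/null
}

# check_pair CERT KEY [MIN_BITS]
#   0 = key matches cert and modulus >= MIN_BITS (default 2048)
#   1 = key does not belong to this certificate
#   2 = RSA modulus shorter than MIN_BITS
#   3 = key unreadable or still pass-phrase protected
#   4 = certificate unreadable
check_pair() {
    cert=$1; key=$2; min=${3:-2048}
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 4
    # "-passin pass:" supplies an empty pass phrase so an encrypted key
    # fails immediately instead of prompting on the terminal.
    key_pub=$(openssl rsa -in "$key" -pubout -passin pass: 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 1
    bits=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        sed -n 's/.*Public[- ]Key: (\([0-9][0-9]*\) bit).*/\1/p')
    [ "${bits:-0}" -ge "$min" ] || return 2
    return 0
}

# Demo on throwaway files: a 1024-bit pair, a 2048-bit pair, a mismatch.
demo() {
    d=$(mktemp -d) || return 1
    make_pair "$d/weak" 1024 && make_pair "$d/ok" 2048 || return 1
    weak=0;  check_pair "$d/weak.pem" "$d/weak.key" || weak=$?
    ok=0;    check_pair "$d/ok.pem" "$d/ok.key"     || ok=$?
    mixed=0; check_pair "$d/ok.pem" "$d/weak.key"   || mixed=$?
    rm -rf "$d"
    echo "$weak $ok $mixed"
}
demo
```

Against the files from this page, run it as `check_pair cert.pem cert.key` from the ssl directory.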