linux system issues free ssl certificate and generates self signed ssl certificate for nginx

For the installation of nginx, please refer to:
For nginx recompilation support for ssl, please refer to:
Next, configure the ssl certificate manually:
If you issue the certificate manually, then https is not recognized by the browser, that is, there will be a big red cross on https
Here's how to issue a certificate manually

Switch to nginx profile

# cd /usr/local/nginx/conf

Create configuration certificate directory

# mkdir ssl
# cd ssl

1. Generate private key

openssl genrsa -des3 -out cert.key 1024   #Generate certificate private key of 1024
Generating RSA private key, 1024 bit long modulus
............++++++
......................++++++
e is 65537 (0x10001)
Enter pass phrase for cert.key:  #Prompt for password
Verifying - Enter pass phrase for cert.key:  #Confirm password

2. Create certificate request

#  openssl req -new -key cert.key -out cert.csr
Enter pass phrase for cert.key:   #Input password
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.  
-----
Country Name (2 letter code) [AU]:cn   #Country
State or Province Name (full name) [Some-State]:shanghai #Province
Locality Name (eg, city) []:shanghai  #Area name
Organization Name (eg, company) [Internet Widgits Pty   Ltd]:westos   #Company name
Organizational Unit Name (eg, section) []:linux  #department
Common Name (e.g. server FQDN or YOUR name) []:server #CA host name
Email Address []:root@server  #mailbox

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:123456  #Certificate request key, CA needs to enter password when reading certificate
An optional company name []:123456  #Company name. When CA reads the certificate, it needs to enter the name

# cp cert.key cert.key.bak
# openssl rsa -in cert.key.bak -out cert.key
Enter pass phrase for cert.key.bak:    #Input password
writing RSA key

3. Self signed certificate

ยท```
#openssl x509 -req -days 365 -in cert.csr -signkey cert.key -out cert.pem
Signature okbr/>subject=/C=cn/ST=shanghai/L=shanghai/O=westos/OU=linux/CN=server/emailAddress=root@server
Getting Private key

![](http://i2.51cto.com/images/blog/201810/25/0645650a76a40436c026da566e3304bb.png?x-oss-process=image/watermark,size_16,text_QDUxQ1RP5Y2a5a6i,color_FFFFFF,t_100,g_se,x_10,y_10,shadow_90,type_ZmFuZ3poZW5naGVpdGk=)
# ll
total 16
-rw-r--r-- 1 root root 749 Oct 25 15:33 cert.csr
-rw-r--r-- 1 root root 891 Oct 25 16:13 cert.key
-rw-r--r-- 1 root root 963 Oct 25 16:12 cert.key.bak
-rw-r--r-- 1 root root 920 Oct 25 16:16 cert.pem

4. Export the certificate to p12 supported by browser

# openssl pkcs12 -export -clcerts -in cert.pem -inkey cert.key -out cert.p12
Enter Export Password:
Verifying - Enter Export Password:
[root@localhost ssl]# ls
cert.csr  cert.key  cert.key.bak  cert.p12  cert.pem

5. Export public key and private key in p12 file

Generate cert.key file

openssl pkcs12 -in cert.p12 -nocerts -nodes -out cert.key

Exported public key

# openssl rsa -in cert.key -out cert_pri.pem
writing RSA key


Export private key

# openssl rsa -in cert.key -pubout -out cert_pub.pem

Tags: Linux OpenSSL SSL Nginx

Posted on Mon, 02 Dec 2019 15:00:12 -0800 by 156418