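SSLCertKit is a small tool written by 若海 [mail@anrip.com] as DOS batch scripts; it generates digital certificates for use with Nginx.
SSLCertKit calls openssl to generate the certificates, which can be used by Nginx on Windows or Unix (Linux) to support HTTPS.
You can find the latest version of SSLCertKit and its usage at http://www.anrip.com/sslcert.
Choose one of the following three usages according to your actual needs: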
a. CreateRootCA.bat
No Root CA key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
..........................................++++++
...............++++++
e is 65537 (0x10001)
Enter pass phrase for cert\ca.key: <= enter the root CA password; you need to remember this password
Verifying - Enter pass phrase for cert\ca.key: <= enter the same password again
Self-sign the root CA...
Enter pass phrase for cert\ca.key: <= enter the password above; it is used to sign the root certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or
a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]: <= fill in the following fields according to your actual situation
State or Province Name (full name) [ShanDong]:
Locality Name (eg, city) [QingDao]:
Organization Name (eg, company) [anrip.com]:
Organizational Unit Name (eg, section) [Anrip Team]:
Common Name (eg, MD Root CA) []: ANRIP CA
Email Address []: admin@anrip.com
After running the command above, ca.key and ca.crt are generated in the Cert/ directory.
b. CreateServerCert.bat
Please input the server name: server <= enter the server's server name (this input determines the generated file names)
No cert\www.anrip.com.key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or
a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShanDong]:
Locality Name (eg, city) [QingDao]:
Organization Name (eg, company) [anrip.com]:
Organizational Unit Name (eg, section) [Anrip Team]:
Common Name (eg, www.domain.com) []: www.anrip.com <= enter the server's host name
Email Address []: webmaster@anrip.com
After running the command above, server.key and server.csr are generated in the Cert/ directory (if you entered server name=myserver, myserver.* are generated instead).
c. SignServerCert.bat
Please input the server name: server <= enter the server name from above
template\ca.db.index
template\ca.db.serial
已复制 2 个文件。
Singing...
Using configuration from template\sign.conf
Loading 'screen' into random state - done
Enter pass phrase for ./cert/ca.key: <= enter the root CA password
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'CN'
stateOrProvinceName :PRINTABLE:'ShanDong'
localityName :PRINTABLE:'QingDao'
organizationName :PRINTABLE:'anrip.com'
organizationalUnitName:PRINTABLE:'Anrip Team'
commonName :PRINTABLE:'www.anrip.com'
emailAddress :IA5STRING:'webmaster@anrip.com'
Certificate is to be certified until Apr 6 15:04:55 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n] y <= enter Y to confirm
Write out database with 1 new entries
Data Base Updated
Verfiying...
cert\www.anrip.com.crt: OK
The files server.key and server.crt are generated in the cert/ directory.
a. SelfSignCert.bat
Loading 'screen' into random state - done
Generating a 1024 bit RSA private key
.....++++++
.........++++++
writing new private key to 'cert\selfsign.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or
a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShanDong]:
Locality Name (eg, city) [QingDao]:
Organization Name (eg, company) [anrip.com]:
Organizational Unit Name (eg, section) [Anrip Team]:
Common Name (eg, MD Root CA) []: MY CA
Email Address []: self@anrip.com
The file selfsign.pem is generated in the cert/ directory. Split it into server.key and server.crt according to the comments inside it.
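One way to do the selfsign.pem split described above and to confirm that the resulting server.key and server.crt belong together before Nginx loads them. This is an added example, not part of SSLCertKit; it assumes a POSIX shell with awk and openssl on the PATH, and the function names split_pem and pair_matches are hypothetical.

```shell
#!/bin/sh
# Added example (not part of SSLCertKit): split a combined key+certificate PEM
# such as cert/selfsign.pem, then confirm the two parts belong together.

# split_pem <combined.pem> <key_out> <crt_out>   (hypothetical helper name)
split_pem() {
    src=$1; key=$2; crt=$3
    # Create or truncate the outputs; a newly created key file is owner-only.
    ( umask 077; : > "$key" ) || return 1
    : > "$crt" || return 1
    awk -v key="$key" -v crt="$crt" '
        { sub(/\r$/, "") }                          # tolerate Windows CRLF
        /^-----BEGIN .*PRIVATE KEY-----/ { out = key }
        /^-----BEGIN CERTIFICATE-----/   { out = crt }
        out != ""                        { print > out }   # drop comment lines
        /^-----END /                     { out = "" }
    ' "$src" || return 1
    # Fail unless both a key block and a certificate block were found.
    [ -s "$key" ] && [ -s "$crt" ]
}

# pair_matches <key> <crt>: true when both carry the same public key.
pair_matches() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Usage: sh split_check.sh cert/selfsign.pem cert/server.key cert/server.crt
if [ "$#" -eq 3 ]; then
    split_pem "$1" "$2" "$3" || { echo "no key+certificate pair in $1" >&2; exit 1; }
    pair_matches "$2" "$3"   || { echo "key and certificate do not match" >&2; exit 1; }
    echo "OK: $2 and $3 match"
fi
```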
Run CreateServerCert.bat
Please input the server name: server <= enter the server's server name (this input determines the generated file names)
No cert\www.anrip.com.key found, Generating one
Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
........................................................++++++
..++++++
e is 65537 (0x10001)
Fill in certificate data
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or
a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [CN]:
State or Province Name (full name) [ShanDong]:
Locality Name (eg, city) [QingDao]:
Organization Name (eg, company) [anrip.com]:
Organizational Unit Name (eg, section) [Anrip Team]:
Common Name (eg, www.domain.com) []: www.anrip.com <= enter the server's host name
Email Address []: webmaster@anrip.com
The files server.key and server.csr are generated in the cert/ directory. Submit server.csr to a third-party authority for signing; after signing you receive server.crt.
listen 443 ssl;
ssl_certificate cert/server.crt;
ssl_certificate_key cert/server.key;