忘れっぽいので残しておきます
// ssl 証明書用の秘密鍵を作る(パスワード設定しておく) | |
$ openssl genrsa -des3 -out privkey.pem 2048 | |
Generating RSA private key, 2048 bit long modulus | |
……+++ | |
………………+++ | |
e is 65537 (0x10001) | |
Enter pass phrase for privkey.pem: | |
Verifying – Enter pass phrase for privkey.pem: | |
// 秘密鍵から csr を作成 → 証明局に提出して ssl 証明書をもらう | |
$ openssl req -new -key privkey.pem -out server.csr | |
Enter pass phrase for server.key: | |
You are about to be asked to enter information that will be incorporated | |
into your certificate request. | |
What you are about to enter is what is called a Distinguished Name or a DN. | |
There are quite a few fields but you can leave some blank | |
For some fields there will be a default value, | |
If you enter '.', the field will be left blank. | |
—– | |
Country Name (2 letter code) [XX]:JP → 国コード (必須) | |
State or Province Name (full name) []:Tokyo → 都道府県名 (必須) | |
Locality Name (eg, city) [Default City]:Shinjuku → 市町村区 (必須) | |
Organization Name (eg, company) [Default Company Ltd]: → 会社または組織名 (必須) | |
Organizational Unit Name (eg, section) []: → 部署名 | |
Common Name (eg, your name or your server's hostname) []: → サーバ名 (必須) | |
Email Address []: → Email Address | |
Please enter the following 'extra' attributes | |
to be sent with your certificate request | |
A challenge password []: → パスワード | |
An optional company name []: → 会社または組織名 | |
// 秘密鍵をパスワード無しに変換 | |
$ cp privkey.pem privkey.pem.org | |
$ openssl rsa -in privkey.pem.org -out privkey.pem | |
// nginx.conf を修正 | |
$ vi /etc/nginx/nginx.conf | |
: | |
server { | |
listen 443 ssl http2; | |
server_name _; | |
root /var/www/html; | |
index index.html index.htm; | |
charset utf-8; | |
ssl on; | |
ssl_certificate /etc/nginx/ssl.keys/fullchain.pem; # 証明局から取得した ssl 証明書に中間CA証明書をくっつけたやつ | |
ssl_certificate_key /etc/nginx/ssl.keys/privkey.pem; | |
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | |
ssl_prefer_server_ciphers on; | |
ssl_ciphers AESGCM:HIGH:!aNULL:!MD5; | |
ssl_session_cache shared:SSL:10m; | |
ssl_session_timeout 5m; | |
# 以下はお好みで | |
#ssl_stapling on; | |
#ssl_stapling_verify on; | |
#ssl_trusted_certificate /etc/nginx/ssl.keys/fullchain.pem; | |
#resolver 8.8.8.8 8.8.4.4 valid=300s; | |
#resolver_timeout 5s; |
自己証明書を作りたい時は…
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
p7s から pem に変換
$ openssl pkcs7 -in server.p7s -print_certs