JSk的keytool执行命令:
生成证书
keytool -genkeypair -alias hqtest -keyalg RSA -keysize 2048 -validity 3650 -keypass 123456 -storepass 123456 -keystore D:/hqtest.keystore
证书转成p12格式
keytool -importkeystore -srckeystore D:/hqtest.keystore -destkeystore D:/hqtest.p12 -srcstoretype JKS -deststoretype PKCS12
导出证书
keytool -exportcert -file D:/hqtest.cer -alias hqtest -keystore D:/hqtest.keystore -storepass 123456
openssl执行命令:
生成pem证书
x509 -inform der -in D:\hqtest.cer -out D:\hqtest.pem
生成key文件
pkcs12 -nocerts -nodes -in D:\hqtest.p12 -out D:\hqtest.key
生成证书交换文件
dhparam -out D:\dhparam.pem 4096
Nginx配置:
http{
server_tokens off;
include mime.types;
default_type application/octet-stream;
gzip on;
client_max_body_size 300m;
server {
#监听端口
listen 8612;
#对应的域名
server_name 192.168.0.28;
ssl on;
ssl_certificate D:\hqtest.pem;
ssl_certificate_key D:\hqtest.key;
ssl_ciphers EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256::!MD5;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8 valid=300s;
resolver_timeout 5s;
ssl_prefer_server_ciphers on;
ssl_dhparam D:\dhparam.pem;
add_header Strict-Transport-Security "max-age=31536000";
add_header Content-Security-Policy "upgrade-insecure-requests;connect-src *";
location / {
proxy_pass http://127.0.0.1:8602;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
error_page 497 https://$host:$server_port$uri;
}
}