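Today I spent some time studying SSL and found that many of the free options are not very reliable, and the paid ones come in all shapes and sizes. In the end I chose the big brand GoDaddy. First, a brief introduction to SSL/HTTPS certificates. There are three main types:
- DV: mainly validates the domain name; the cheapest and most practical
- OV: validates the organization; I don't know what it is for
- EV: validates the company and also shows the company name in the address bar. Very cool, but extremely expensive; generally used on sites that take payments
I got a UCC and later found that it differs from a normal certificate: it has one primary domain and several aliases. You only need to generate it once, though, and it is used the same way. Only the way it is generated is different. I searched online for a long time without finding it, then worked it out myself, so I am posting it here for everyone.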
- Go to a directory, for example /etc/nginx/ssl
- Generate a key: openssl genrsa -out nginx.key 2048
- Create a config file (san.cfg, the name the command in the next step expects):

    [ req ]
    default_bits       = 2048
    default_keyfile    = nginx.key
    distinguished_name = req_distinguished_name
    req_extensions     = req_ext

    [ req_distinguished_name ]
    countryName                    = Country Name (2 letter code)
    countryName_default            = US
    stateOrProvinceName            = State or Province Name (full name)
    stateOrProvinceName_default    = Virginia
    localityName                   = Locality Name (eg, city)
    localityName_default           = Alexandria
    organizationName               = Organization Name (eg, company)
    organizationName_default       = Jingenius, LLC
    organizationalUnitName         = Organizational Unit Name (eg, section)
    organizationalUnitName_default = Jingenius, LLC
    # commonName is the primary domain; it is defined only once here
    commonName                     = Common Name (eg, YOUR name)
    commonName_default             = jing.do
    commonName_max                 = 64
    emailAddress                   = Email Address
    emailAddress_max               = 64
    emailAddress_default           = pjsky@foxmail.com

    [ req_ext ]
    subjectAltName = @alt_names

    # the aliases requested for the certificate
    [ alt_names ]
    DNS.1 = blog.jing.do
    DNS.2 = xxx.com
    DNS.3 = ss.com

- Generate the CSR: openssl req -new -key nginx.key -out nginx.csr -config san.cfg
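If `-config` or `req_extensions` is not picked up, the CSR is created without any aliases, so it is worth checking the CSR before uploading it to the CA. The following is an added example, not part of the original post: the function names are hypothetical, the hostnames are the ones from the config above, and it uses `prompt = no` so that it runs without questions.

```bash
#!/bin/sh
# Added example: build a SAN CSR non-interactively and verify it before upload.
# Usage: make_san_csr /etc/nginx/ssl jing.do blog.jing.do xxx.com ss.com
#        check_csr nginx.csr nginx.key blog.jing.do xxx.com ss.com

# make_san_csr DIR CN ALT... -> writes DIR/nginx.key, DIR/san.cfg, DIR/nginx.csr
make_san_csr() {
    local dir="$1" cn="$2" i=1 name
    shift 2
    openssl genrsa -out "$dir/nginx.key" 2048 2>/dev/null || return 1
    {
        printf '[ req ]\nprompt = no\ndistinguished_name = dn\nreq_extensions = req_ext\n'
        printf '[ dn ]\ncommonName = %s\n' "$cn"
        printf '[ req_ext ]\nsubjectAltName = @alt_names\n[ alt_names ]\n'
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$dir/san.cfg"
    openssl req -new -key "$dir/nginx.key" -out "$dir/nginx.csr" -config "$dir/san.cfg"
}

# csr_sans CSR -> the DNS names requested in the CSR, one per line
csr_sans() {
    openssl req -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# csr_matches_key CSR KEY -> 0 if the CSR carries the public half of KEY
csr_matches_key() {
    [ "$(openssl req -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_csr CSR KEY NAME... -> 0 only if the key matches and every NAME is a SAN
check_csr() {
    local csr="$1" key="$2" name
    shift 2
    csr_matches_key "$csr" "$key" || { echo "CSR does not match key" >&2; return 1; }
    for name in "$@"; do
        csr_sans "$csr" | grep -qxF "$name" || { echo "missing SAN: $name" >&2; return 1; }
    done
}
```

`check_csr` works equally on a CSR produced with the interactive san.cfg, since it only reads the finished nginx.csr and nginx.key.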
———————————While I'm at it, here is how to do a normal certificate———————————
    sudo mkdir /etc/nginx/ssl
    cd /etc/nginx/ssl

    # Generate the private key
    sudo openssl genrsa -des3 -out server.key 2048

Here you will be asked to enter a passphrase; choose one that is easy to remember, because you will need to enter it in the next step.

    # Generate the CSR
    sudo openssl req -new -key server.key -out server.csr

    Country Name (2 letter code) [AU]:US                                # country code
    State or Province Name (full name) [Some-State]:New York            # state or province
    Locality Name (eg, city) []:NYC                                     # city
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:Awesome Inc   # company name
    Organizational Unit Name (eg, section) []:                          # department name
    Common Name (e.g. server FQDN or YOUR name) []: www.example.com
    Email Address []: admin@example.com                                 # administrator e-mail
————————Nginx———————–
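    server {
        # "ssl on;" is deprecated and was removed in nginx 1.25.1;
        # the ssl parameter of listen replaces it
        listen 443 ssl;
        server_name example.com;

        root /usr/share/nginx/www;
        index index.html index.htm;

        ssl_certificate     /etc/nginx/ssl/server.crt;
        # server.key was created with -des3, so nginx asks for its passphrase on start
        ssl_certificate_key /etc/nginx/ssl/server.key;
    }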
If you want to redirect http requests to https:

    server {
        listen 80;
        server_name example.me;
        rewrite ^ https://$server_name$request_uri? permanent;
    }