Youngbye

[ alternate_names ]
DNS.1        = example.com
DNS.2        = www.example.com
DNS.3        = mail.example.com
DNS.4        = ftp.example.com
IP.1         = 192.168.1.1
...

1. 创建服务器证书密钥文件 server.key：
openssl genrsa -des3 -out server.key 1024
输入密码，确认密码，自己随便定义，但是要记住，后面会用到。
2. 创建服务器证书的申请文件 server.csr
openssl req -new -key server.key -out server.csr
输出内容为：
Enter pass phrase for root.key: ← 输入前面创建的密码 
Country Name (2 letter code) [AU]:CN ← 国家代号，中国输入 CN 
State or Province Name (full name) [Some-State]:BeiJing ← 省的全名，拼音 
Locality Name (eg, city) []:BeiJing ← 市的全名，拼音 
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Corp. ← 公司英文名 
Organizational Unit Name (eg, section) []: ← 可以不输入 
Common Name (eg, YOUR name) []: ← 此时不输入 
Email Address []:admin@mycompany.com ← 电子邮箱，可随意填
Please enter the following ‘extra’ attributes 
to be sent with your certificate request 
A challenge password []: ← 可以不输入 
An optional company name []: ← 可以不输入
4. 备份一份服务器密钥文件
cp server.key server.key.org
5. 去除文件口令
openssl rsa -in server.key.org -out server.key
6. 生成证书文件 server.crt
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

openssl req \
    -newkey rsa:2048 \
    -x509 \
    -nodes \
    -keyout server.key \
    -new \
    -out server.crt \
    -subj /CN=movie.xunlei.com \
    -reqexts SAN \
    -extensions SAN \
    -config <(cat /usr/local/etc/openssl/openssl.cnf \
        <(printf '[SAN]\nsubjectAltName=DNS:movie.xunlei.com')) \
    -sha256 \
    -days 3650

 server {
        listen       443 ssl;
        server_name movie.xunlei.com;

        ssl on;
        #证书 (公钥. 发送到客户端的)
        ssl_certificate ssl/server.crt;
	    #私钥,
        ssl_certificate_key ssl/server.key;
        
        error_log     /var/log/error.sjxl-person-center.com;
        access_log    /var/log/access.sjxl-person-center.com;
        

        location / {
            proxy_pass   http://127.0.0.1:8003;
        }
    }