   openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
   Country Name (2 letter code) [AU]:
   State or Province Name (full name) [Some-State]:
   Locality Name (eg, city) []:
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:
   Organizational Unit Name (eg, section) []:
   Common Name (e.g. server FQDN or YOUR name) []:
   Email Address []:
   填入組織名稱等信息

4.生成server端的私鑰

openssl genrsa -out server.key 4096

5.生成 server 端數(shù)字證書請求

   openssl req -new -key server.key -out server.csr
   Country Name (2 letter code) [AU]:CN
   State or Province Name (full name) [Some-State]:Shanghai
   Locality Name (eg, city) []:
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:Sidien Test
   Organizational Unit Name (eg, section) []:
   Common Name (e.g. server FQDN or YOUR name) []:192.168.0.162
   Email Address []:

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
  輸入相關信息和密碼

6.用 CA 私鑰簽發(fā) server 的數(shù)字證書

openssl  x509 -req -in server.csr  -CA  ca.crt  -CAkey  ca.key  -CAcreateserial -out  server.crt  -days  3650

7. 生成客戶端私鑰

openssl  genrsa  -out  client.key  4096

8. 生成客戶端數(shù)字請求證書

  openssl req -new -key client.key -out client.csr
   Country Name (2 letter code) [AU]:
   State or Province Name (full name) [Some-State]:
   Locality Name (eg, city) []:
   Organization Name (eg, company) [Internet Widgits Pty Ltd]:
   Organizational Unit Name (eg, section) []:
   Common Name (e.g. server FQDN or YOUR name) []:
   Email Address []:

   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:
   An optional company name []:
  輸入相關信息和密碼

9.用CA私鑰簽發(fā)數(shù)字證書:client.crt

openssl  x509 -req -in server.csr  -CA  ca.crt  -CAkey  ca.key  -CAcreateserial -out  client.crt  -days  3650

10.生成windows安裝證書程序

openssl pkcs12 -export -inkey client.key -in client.crt -out client.pfx

將client.pfx拷貝到作為客戶端的機器上，安裝證書，輸入生成時的密碼

11.配置nginx

 ssl_certificate  /etc/pki/ca_linvo/server/server.crt;     #server公鑰路徑
 ssl_certificate_key  /etc/pki/ca_linvo/server/server.key;   #server私鑰路徑
 ssl_client_certificate   /etc/pki/ca_linvo/root/ca.crt;   #根級證書公鑰路徑，用于驗證各個二級client
 ssl_verify_client on;   開啟雙向認證

認證成功

curl --cert ./client.crt --key ./client.key https://url -k -v

開啟gzip跟緩存

gzip  on;

    gzip_min_length     256;
    gzip_buffers        4 16k;
    gzip_http_version   1.1;
    gzip_vary on;
    gzip_comp_level 3;
    gzip_disable "MSIE [1-6]\.";
    gzip_proxied any;
#這里設置需要壓縮的格式
    gzip_types
	application/atom+xml
	application/javascript
	application/json
	application/ld+json
	application/manifest+json
	application/rss+xml
	application/vnd.geo+json
	application/vnd.ms-fontobject
	application/x-font-ttf
	application/x-web-app-manifest+json
	application/xhtml+xml
	application/xml
	font/opentype
	image/bmp
	image/svg+xml
	image/x-icon
	text/cache-manifest
	text/css
	text/plain
	text/vcard
	text/vnd.rim.location.xloc
	text/vtt
	text/x-component
	text/x-cross-domain-policy;
		location / {    
	   root   /root/www/web;
	   index  index.html;
	   autoindex on;
            if ($request_filename ~ .*.(js|css)$)
         {
         expires 7d;
         }
	}