# 生成根证书私钥和根证书
| openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -subj "/C=国家/ST=省/L=市/O=机构" -keyout CA-private.key -out CA-certificate.crt -reqexts v3_req -extensions v3_ca |
| |
| |
| openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -subj "/C=CN/ST=EZ/L=EZ/O=EZ" -keyout CA-private.key -out CA-certificate.crt -reqexts v3_req -extensions v3_ca |
# 生成自签名证书私钥
| openssl genrsa -out private.key 2048 |
# 根据自签名证书私钥生成自签名证书申请文件
| openssl req -new -key private.key -subj "/C=CN/ST=EZ/L=EZ/O=EZ/CN=192.168.2.117" -sha256 -out private.csr |
# 定义自签名证书扩展文件(解决 Chrome 安全告警):新建 private.ext 文件并写入以下内容。其中 IP 为 nginx 服务器 IP,需与 nginx.conf 中的 server_name 一致;后面的签发命令通过 `-extensions SAN` 只读取 `[SAN]` 段的扩展。
| [ req ] |
| default_bits = 1024 |
| distinguished_name = req_distinguished_name |
| req_extensions = san |
| extensions = san |
| [ req_distinguished_name ] |
| countryName = CN |
| stateOrProvinceName = Definesys |
| localityName = Definesys |
| organizationName = Definesys |
| [SAN] |
| authorityKeyIdentifier=keyid,issuer |
| basicConstraints=CA:FALSE |
| keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment |
| subjectAltName = IP:192.168.2.117 |
# 生成自签名证书(有效期 100 年)
| openssl x509 -req -days 36500 -in private.csr -CA CA-certificate.crt -CAkey CA-private.key -CAcreateserial -sha256 -out private.crt -extfile private.ext -extensions SAN |
# nginx 的 ssl 证书配置
| ssl_certificate_key /usr/local/nginx/ssl/private.key; |
| ssl_certificate /usr/local/nginx/ssl/private.crt; |
# 证书安装
需要将 CA-certificate.crt 安装到受信任的根证书颁发机构下,即可从浏览器正常访问且不会报不安全警告。只需分发 CA-certificate.crt;CA-private.key 应妥善保管在签发机上,不要随证书一起分发。
| |
| openssl s_client -connect localhost:8080 |
| |
| openssl x509 -in private.crt -text -noout |
| openssl rsa -in private.key -check |
| |
| openssl x509 -in private.crt -noout -dates |
| |
| openssl x509 -in private.crt -noout -issuer -subject |