# 生成根证书私钥和根证书
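# Create the private CA: a 2048-bit RSA key plus a self-signed root certificate.
# Subject fields: C=country, ST=state/province, L=city, O=organisation; a CN is
# added because trust-store UIs show it as the issuer name (the original had none).
# -nodes writes CA-private.key UNENCRYPTED: anyone holding it can issue
# certificates that every client trusting this root will accept, so keep it off
# the web server and readable by the operator only (chmod below).
# -extensions v3_ca marks the cert CA:TRUE. The original -reqexts v3_req is
# either ignored with -x509 (OpenSSL 1.1.x) or an alias of -extensions
# (OpenSSL 3.x, where the later -extensions v3_ca wins), so only v3_ca ever took
# effect; it is dropped to avoid confusion.
# -sha256 is spelled out for consistency with the CSR step (older OpenSSL
# builds default to SHA-1). Root validity is a policy choice; the browser limits
# apply to the server (leaf) certificate, see the x509 -req step.
openssl req -x509 -nodes -sha256 -days 36500 -newkey rsa:2048 \
  -subj "/C=CN/ST=EZ/L=EZ/O=EZ/CN=EZ Root CA" \
  -keyout CA-private.key -out CA-certificate.crt \
  -extensions v3_ca
chmod 600 CA-private.key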
# 生成服务器证书私钥(下文所称的"自签名证书"实际由上面的私有 CA 签发,并非严格意义上的自签名)
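# Generate the server's 2048-bit RSA private key (the secret half of the
# certificate nginx will serve). Restrict it to the owner: recent OpenSSL
# releases already create the file 0600, the chmod makes that explicit and
# covers older builds. Never copy this file to clients.
openssl genrsa -out private.key 2048
chmod 600 private.key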
# 根据服务器私钥生成证书签名请求文件(CSR)
# Build the certificate signing request for the server key.
# Modern browsers ignore the CN for host-name matching and only honour the
# subjectAltName that private.ext adds at signing time, so keep the CN and
# the SAN entry identical to the address clients connect to (the nginx IP).
openssl req -new -sha256 \
  -key private.key \
  -subj "/C=CN/ST=EZ/L=EZ/O=EZ/CN=192.168.2.117" \
  -out private.csr
# 定义证书扩展文件(Chrome 58 起校验主机名只看 subjectAltName 而不再看 CN,缺少 SAN 就会报安全告警),新建 private.ext 文件并写入以下内容(subjectAltName 中的 IP 为 nginx 服务器 IP,须与 nginx.conf 中的 server_name 以及客户端实际访问的地址一致)
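# private.ext -- OpenSSL config consumed by
#   openssl x509 -req ... -extfile private.ext -extensions SAN
# That command reads ONLY the [SAN] section. The [req] sections are kept so the
# file is also safe to pass to `openssl req -config`; they were fixed up
# because the originals would not have worked that way.
[ req ]
default_bits        = 2048                   # was 1024: too weak, modern clients reject such keys
prompt              = no                     # without this the values below are treated as prompt labels, not DN values
distinguished_name  = req_distinguished_name
req_extensions      = SAN                    # section names are case-sensitive; "san" did not match [SAN]
x509_extensions     = SAN                    # "extensions" is not a recognised [req] key

[ req_distinguished_name ]
countryName         = CN
stateOrProvinceName = Definesys
localityName        = Definesys
organizationName    = Definesys

[ SAN ]
subjectKeyIdentifier   = hash                # lets clients build the chain reliably
authorityKeyIdentifier = keyid,issuer
basicConstraints       = CA:FALSE            # a leaf certificate must never be able to issue others
# Least privilege for a TLS server key: digitalSignature (ECDHE handshakes) and
# keyEncipherment (RSA key exchange). nonRepudiation/dataEncipherment are not
# used by TLS and were dropped.
keyUsage               = digitalSignature, keyEncipherment
# Apple platforms (iOS 13+/macOS 10.15+) require serverAuth on TLS server certs.
extendedKeyUsage       = serverAuth
# Must contain every address clients connect with. Add DNS:hostname entries,
# comma-separated, if the server is also reached by name.
subjectAltName         = IP:192.168.2.117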
# 用私有 CA 签发服务器证书(原示例有效期 100 年;注意 Apple 平台(iOS 13+/macOS 10.15+)会拒绝有效期超过 825 天的 TLS 服务器证书,实际部署时服务器证书有效期建议不超过 825 天,到期前重新签发)
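# Sign the CSR with the private CA and add the extensions from the [SAN]
# section of private.ext (x509 -req does not carry extensions over from the CSR,
# so the SAN must come from here).
# Validity is 825 days, not the original 36500: Apple platforms
# (iOS 13+/macOS 10.15+) reject TLS server certificates valid for longer than
# 825 days, so a 100-year certificate is flagged there regardless of the
# installed root. Re-run this step before expiry.
# -CAcreateserial creates CA-certificate.srl on first use; keep it next to the
# CA key so later certificates get distinct serial numbers.
openssl x509 -req -days 825 -sha256 \
  -in private.csr \
  -CA CA-certificate.crt -CAkey CA-private.key -CAcreateserial \
  -extfile private.ext -extensions SAN \
  -out private.crt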
# nginx 的 ssl 证书配置
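# TLS material for the server block.
# private.key is the secret half of private.crt: it must be readable only by
# the nginx master process (root), e.g. mode 0600, and must never be copied to
# clients. Clients accept private.crt only once CA-certificate.crt is installed
# in their trust store (see the installation step below).
ssl_certificate_key /usr/local/nginx/ssl/private.key;
ssl_certificate     /usr/local/nginx/ssl/private.crt;
# Allow only current protocol versions; older nginx releases still default to
# TLS 1.0/1.1. The TLSv1.3 token needs nginx >= 1.13.0 (drop it on older builds).
ssl_protocols TLSv1.2 TLSv1.3;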
# 证书安装
需要将 CA-certificate.crt 安装到客户端(浏览器/操作系统)的"受信任的根证书颁发机构"中,之后浏览器即可正常访问且不再提示不安全。注意:安装后,任何持有 CA-private.key 的人都能签发该客户端会信任的任意站点证书,因此只在自己控制的机器上安装此根证书,只分发 CA-certificate.crt(公开证书),并妥善保管 CA-private.key(建议加密或离线保存)。
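# Post-deployment checks.
# s_client only validates the chain when told where the private root is;
# without -CAfile it ends with "unable to verify the first certificate".
# -verify_ip checks the IP SAN the way a browser would. Use the host:port nginx
# actually listens on (the example uses localhost:8080); </dev/null closes the
# session instead of waiting for input.
openssl s_client -connect localhost:8080 -CAfile CA-certificate.crt \
  -verify_ip 192.168.2.117 </dev/null
# Offline chain check, independent of the running server.
openssl verify -CAfile CA-certificate.crt private.crt
# Inspect the issued certificate: expect the IP SAN, CA:FALSE and serverAuth.
openssl x509 -in private.crt -text -noout
# Key consistency check. -noout avoids dumping the private key to the terminal
# (the original command printed it).
openssl rsa -in private.key -check -noout
# Confirm private.key really is the key behind private.crt: the two public-key
# digests must match, otherwise nginx refuses to start or serves a mismatch.
openssl x509 -in private.crt -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256
openssl pkey -in private.key -pubout -outform DER | openssl dgst -sha256
openssl x509 -in private.crt -noout -dates
openssl x509 -in private.crt -noout -issuer -subject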