- 自签可授证书第一版
bash
openssl req -x509 \
-newkey \
rsa:4096 \
-nodes \
-keyout server.key \
-out server.crt \
-sha256 \
-days 36500 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=PSBC/OU=CCCS/CN=CCCS CA" \
-extensions san \
-config <(echo '[req]'; echo 'distinguished_name=req';
echo '[san]'; echo 'subjectAltName=DNS:test.com,DNS:devops.test.com,DNS:*.test.com')- 生成两个证书文件,然后引入nginx加载
diff
-rw-rw-r-- 1 devops devops 2.0K Jul 9 11:14 server.crt
-rw-rw-r-- 1 devops devops 3.2K Jul 9 11:15 server.key自签ip地址可授证书第二版
- 创建CA证书配置 CA.cnf 文件
ini
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zhao138969
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = QCTEAM
commonName = Common Name (eg, fully qualified host name)
commonName_default = *.zhao138969.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@zhao138969.com
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true- 创建ssl证书 server.cnf 文件
ini
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zhao138969
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = QCTEAM Server
commonName = Common Name (eg, fully qualified host name)
commonName_default = *.zhao138969.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@zhao138969.com
emailAddress_max = 64- 创建ssl证书subjectAltName描述文件 SAN.ext
- 哪些ip需要使用https访问,就需要添加对应ip地址
ini
ubjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = *.zhao138969.com
IP.1 = 10.130.47.202
IP.2 = 192.168.200.18- 创建CA+SSL证书
- 上面配置文件已经填写相关信息,执行下面命令直接回车确认即可
csharp
# 生成CA证书
openssl req -x509 -newkey rsa:4096 -out CA.cer -outform PEM -keyout CA.pvk -days 3650 -verbose -config CA.cnf -nodes -sha256
#生成证书请求文件
openssl req -newkey rsa:4096 -keyout server.pvk -out server.req -config server.cnf -sha256 -nodes
#生成证书
openssl x509 -req -CA CA.cer -CAkey CA.pvk -in server.req -out server.cer -days 3650 -extfile SAN.ext -sha256 -set_serial 0x1212- 最终生成文件如下所示
vbscript
[devops@db1 ssl_new]$ ls
CA.cer CA.cnf CA.pvk SAN.ext server.cer server.cnf server.pvk server.req- 在nginx配置文件配置上证书文件路径
arduino
ssl_certificate /home/nginx/conf/crt/server.cer;
ssl_certificate_key /home/nginx/conf/crt/server.pvk;- 在到需要访问的pc机器上面导入
CA.cerCA证书,需要导入受信任的根证书颁发机构
- 然后使用https ip的方式进行访问,访问前最好清理下浏览器缓存。