bash
复制代码
openssl req -x509 \
-newkey \
rsa:4096 \
-nodes \
-keyout server.key \
-out server.crt \
-sha256 \
-days 36500 \
-subj "/C=CN/ST=Beijing/L=Beijing/O=PSBC/OU=CCCS/CN=CCCS CA" \
-extensions san \
-config <(echo '[req]'; echo 'distinguished_name=req';
echo '[san]'; echo 'subjectAltName=DNS:test.com,DNS:devops.test.com,DNS:*.test.com')
diff
复制代码
-rw-rw-r-- 1 devops devops 2.0K Jul 9 11:14 server.crt
-rw-rw-r-- 1 devops devops 3.2K Jul 9 11:15 server.key
自签ip地址可授证书第二版
ini
复制代码
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zhao138969
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = QCTEAM
commonName = Common Name (eg, fully qualified host name)
commonName_default = *.zhao138969.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@zhao138969.com
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true
ini
复制代码
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zhao138969
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = QCTEAM Server
commonName = Common Name (eg, fully qualified host name)
commonName_default = *.zhao138969.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@zhao138969.com
emailAddress_max = 64
- 创建ssl证书subjectAltName描述文件 SAN.ext
- 哪些ip需要使用https访问,就需要添加对应ip地址
ini
复制代码
ubjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
DNS.1 = *.zhao138969.com
IP.1 = 10.130.47.202
IP.2 = 192.168.200.18
- 创建CA+SSL证书
- 上面配置文件已经填写相关信息,执行下面命令直接回车确认即可
csharp
复制代码
# 生成CA证书
openssl req -x509 -newkey rsa:4096 -out CA.cer -outform PEM -keyout CA.pvk -days 3650 -verbose -config CA.cnf -nodes -sha256
#生成证书请求文件
openssl req -newkey rsa:4096 -keyout server.pvk -out server.req -config server.cnf -sha256 -nodes
#生成证书
openssl x509 -req -CA CA.cer -CAkey CA.pvk -in server.req -out server.cer -days 3650 -extfile SAN.ext -sha256 -set_serial 0x1212
vbscript
复制代码
[devops@db1 ssl_new]$ ls
CA.cer CA.cnf CA.pvk SAN.ext server.cer server.cnf server.pvk server.req
arduino
复制代码
ssl_certificate /home/nginx/conf/crt/server.cer;
ssl_certificate_key /home/nginx/conf/crt/server.pvk;
- 在到需要访问的pc机器上面导入
CA.cer CA证书,需要导入受信任的根证书颁发机构
- 然后使用https ip的方式进行访问,访问前最好清理下浏览器缓存。