生成ip可授信证书文件

• 自签可授证书第一版

openssl req -x509 \
        -newkey \
        rsa:4096 \
        -nodes \
        -keyout server.key \
        -out server.crt \
        -sha256 \
        -days 36500 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=PSBC/OU=CCCS/CN=CCCS CA" \
        -extensions san \
        -config <(echo '[req]'; echo 'distinguished_name=req';
        echo '[san]'; echo 'subjectAltName=DNS:test.com,DNS:devops.test.com,DNS:*.test.com')

• 生成两个证书文件,然后引入nginx加载

-rw-rw-r-- 1 devops devops 2.0K Jul  9 11:14 server.crt
-rw-rw-r-- 1 devops devops 3.2K Jul  9 11:15 server.key

自签ip地址可授证书第二版

• 创建CA证书配置 CA.cnf 文件

[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
 
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zhao138969
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = QCTEAM
commonName = Common Name (eg, fully qualified host name)
commonName_default = *.zhao138969.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@zhao138969.com
emailAddress_max = 64
 
[ root_ca ]
basicConstraints = critical, CA:true

• 创建ssl证书 server.cnf 文件

distinguished_name = req_distinguished_name
 
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zhao138969
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = QCTEAM Server
commonName = Common Name (eg, fully qualified host name)
commonName_default = *.zhao138969.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@zhao138969.com
emailAddress_max = 64

• 创建ssl证书subjectAltName描述文件 SAN.ext
  • 哪些ip需要使用https访问，就需要添加对应ip地址

ubjectAltName = @alt_names
extendedKeyUsage = serverAuth
 
[alt_names]
DNS.1 = *.zhao138969.com
IP.1 = 10.130.47.202
IP.2 = 192.168.200.18

• 创建CA+SSL证书
  • 上面配置文件已经填写相关信息，执行下面命令直接回车确认即可

# 生成CA证书
openssl req -x509 -newkey rsa:4096 -out CA.cer -outform PEM -keyout CA.pvk -days 3650 -verbose -config CA.cnf -nodes -sha256
 
#生成证书请求文件
openssl req -newkey rsa:4096 -keyout server.pvk -out server.req -config server.cnf -sha256 -nodes
 
#生成证书
openssl x509 -req -CA CA.cer -CAkey CA.pvk -in server.req -out server.cer -days 3650 -extfile SAN.ext -sha256 -set_serial 0x1212

• 最终生成文件如下所示

[devops@db1 ssl_new]$ ls
CA.cer  CA.cnf  CA.pvk  SAN.ext  server.cer  server.cnf  server.pvk  server.req

• 在nginx配置文件配置上证书文件路径

    ssl_certificate /home/nginx/conf/crt/server.cer;
    ssl_certificate_key /home/nginx/conf/crt/server.pvk;

• 在到需要访问的pc机器上面导入CA.cer CA证书,需要导入受信任的根证书颁发机构

• 然后使用https ip的方式进行访问，访问前最好清理下浏览器缓存。