1.生成私钥
bash
# 这里自己根据域名调整
openssl genrsa -out example.com.key 20482.创建证书签名请求 (CSR)
bash
# 根据域名跳转
openssl req -new -key example.com.key -out example.com.csr3.填写信息
Country Name (C): CN
State or Province Name (ST): Zhejiang
Locality Name (L): Hangzhou
Organization Name (O): example
Organizational Unit Name (OU): Dev
Common Name (CN): *.example.com
4.生成配置文件添加 SAN(非常关键)
创建一个文件:example.com.ext
bash
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = *.example.com
DNS.2 = example.com5.生成自签名证书
bash
openssl x509 -req -in example.com.csr -signkey example.com.key -out example.com.crt -days 3650 -extfile example.com.ext有效期10年(3650天)
🔹 得到两个文件:
-
example.com.crt(证书) -
example.com.key(私钥)