准备目录
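# Create the working directory and enter it. Chaining with && means a failed
# mkdir does not leave the later steps writing server.key into whatever
# directory the shell happens to be in.
mkdir -p /home/wanmagroup/rte/nginx/createSSL &&
  cd /home/wanmagroup/rte/nginx/createSSL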
生成 OpenSSL 配置文件
创建文件 openssl-ip.cnf(touch openssl-ip.cnf),然后编辑:
# Open the config file in an editor and enter the content shown below.
vi openssl-ip.cnf
内容:
# Request template for a certificate whose identity is the IP address
# 10.9.4.65 (set both as CN and as an IP-type subjectAltName).
[ req ]
default_bits = 2048
# prompt = no: take the subject from [ dn ] instead of asking interactively.
prompt = no
# Digest used by `openssl req` when it signs the CSR.
default_md = sha256
distinguished_name = dn
# Extensions placed in the CSR; the same section is reused via -extfile when
# the certificate is signed.
req_extensions = req_ext
[ dn ]
C = CN
ST = Internal
L = Internal
O = WanmaGroup
OU = IT
# NOTE(review): current TLS clients match the address against subjectAltName,
# not CN, so the [ alt_names ] entry below is the one that matters.
CN = 10.9.4.65
# NOTE(review): only subjectAltName is requested; no keyUsage or
# extendedKeyUsage is set. Some client platforms expect
# extendedKeyUsage = serverAuth on TLS server certificates. Confirm against
# the clients that will trust this certificate.
[ req_ext ]
subjectAltName = @alt_names
[ alt_names ]
# IP-type SAN entry; it must equal the address clients connect to.
IP.1 = 10.9.4.65
生成私钥
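# Generate the 2048-bit RSA private key. The subshell narrows the umask for
# this one command so a newly created server.key is readable by its owner
# only; chmod then pins the mode in case the file already existed with looser
# permissions. The owner must be the account that starts nginx.
(umask 077 && openssl genrsa -out server.key 2048)
chmod 600 server.key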
生成 CSR
# Build the CSR from server.key. Subject and requested extensions come from
# openssl-ip.cnf (prompt = no there, so nothing is asked interactively).
openssl req -new -config openssl-ip.cnf -key server.key -out server.csr
生成自签名证书(有效期 825 天;该证书不由任何 CA 签发,客户端需显式导入 server.crt 才会信任)
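# Self-sign the CSR with the same key (-signkey), valid for 825 days.
# -extfile/-extensions re-apply the [ req_ext ] section so the IP
# subjectAltName ends up in the certificate; `x509 -req` does not copy
# extensions from the CSR by default.
# -sha256 names the signature digest explicitly: default_md in openssl-ip.cnf
# sits in the [ req ] section used by `openssl req`, so without the flag the
# digest would be whatever the installed OpenSSL defaults to.
openssl x509 -req \
  -sha256 \
  -in server.csr \
  -signkey server.key \
  -out server.crt \
  -days 825 \
  -extensions req_ext \
  -extfile openssl-ip.cnf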
验证证书是否真的包含 IP
# Dump the certificate as text and show the SAN extension plus the two lines
# after it; the output should list "IP Address:10.9.4.65". If nothing is
# printed, the extension was not written into the certificate.
openssl x509 -noout -text -in server.crt \
  | grep -A2 'Subject Alternative Name'
Nginx 使用该证书
# Place these directives in the HTTPS server block.
# server.crt is public and can be handed to clients for import.
ssl_certificate /home/wanmagroup/rte/nginx/createSSL/server.crt;
# server.key is the private key: keep it readable only by the account that
# starts nginx, and keep it out of backups or repositories that others can read.
ssl_certificate_key /home/wanmagroup/rte/nginx/createSSL/server.key;