Generating a self-signed certificate with openssl
11 December 2024
Use openssl to generate a self-signed trusted certificate and configure nginx with SSL/TLS support.
Generating the CA certificate
Generate the private key for the CA certificate:
openssl genrsa -out ca.key 2048
Configure the CA certificate request: create and edit the config file (vim csr.conf) and add the following:
[req]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[dn]
C = CN
ST = SH
L = ShangHai
O = IT
OU = IT
CN = Wodedata
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = wodedata.com
DNS.2 = *.wodedata.com
DNS.3 = markdev.work
DNS.4 = *.markdev.work
DNS.5 = test.com
DNS.6 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
Issue the CA certificate request, producing a CSR file (CSR is short for Certificate Signing Request):
openssl req -new -sha256 -key ca.key -config csr.conf -out ca.csr
Generate the CA root certificate. CA stands for Certificate Authority; the result is the CA root certificate (Certificate Authority Root Certificate):
openssl x509 -req -sha256 -days 9125 -in ca.csr -signkey ca.key -out ca.crt
Generating the server certificate
Generate the server certificate key:
openssl genrsa -out server.key 2048
Reuse csr.conf to generate the server certificate request file:
openssl req -new -sha256 -key server.key -config csr.conf -out server.csr
Configure the extensions for signing the server certificate: create and edit the file (vim server.ext) and add the following:
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = wodedata.com
DNS.2 = *.wodedata.com
DNS.3 = markdev.work
DNS.4 = *.markdev.work
DNS.5 = test.com
DNS.6 = localhost
IP.1 = 127.0.0.1
IP.2 = ::1
Generate the server certificate, signed by the CA:
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -days 9125 -sha256 -extfile server.ext -out server.crt
Concatenate the contents of server.crt and server.key into server.pem:
cat server.crt server.key > server.pem
Configuring the SSL certificate in nginx
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name $http_host;
    # ssl
    ssl_certificate /etc/nginx/ssl/self.sign.cert/server.crt;
    ssl_certificate_key /etc/nginx/ssl/self.sign.cert/server.key;
    ......
References:
How to generate and add a self-signed trusted certificate
mkcert: A simple zero-config tool to make locally trusted development certificates
linux-network Socat tutorial - TLS configuration: steps for generating and issuing certificates with OpenSSL
