自签证书（IP/域名）

生成根证书

自签证书只能本地使用，需要在计算机设置中将生成的根证书设置信任（Firefox 浏览器需要额外在浏览器导入证书文件设置信任）。
使用如下的脚本 touch gen_rootCA.sh 生成 rootCA.crt，rootCA.key，将 rootCA.crt 下载到本机，配置为永久信任。

#!/bin/sh

echo "[req]
default_bits  = 2048
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
countryName = CN
stateOrProvinceName = Sichuan
localityName = Chengdu
organizationName = Self-signed cert
commonName = Bobcat

[v3_req]
basicConstraints = CA:TRUE
" > root.cnf

openssl req -x509 -nodes -days 28518 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt -config root.cnf

rm root.cnf

#!/bin/sh

echo "[req]

default_bits = 2048

distinguished_name = req_distinguished_name

x509_extensions = v3_req

prompt = no

[req_distinguished_name]

countryName = CN

stateOrProvinceName = Sichuan

localityName = Chengdu

organizationName = Self-signed cert

commonName = Bobcat

[v3_req]

basicConstraints = CA:TRUE

" > root.cnf

openssl req -x509 -nodes -days 28518 -newkey rsa:2048 -keyout rootCA.key -out rootCA.crt -config root.cnf

rm root.cnf

生成 IP 证书

使用下面的脚本 touch gen_ipcert.sh，在ip文件夹中的 cert.pem，key.pem 就是生成的 IP 证书

#!/bin/sh

IP=*.*.*.*

echo "
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
IP.1 = $IP
" > ipcert.cnf

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem -subj "/C=CN/ST=Sichuan/L=Chengdu/O=Bobcat/CN=$IP"
openssl x509 -req -in csr.pem -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out cert.pem -days 300 -sha256 -extfile ipcert.cnf

rm ipcert.cnf
rm csr.pem
rm rootCA.srl
mkdir $IP;
mv key.pem $IP/
mv cert.pem $IP/

#!/bin/sh

IP=*.*.*.*

echo "

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

subjectAltName = @alt_names

[alt_names]

IP.1 = $IP

" > ipcert.cnf

openssl genrsa -out key.pem 2048

openssl req -new -key key.pem -out csr.pem -subj "/C=CN/ST=Sichuan/L=Chengdu/O=Bobcat/CN=$IP"

openssl x509 -req -in csr.pem -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out cert.pem -days 300 -sha256 -extfile ipcert.cnf

rm ipcert.cnf

rm csr.pem

rm rootCA.srl

mkdir $IP;

mv key.pem $IP/

mv cert.pem $IP/

-subj参数 /type0=value0/type1=value1/type2=… 形式

生成域名证书

使用下面的脚本 touch gen_domain.sh，在domain 文件夹中的 cert.pem，key.pem 就是生成的域名证书

#!/bin/sh

DOMAIN=wq.shop

echo "
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 = *.$DOMAIN
" > $DOMAIN.cnf

openssl genrsa -out key.pem 2048
openssl req -new -key key.pem -out csr.pem -subj "/C=CN/ST=Sichuan/L=Chengdu/O=Bobcat/CN=$DOMAIN"
openssl x509 -req -in csr.pem -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out cert.pem -days 300 -sha256 -extfile $DOMAIN.cnf

rm $DOMAIN.cnf
rm csr.pem
rm rootCA.srl
mkdir $DOMAIN
mv key.pem $DOMAIN/
mv cert.pem $DOMAIN/
mv $DOMAIN/ ..

#!/bin/sh

DOMAIN=wq.shop

echo "

authorityKeyIdentifier=keyid,issuer

basicConstraints=CA:FALSE

keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment

subjectAltName = @alt_names

[alt_names]

DNS.1 = *.$DOMAIN

" > $DOMAIN.cnf

openssl genrsa -out key.pem 2048

openssl req -new -key key.pem -out csr.pem -subj "/C=CN/ST=Sichuan/L=Chengdu/O=Bobcat/CN=$DOMAIN"

openssl x509 -req -in csr.pem -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out cert.pem -days 300 -sha256 -extfile $DOMAIN.cnf

rm $DOMAIN.cnf

rm csr.pem

rm rootCA.srl

mkdir $DOMAIN

mv key.pem $DOMAIN/

mv cert.pem $DOMAIN/

mv $DOMAIN/ ..

本着互联网开源、开放的精神和宗旨，本站所有内容可以随便传播。如需转载或分享无需说明来源。

有任何疑问或烦恼，欢迎评论区讨论。

998

NginxSSL

搜索

分类

色彩模式

自签证书（IP/域名）

相关推荐

快捷导航

暂无回复数据

发表回复取消回复

相关推荐

PHP 环境 Nginx 配置 PHP-FPM

使用acme.sh自动化部署 SSL 证书，配置HTTPS

Nginx配置访问密码

快捷导航

暂无回复数据

发表回复 取消回复

发表回复取消回复