如何让openssl生成的SSL证书被浏览器认可（转）

参考文章：

解决https网站通过nginx+openssl自签名证书访问，在谷歌浏览器报不安全告警的问题

如何让openssl生成的SSL证书被浏览器认可

Windows 下使用 OpenSSL 命令行创建包含 subjectAltName 扩展项的数字证书

深入浅出 SSL/CA 证书及其相关证书文件（pem、crt、cer、key、csr）

1. 生成根证书

root_ca_gen.sh

#!/bin/bash

# 有效期
exper_time=3650
# 根证书私钥
ca_private="CA-private.key"
# 根证书
ca_certificate="CA-certificate.crt"
# 组织信息
ca_subinfo="/C=CN/ST=MyProvince/L=MyCity/O=MyOrganization"
# 长度
ca_length=2048
# 自签名证书私钥
ssl_private="private.key"

if [ -f $ca_private ] || [ -f $ca_certificate ]; then
    echo 'ca is alread exsist'
    exit 0
fi

# 1. 使用指定-subj "/C=CN/ST=MyProvince/L=MyCity/O=MyOrganization", 生成根证书私钥和根证书
# C=CN 中国
# ST=MyProvince 省份
# L=MyCity 城市
# O=MyOrganization 组织
# -keyout 根证书私钥
# -out 根证书
openssl req -x509 -nodes -days $exper_time -newkey rsa:$ca_length -subj $ca_subinfo -keyout $ca_private -out $ca_certificate -reqexts v3_req -extensions v3_ca

# 2. 生成自签名证书私钥 -out private.key
openssl genrsa -out $ssl_private $ca_length

2. 生成自签名ssl证书

child_ca_gen.sh

#!/bin/bash

host_ip=$1

if [ -z "$1" ]; then
    echo "usage: child_ca_gen.sh hostip"
    exit
fi

# 有效期
exper_time=3650
# 根证书私钥
ca_private="../CA-private.key"
# 根证书
ca_certificate="../CA-certificate.crt"
# 组织信息
ca_subinfo="/C=CN/ST=MyProvince/L=MyCity/O=MyOrganization"
# 长度
ca_length=2048
# 自签名证书私钥
ssl_private="../private.key"
# 自签名证书申请文件
ssl_csr="private.csr"
# 扩展参数
ssl_ext="private.ext"
# 自签名证书
ssl_crt="private.crt"

if [ ! -d $host_ip ]; then
    mkdir $host_ip
fi

cd $host_ip

# 1. 根据自签名证书私钥生成自签名证书申请文件 -out private.csr
openssl req -new -key $ssl_private -subj "${ca_subinfo}/CN=${host_ip}" -sha256 -out $ssl_csr

# 2. 定义自签名证书扩展文件(解决chrome安全告警)。在默认情况下生成的证书一旦选择信任，在 Edge, Firefox 等浏览器都显示为安全，但是Chrome仍然会标记为不安全并警告拦截，
# 这是因为 Chrome 需要证书支持扩展 Subject Alternative Name, 因此生成时需要特别指定 SAN 扩展并添加相关参数,将下述内容放到一个文件中,命名为private.ext
if [ -f $ssl_ext ]; then
    rm -rf $ssl_ext
fi

echo "[ req ]" >> $ssl_ext
echo "default_bits        = 1024" >> $ssl_ext
echo "distinguished_name  = req_distinguished_name" >> $ssl_ext
echo "req_extensions      = san" >> $ssl_ext
echo "extensions          = san" >> $ssl_ext
echo "[ req_distinguished_name ]" >> $ssl_ext
echo "countryName         = CN"
echo "stateOrProvinceName = Definesys" >> $ssl_ext
echo "localityName        = Definesys" >> $ssl_ext
echo "organizationName    = Definesys" >> $ssl_ext
echo "[SAN]" >> $ssl_ext
echo "authorityKeyIdentifier=keyid,issuer" >> $ssl_ext
echo "basicConstraints=CA:FALSE" >> $ssl_ext
echo "keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment" >> $ssl_ext
echo "subjectAltName = IP:${host_ip}" >> $ssl_ext

# 3. 根据根证书私钥及根证书-CA CA-certificate.crt -CAkey CA-private.key、自签名证书申请文件 -in private.csr、自签名证书扩展文件 -extfile private.ext,生成自签名证书 -out private.crt
openssl x509 -req -days $exper_time -in $ssl_csr -CA $ca_certificate -CAkey $ca_private -CAcreateserial -sha256 -out $ssl_crt -extfile $ssl_ext -extensions SAN

cp $ssl_private ./
cd -

3. 用法

./root_ca_gen.sh
./child_ca_gen.sh 192.168.0.104

4. Windows添加可信

install_ca.bat

pushd %~dp0
set pwd=%cd%
certutil -addstore root %pwd%\CA-certificate.crt
pause