HTTPS 自签名证书
创建rootCA证书
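# Create the working directory and a passphrase-protected root CA in it.
# `mkdir -p` makes this re-runnable; the `|| exit 1` stops the paste from
# generating keys in the wrong directory if the cd fails.
mkdir -p ~/mycert && cd ~/mycert || exit 1
# Refuse to silently replace a CA that may already be imported into browsers.
if [[ -e rootCA.key ]]; then
  printf 'rootCA.key already exists in %s, refusing to overwrite\n' "$PWD" >&2
  exit 1
fi
# -des3 encrypts the CA private key; openssl prompts for the passphrase here
# and again each time the key is used to sign a certificate.
openssl genrsa -des3 -out rootCA.key 2048
# Self-signed CA certificate (subject fields are prompted interactively).
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem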
配置v3.ext
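# Extension file for the server certificate: a non-CA leaf bound to the
# issuing CA, with the names browsers match on in subjectAltName.
# extendedKeyUsage=serverAuth is added because some clients require it on a
# TLS server certificate; this also matches the one-shot script below.
# Quoted delimiter: nothing in this file needs shell expansion.
cat >v3.ext <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = test.com
DNS.2 = *.test.com
EOF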
签名
# Generate the server key and a CSR for it (subject fields are prompted
# interactively; -nodes leaves the server key unencrypted).
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -keyout mydomain.key \
  -out server.csr
# Sign the CSR with the root CA, applying the SAN/keyUsage extensions from
# v3.ext; the CA key passphrase is prompted. NOTE(review): 36500 days is far
# longer than some clients accept for a leaf certificate — lower it if a
# browser rejects the certificate for its validity period.
openssl x509 -req -sha256 -days 36500 \
  -extfile v3.ext \
  -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
  -in server.csr \
  -out mydomain.crt
nginx 配置文件
# cat https.conf
# HTTPS vhost for test.com, serving the certificate issued by the local CA.
server {
    # NOTE(review): newer nginx releases deprecate `http2` on `listen` in
    # favour of a separate `http2 on;` directive — confirm against the image.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name test.com;
    # Leaf certificate and its private key, at the paths mounted into the
    # container by the docker run command below.
    ssl_certificate /root/mycert/mydomain.crt;
    ssl_certificate_key /root/mycert/mydomain.key;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    error_page 500 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
启动 nginx 容器
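# Run nginx with only the files it needs, mounted read-only: the leaf
# certificate, its key and the vhost config. Mounting the whole /root/mycert
# directory would also expose the CA private key (rootCA.key) to the container.
docker run -it --rm \
  -v /root/mycert/mydomain.crt:/root/mycert/mydomain.crt:ro \
  -v /root/mycert/mydomain.key:/root/mycert/mydomain.key:ro \
  -v /root/mycert/https.conf:/etc/nginx/conf.d/https.conf:ro \
  -p 80:80 -p 443:443 \
  --name nginx nginx:alpine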
导入证书
- 将rootCA.pem文件更名为rootCA.crt
- 双击安装证书,导入证书到受信任根证书颁发机构
- 重启浏览器
一键生成脚本
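#!/bin/bash
# One-shot generation of a private root CA and a wildcard server certificate
# signed by it. Usage: script [CA_NAME] [DOMAIN]; with no arguments the
# original defaults (stacs.cn / xwjh.pro) are used.
set -euo pipefail

#######################################
# Create the CA key/cert (unless they already exist) and issue a leaf cert.
# Arguments:
#   $1 - CA common name, also the basename of the CA files (default stacs.cn)
#   $2 - domain to certify; SANs are DOMAIN and *.DOMAIN (default xwjh.pro)
# Outputs:   <ca>.key <ca>.crt <ca>.srl <domain>.key <domain>.csr <domain>.crt
#            and v3.ext, all in the current directory
# Returns:   non-zero if any openssl step fails (set -e)
#######################################
main() {
  local ca=${1:-stacs.cn}
  local domain_name=${2:-xwjh.pro}

  # Reuse an existing CA: regenerating it on every run would invalidate every
  # root already imported into browsers and every certificate issued so far.
  if [[ -f "${ca}.key" && -f "${ca}.crt" ]]; then
    printf 'reusing existing CA %s.key / %s.crt\n' "$ca" "$ca" >&2
  else
    openssl genrsa -out "${ca}.key" 4096
    openssl req -x509 -new -nodes -sha512 -days 36500 \
      -subj "/C=CN/ST=SiChuan/L=Chengdu/O=${ca}/OU=ops/CN=${ca}" \
      -key "${ca}.key" \
      -out "${ca}.crt"
  fi
  # Private keys are unencrypted (-nodes); keep them owner-readable only.
  chmod 600 "${ca}.key"

  openssl genrsa -out "${domain_name}.key" 4096
  chmod 600 "${domain_name}.key"
  openssl req -sha512 -new \
    -subj "/C=CN/ST=Beijing/L=Beijing/O=${domain_name}/OU=ops/CN=${domain_name}" \
    -key "${domain_name}.key" \
    -out "${domain_name}.csr"

  # Leaf extensions: non-CA, bound to the issuer, SAN for DOMAIN and *.DOMAIN;
  # serverAuth EKU is required by some clients for TLS server certificates.
  cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1=${domain_name}
DNS.2=*.${domain_name}
EOF

  # NOTE(review): 3650 days is longer than some clients accept for a leaf
  # certificate; lower it if a browser rejects it for its validity period.
  openssl x509 -req -sha512 -days 3650 \
    -extfile v3.ext \
    -CA "${ca}.crt" -CAkey "${ca}.key" -CAcreateserial \
    -in "${domain_name}.csr" \
    -out "${domain_name}.crt"
}

main "$@"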