
https 自签名证书

创建rootCA证书

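# Work inside ~/mycert. Chain the steps and bail out if the directory cannot be
# entered, so key material is never written to whatever the previous cwd was.
cd ~ && mkdir -p mycert && cd mycert || exit 1
# -des3 keeps the CA private key passphrase-protected on disk (openssl prompts).
openssl genrsa -des3 -out rootCA.key 2048
# Self-signed root certificate, valid 1024 days; the passphrase is needed again.
openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem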

配置v3.ext

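# Leaf-certificate extensions: not a CA, TLS-server usage, and SAN entries for
# the domain and its wildcard (browsers match SAN, not CN). extendedKeyUsage is
# required by Apple clients and matches the one-shot script later on this page.
# Quoted delimiter: nothing in the file should be shell-expanded.
cat >v3.ext<<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = test.com
DNS.2 = *.test.com
EOF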

签名

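# Server key + CSR; without -subj openssl prompts for the DN fields interactively.
openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout mydomain.key
# Sign with the root CA. Leaf validity is capped at 825 days: Apple clients
# (Safari/iOS) refuse TLS server certificates valid for longer, regardless of
# which CA issued them, so the original 36500-day cert would be rejected.
openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial \
  -out mydomain.crt -days 825 -sha256 -extfile v3.ext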

nginx 配置文件

# cat https.conf
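server {
    # HTTPS only; port 80 is not served by this file.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name  test.com;

    # Leaf cert/key signed by the local rootCA; paths must match the bind mount
    # used when starting the container.
    ssl_certificate /root/mycert/mydomain.crt;
    ssl_certificate_key /root/mycert/mydomain.key;
    # Older nginx builds still enable TLSv1/TLSv1.1 by default; pin modern versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        root   /usr/share/nginx/html;
        index  index.html index.htm;
    }

    error_page   500 502 503 504  /50x.html;
    location = /50x.html {
        root   /usr/share/nginx/html;
    }

}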

启动 nginx 容器

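# Mount only the leaf cert/key the server needs, read-only. rootCA.key also lives
# in /root/mycert and must not be exposed to the container. The target paths are
# kept so https.conf's ssl_certificate* directives resolve unchanged.
docker run -it --rm \
  -v /root/mycert/mydomain.crt:/root/mycert/mydomain.crt:ro \
  -v /root/mycert/mydomain.key:/root/mycert/mydomain.key:ro \
  -v /root/mycert/https.conf:/etc/nginx/conf.d/https.conf:ro \
  -p 80:80 -p 443:443 \
  --name nginx nginx:alpine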

导入证书

  1. 将rootCA.pem文件更名为rootCA.crt
  2. 双击安装证书,导入证书到受信任根证书颁发机构
  3. 重启浏览器

一键生成脚本

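#!/bin/bash
# One-shot generator: a self-signed root CA plus a server certificate for
# ${domain_name} and its wildcard, signed by that CA. All output files are
# written to the current directory.
set -euo pipefail

ca=stacs.cn
domain_name=xwjh.pro

# Private keys must not be readable by other users; the mode openssl writes
# depends on the umask, so restrict it before any key is created.
umask 077

# Root CA key and self-signed certificate. A long-lived root is fine; browser
# validity limits apply to the leaf certificate below.
openssl genrsa -out "${ca}.key" 4096
openssl req -x509 -new -nodes -sha512 -days 36500 \
  -subj "/C=CN/ST=SiChuan/L=Chengdu/O=${ca}/OU=ops/CN=${ca}" \
  -key "${ca}.key" \
  -out "${ca}.crt"

# Server key and CSR.
openssl genrsa -out "${domain_name}.key" 4096
openssl req -sha512 -new \
  -subj "/C=CN/ST=Beijing/L=Beijing/O=${domain_name}/OU=ops/CN=${domain_name}" \
  -key "${domain_name}.key" \
  -out "${domain_name}.csr"

# Leaf extensions: not a CA, server-auth only, SAN for the domain and its
# wildcard (browsers match SAN, not CN). The heredoc intentionally expands
# ${domain_name}.
cat > v3.ext <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1=${domain_name}
DNS.2=*.${domain_name}
EOF

# Sign the CSR with the CA. 825 days is the longest validity Apple clients
# accept for a TLS server certificate; the previous 3650-day cert would be
# rejected by Safari/iOS even with the root installed.
openssl x509 -req -sha512 -days 825 \
  -extfile v3.ext \
  -CA "${ca}.crt" -CAkey "${ca}.key" -CAcreateserial \
  -in "${domain_name}.csr" \
  -out "${domain_name}.crt"

# Certificates are public; relax their mode now that the keys are protected.
chmod 644 "${ca}.crt" "${domain_name}.crt"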