SSL self-signed certificates

Generate the CA certificate

Create the directories

mkdir ca server

Create the private key

openssl genrsa -out ca/ca-key.pem 1024

Create the certificate request

openssl req -new -out ca/ca-req.csr -key ca/ca-key.pem
Country Name (2 letter code) []:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) []:ChengDu
Organization Name (eg, company) []:peakchao
Organizational Unit Name (eg, section) []:IT
Common Name (eg, fully qualified host name) []:rio.scdsjzx.cn
Email Address []:admin@peakchao.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:chaochao

Self-sign the certificate, valid for 10 years

openssl x509 -req -in ca/ca-req.csr -out ca/ca-cert.pem -signkey ca/ca-key.pem -days 3650

Generate the server certificate

Create the private key

openssl genrsa -out server/server-key.pem 1024

Create the certificate request

openssl req -new -out server/server-req.csr -key server/server-key.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) []:CN
State or Province Name (full name) []:SiChuan
Locality Name (eg, city) []:ChengDu
Organization Name (eg, company) []:peakchao
Organizational Unit Name (eg, section) []:IT
Common Name (eg, fully qualified host name) []:rio.scdsjzx.cn
Email Address []:admin@peakchao.com
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:chaochao

Sign the server certificate with our own CA certificate. Do not pass -signkey here: with -signkey openssl self-signs the request with the server key and the -CA/-CAkey options are not used.

openssl x509 -req -in server/server-req.csr -out server/server-cert.pem -CA ca/ca-cert.pem -CAkey ca/ca-key.pem -CAcreateserial -days 3650

After creating the server certificate, concatenate it with the CA certificate into the full certificate chain (server certificate first, CA certificate after it)

cat server/server-cert.pem ca/ca-cert.pem > server/full.pem

Final directory layout

peakchao@Mac-Pro ssl % tree
.
├── ca
│   ├── ca-cert.pem
│   ├── ca-cert.srl
│   ├── ca-key.pem
│   └── ca-req.csr
└── server
    ├── full.pem
    ├── server-cert.pem
    ├── server-key.pem
    └── server-req.csr

2 directories, 8 files

Configure in nginx

server {
    listen 80;
    listen 443 ssl;
    server_name YOUR_DOMAIN; # placeholder: must match the domain in the server certificate
    index index.html index.htm index.php;
    root YOUR_SITE_ROOT; # placeholder: the site's document root
    ssl_certificate server/full.pem;
    ssl_certificate_key server/server-key.pem;

    location / {
            default_type application/json;
            return 200 '{"errcode":0,"errmsg":"SUCCESS","data":[]}';
    }
}

Other: multi-domain (SAN) certificates from a config file

#Generate the CA key file
openssl genrsa -out ca.key 2048

#Generate the self-signed CA certificate from the config file.
#Use the v3_ca section for the CA: a CA issued with v3_req would carry basicConstraints CA:FALSE,
#and clients reject a chain whose issuer is not marked as a CA.
#The CA CN is kept different from the server CN so the server certificate's subject and issuer differ.
openssl req -x509 -new -nodes -key ca.key -sha256 -days 365 \
    -subj "/C=CN/ST=SiChuan/L=ChengDu/O=peakchao/OU=IT/CN=peakchao CA" \
    -config ./openssl.cnf -extensions v3_ca \
    -out ca.pem
#Inspect the generated certificate (run the same command on server.pem to confirm its SAN entries)
openssl x509 -text -in ca.pem -noout

#Generate the server certificate using the config file
#Generate the server key file
openssl genrsa -out server.key 2048
#Generate the signing request
openssl req -new -key ./server.key \
    -subj "/C=CN/ST=SiChuan/L=ChengDu/O=peakchao/OU=IT/CN=*.scdsjzx.cn" \
    -config ./openssl.cnf -extensions v3_req \
    -out server.csr
#Sign the server certificate with the CA certificate
openssl x509 -req -in ./server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -extfile ./openssl.cnf -extensions v3_req \
    -days 365 -sha256 -out server.pem

#Generate the client key file
openssl genrsa -out client.key 2048
#Generate the signing request (it must be built from client.key, not server.key)
openssl req -new -key ./client.key \
    -subj "/C=CN/ST=SiChuan/L=ChengDu/O=peakchao/OU=IT/CN=*.scdsjzx.cn" \
    -config ./openssl.cnf -extensions v3_req \
    -out client.csr
#Sign the client certificate with the CA certificate
openssl x509 -req -in ./client.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -extfile ./openssl.cnf -extensions v3_req \
    -days 365 -sha256 -out client.pem
#Print the old-style subject hash of the CA; trust stores that look CAs up by this hash
#expect the file to be named <hash>.0 (efbea7f8 is the hash printed for the CA in this post)
openssl x509 -subject_hash_old -in ca.pem
cp ca.pem efbea7f8.0

Config file openssl.cnf

[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = MN
localityName = Locality Name (eg, city)
localityName_default = Minneapolis
organizationalUnitName  = Organizational Unit Name (eg, section)
organizationalUnitName_default  = Domain Control Validated
commonName = Common Name (eg, fully qualified host name)
commonName_max  = 64

[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_ca ]
# Extensions for the self-signed CA certificate
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

#Add the alt_names section and list the domains and IPs you need (each DNS.n / IP.n key must be unique)
[alt_names]
DNS.1 = scdsjzx.cn
DNS.2 = rio.scdsjzx.cn
DNS.3 = *.scdsjzx.cn
#IP.1 = 127.0.0.1
#IP.2 = 2.0.12.10
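As an added example (not code from the original post), the script below covers the config-file workflow and the openssl.cnf section together: it builds a throwaway CA with a real CA extension section and a SAN server certificate, then checks the result the way a TLS client would, so you can confirm that the chain verifies, that the SAN covers the hostnames nginx will serve, and that the key you hand to nginx belongs to the certificate. It assumes only the openssl CLI; every name, path and DN in it is constructed.

```shell
#!/bin/sh
# Added example, not the post's own commands. Builds a throwaway CA and a SAN
# server certificate from a constructed openssl.cnf and verifies them. Needs openssl.
set -eu

write_cnf() {  # constructed config: a proper CA section plus a SAN server section
  cat > "$1" <<'EOF'
[req]
distinguished_name = req_dn
[req_dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_server]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = scdsjzx.cn
DNS.2 = *.scdsjzx.cn
EOF
}

# Creates ca.pem, server.pem and full.pem (leaf first, then CA) under directory $1.
build_chain() {
  write_cnf "$1/openssl.cnf"
  openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$1/ca.key" -sha256 -days 365 -subj "/CN=constructed test CA" \
    -config "$1/openssl.cnf" -extensions v3_ca -out "$1/ca.pem" 2>/dev/null
  openssl genrsa -out "$1/server.key" 2048 2>/dev/null
  openssl req -new -key "$1/server.key" -subj "/CN=rio.scdsjzx.cn" \
    -config "$1/openssl.cnf" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/openssl.cnf" -extensions v3_server \
    -days 365 -sha256 -out "$1/server.pem" 2>/dev/null
  cat "$1/server.pem" "$1/ca.pem" > "$1/full.pem"
}

# Returns 0 only if server.pem chains to ca.pem and its SAN covers hostname $2.
verify_host() {
  openssl verify -CAfile "$1/ca.pem" -verify_hostname "$2" "$1/server.pem" >/dev/null 2>&1
}

# Returns 0 only if server.key is the private key for server.pem (same public key).
key_matches_cert() {
  [ "$(openssl x509 -in "$1/server.pem" -pubkey -noout)" = "$(openssl pkey -in "$1/server.key" -pubout)" ]
}
```

Run `build_chain` on an empty directory and then `verify_host` with each hostname from your nginx server_name; a CA signed with a CA:FALSE section, or a SAN that misses a name, makes `verify_host` fail before you ever reload nginx.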