Self-built CA + HTTPS
- Create a rootSSL certificate
- Use rootSSL to sign the domain certificates you need
File extensions
| Format | Description |
|---|---|
| .crt .cer | Certificate |
| .key | Key / private key |
| .csr | Certificate signing request |
| .pem | Base64-encoded text container; can hold a certificate or a key alone, or both together |
1. Create rootSSL
All later certificates will be certified by this self-built root authority.
```sh
openssl genrsa -out rootSSL.key 2048
openssl req -x509 -new -nodes -key rootSSL.key -sha256 -days 1024 -out rootSSL.pem
```
2. Import the rootSSL authority into the system (Windows as the example)
- Win + R, run MMC
- File -> Add/Remove Snap-in...
- Certificates and Add
- Computer Account and Next
- Local Computer and Finish
- OK to go back to the MMC window
- Trusted Root Certification Authorities, then right-click to import
- Select rootSSL.pem, then Next
- The certificate list now shows the entry corresponding to rootSSL
3. Create a certificate for the domain
- Create a private key and CSR for local.com:
```sh
openssl req -new -nodes -out local.com.csr -newkey rsa:2048 -keyout local.com.key
```
- Create the extension file local.com.ext (the name passed to -extfile below) and fill in the following:
```
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = dev.local.com
DNS.2 = *.local.com
```
- Create and sign the local.com certificate:
```sh
openssl x509 -req -in local.com.csr -CA rootSSL.pem -CAkey rootSSL.key -CAcreateserial -out local.com.crt -days 1024 -sha256 -extfile local.com.ext
```
- Create a PFX for IIS (a password must be entered):
```sh
winpty openssl pkcs12 -inkey local.com.key -in local.com.crt -export -out local.com.pfx
```
- As in the steps above, import local.com.pfx via MMC
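The steps of sections 1 and 3 as one non-interactive script, added here as an example and not part of the original post: it runs in a scratch directory and then verifies that the leaf certificate chains to rootSSL, is not a CA, and carries the SAN names. The -subj values and the scratch directory are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Filenames follow the post;
# the -subj values and the scratch directory WORK are assumptions.
set -eu

WORK="${1:-$(mktemp -d)}"   # scratch directory (assumed)

# Section 1: root CA key + self-signed CA certificate.
make_root_ca() {
  openssl genrsa -out "$WORK/rootSSL.key" 2048 2>/dev/null
  openssl req -x509 -new -nodes -key "$WORK/rootSSL.key" -sha256 -days 1024 \
    -subj "/CN=rootSSL local CA" -out "$WORK/rootSSL.pem" 2>/dev/null
}

# Section 3: leaf key + CSR, the extension file, and signing by the root.
make_leaf_cert() {
  openssl req -new -nodes -newkey rsa:2048 -keyout "$WORK/local.com.key" \
    -subj "/CN=local.com" -out "$WORK/local.com.csr" 2>/dev/null
  cat > "$WORK/local.com.ext" <<'EOF'
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1 = dev.local.com
DNS.2 = *.local.com
EOF
  openssl x509 -req -in "$WORK/local.com.csr" -CA "$WORK/rootSSL.pem" \
    -CAkey "$WORK/rootSSL.key" -CAcreateserial -out "$WORK/local.com.crt" \
    -days 1024 -sha256 -extfile "$WORK/local.com.ext" 2>/dev/null
}

# Checks worth running before installing anything: the leaf chains to the
# root, is not itself a CA, and has the SAN entries browsers match against.
verify_leaf_cert() {
  openssl verify -CAfile "$WORK/rootSSL.pem" "$WORK/local.com.crt" >/dev/null 2>&1 || return 1
  text=$(openssl x509 -in "$WORK/local.com.crt" -noout -text)
  echo "$text" | grep -q 'CA:FALSE' || return 1
  echo "$text" | grep -q 'DNS:dev.local.com' || return 1
  echo "$text" | grep -q 'DNS:\*.local.com' || return 1
}

make_root_ca && make_leaf_cert && verify_leaf_cert && echo "chain OK: $WORK/local.com.crt"
```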
4. Add the SSL certificate to nginx
```nginx
listen 443 ssl;
server_name dev.local.com;
ssl_certificate local.com.crt;
ssl_certificate_key local.com.key;
```
5. Add the domain to the hosts file
```
127.0.0.1 dev.local.com
```