制作CA根证书:vim gen_ca.sh 写入以下内容,然后使用 ./gen_ca.sh 生成根证书
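#!/bin/bash
# gen_ca.sh - create a self-signed root CA in the current directory.
#
# Outputs:
#   CA.key  4096-bit RSA CA private key, written unencrypted (-nodes).
#           Anyone who can read it can issue certificates that every client
#           trusting CA.crt will accept, so keep it off shared hosts.
#   CA.crt  self-signed CA certificate (365 days) to import into clients.
#
# NOTE(review): an existing CA.key / CA.crt is overwritten without asking,
# which invalidates every certificate issued from the old key.
# NOTE(review): localityName "M/A" is kept exactly as published; it looks
# like a typo for "N/A" - confirm before relying on the subject string.

# Abort on the first failing command instead of continuing with partial output.
set -euo pipefail

# Files created below (notably CA.key) are readable by the owner only.
# CA.crt is public material; relax its mode when distributing it.
umask 077

# Unpredictable temp name so an existing ./gen_ca.cnf is never clobbered;
# the trap removes it on every exit path, including openssl failures.
cnf=$(mktemp)
trap 'rm -f -- "$cnf"' EXIT

# basicConstraints is marked critical and keyUsage limits the key to signing
# certificates and CRLs, so the root cannot double as a server certificate.
cat > "$cnf" <<'EOF'
[req]
default_bits = 4096
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = CN
stateOrProvinceName = N/A
localityName = M/A
organizationName = Self-signed Cert
commonName = Self-signed Cert
[v3_req]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF

openssl req -x509 -nodes -days 365 -newkey rsa:4096 \
  -keyout CA.key -out CA.crt -config "$cnf"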
添加可执行权限
# Mark the script executable so it can be started as ./gen_ca.sh.
# "+x" adds execute for every class the umask allows; "u+x" is enough when
# only the owner runs it.
chmod +x gen_ca.sh
签发SAN为IP的证书(支持chrome)
vim gen_ip_cert.sh, 添加如下内容
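#!/bin/bash
# gen_ip_cert.sh - issue a certificate whose subjectAltName is an IP address,
# signed by the CA.crt / CA.key found in the current directory.
#
# Usage:   ./gen_ip_cert.sh <ip-address>
# Outputs: key.pem  4096-bit RSA private key (unencrypted, owner-only mode)
#          csr.pem  certificate signing request
#          cert.pem certificate valid for 365 days
#          plus the serial file that -CAcreateserial maintains.
# Exit:    2 on a missing or malformed address, non-zero if any step fails.

# Abort on the first failing command instead of signing with stale inputs.
set -euo pipefail

# Print a message on stderr and stop.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Succeed only for a dotted-quad IPv4 address or a string made solely of
# hex digits, ':' and '.' with at least two colons (IPv6 shape; openssl does
# the strict parsing). The value is written into an OpenSSL config file, so
# newlines, '[' or '=' must never get through: they would let the argument
# add extra SAN entries or whole config sections.
is_ip_address() {
  local addr=$1 octet
  if [[ $addr =~ ^([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})$ ]]; then
    for octet in "${BASH_REMATCH[@]:1}"; do
      # 10# forces base 10 so "08" is not read as invalid octal.
      (( 10#$octet <= 255 )) || return 1
    done
    return 0
  fi
  [[ $addr == *:*:* && $addr =~ ^[0-9A-Fa-f:.]+$ ]]
}

IP=${1:-}
if ! is_ip_address "$IP"; then
  printf 'Usage: %s <ip-address>\n' "${0##*/}" >&2
  exit 2
fi

# Fail before generating a key when the CA material is missing.
[[ -r CA.crt && -r CA.key ]] \
  || die "CA.crt and CA.key must be in the current directory (run ./gen_ca.sh first)"

# Unpredictable temp name for the extension file; removed on every exit path.
ext=$(mktemp)
trap 'rm -f -- "$ext"' EXIT

# NOTE(review): nonRepudiation and dataEncipherment are broader than a TLS
# server certificate needs; consider trimming keyUsage and adding
# "extendedKeyUsage = serverAuth" once no other use of the cert is planned.
cat > "$ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = $IP
EOF

# The private key is created under a restrictive umask; the subshell keeps
# the caller's umask in force for csr.pem and cert.pem.
(umask 077 && openssl genrsa -out key.pem 4096)
openssl req -new -key key.pem -out csr.pem -subj "/C=CN/ST=MyST"
openssl x509 -req -in csr.pem -CA CA.crt -CAkey CA.key -CAcreateserial \
  -out cert.pem -days 365 -sha256 -extfile "$ext"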
添加可执行权限
# Mark the script executable so it can be started as ./gen_ip_cert.sh.
# "+x" adds execute for every class the umask allows; "u+x" is enough when
# only the owner runs it.
chmod +x gen_ip_cert.sh
使用
使用命令 ./gen_ip_cert.sh 192.168.100.129 生成证书和私钥,分别是 cert.pem 和 key.pem;将这两个文件配置到 nginx 即可,参考下面配置。客户端(如 Chrome)需先导入并信任 CA.crt,该证书才会被视为有效。