环境介绍
CentOS 7
openssl
编写脚本
vim ca.sh
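#!/bin/bash
# ca.sh — create a private root CA and a CA-signed wildcard TLS server
# certificate with OpenSSL. Everything is written to the current directory:
#   CA_private.key / CA_certificate.crt      the CA key pair
#   private.key / private.csr / private.crt  the server key, CSR and certificate
#   private.ext                              the x509v3 extension file used for signing
#
# CA_certificate.crt is what clients import as a trusted root; CA_private.key
# is written unencrypted (-nodes) and must never be copied to the web server.
#
# Tunables (environment variables; the defaults reproduce the original script):
#   DOMAIN     base domain for the SANs *.DOMAIN and *.my.DOMAIN   (web.com)
#   CA_DAYS    CA certificate validity in days                     (3650)
#   CERT_DAYS  server certificate validity in days                 (3650)
#   KEY_BITS   RSA key size for both keys                          (2048)
#   CA_SUBJ    CA subject DN
#   CERT_SUBJ  server subject DN; its CN should be one of the SANs
#
# Usage: DOMAIN=example.com ./ca.sh   (no pipelines, so plain `sh ca.sh` works too)
set -eu

domain=${DOMAIN:-web.com}
ca_days=${CA_DAYS:-3650}
cert_days=${CERT_DAYS:-3650}
key_bits=${KEY_BITS:-2048}
ca_subj=${CA_SUBJ:-/C=CN/ST=BJ/L=BJ/O=SADC/OU=IT/CN=CSU}
cert_subj=${CERT_SUBJ:-/C=CN/ST=BJ/L=BJ/O=SADC/OU=IT/CN=*.my.${domain}}
readonly domain ca_days cert_days key_bits ca_subj cert_subj

# Both private keys are unencrypted; do not let the usual umask 022 create
# them world-readable. Certificates are made readable again at the end.
umask 077

# 1. Self-signed root CA: key and certificate in one step (v3_ca gives CA:TRUE).
openssl req -x509 -nodes -days "$ca_days" -newkey "rsa:${key_bits}" \
  -subj "$ca_subj" -keyout CA_private.key -out CA_certificate.crt \
  -reqexts v3_req -extensions v3_ca

# 2. Server key and certificate signing request.
openssl genrsa -out private.key "$key_bits"
openssl req -new -key private.key -subj "$cert_subj" -sha256 -out private.csr

# 3. Extension file. The signing step below only reads [ san ] and
# [ alt_names ]; the [ req ] sections are kept so the file can also be passed
# as -config to `openssl req`. ("countryName" was misspelled "contryName".)
cat <<EOF > private.ext
[ req ]
default_bits = ${key_bits}
distinguished_name = req_distinguished_name
req_extensions = san
extensions = san
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = bj
localityName = bj
organizationName = bj
[ san ]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
subjectKeyIdentifier = hash
[ alt_names ]
DNS.1 = *.${domain}
DNS.2 = *.my.${domain}
EOF

# 4. Sign the CSR with the CA. Browsers match the SAN entries, not the CN, so
# the certificate is only valid for names under ${domain}. Some clients reject
# server certificates with a very long validity even when the CA is trusted;
# lower CERT_DAYS if the certificate is refused after importing the CA.
openssl x509 -req -days "$cert_days" -in private.csr \
  -CA CA_certificate.crt -CAkey CA_private.key -CAcreateserial \
  -sha256 -out private.crt -extfile private.ext -extensions san

# Certificates are public; only the keys (and the serial/CSR files) stay 0600.
chmod 644 CA_certificate.crt private.crt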
注意
修改上面的域名为自己的域名。
使用方式:
chmod +x ca.sh && sh ca.sh
查看生成结果:
nginx 配置
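# TLS settings for the certificate produced by ca.sh.
# "ssl on;" was deprecated in nginx 1.15.0 and later removed; on current nginx
# drop this line and use "listen 443 ssl;" on the server block instead.
ssl on;
ssl_certificate /usr/local/ssl/private.crt;
# The key file must be readable only by the nginx master process (mode 0600,
# owned by root); never place CA_private.key on the web server.
ssl_certificate_key /usr/local/ssl/private.key;
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 5m;
# Fixed from "!aNUKK" (typo). In practice OpenSSL skips unrecognised names in a
# cipher string, so the exclusion silently did nothing and anonymous (aNULL)
# suites from HIGH stayed enabled, i.e. TLS without server authentication.
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); unless legacy clients are
# required, keep only TLSv1.2 (plus TLSv1.3 if the nginx/OpenSSL build has it).
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;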
下载并安装证书
下载 CA_certificate.crt 证书并安装到电脑中。
再次访问自己的域名，“网站不安全”的提醒消失。