生成基于 IP 地址的 https 证书
# 1、手动生成
# 1.1. 生成私钥
openssl genrsa -out ca.key 2048
1
# 1.2. 通过私钥创建公钥
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
1
# 1.3. 创建 openssl.cnf 配置文件,只修改 alt_names 即可
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = NYC
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = xxx
commonName = xxx
commonName_max = 64
[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = 192.168.1.14
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# 1.4. v3.ext 文件,只需要 alt_names 与上面的一致即可
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
IP.1 = 192.168.1.14
1
2
3
4
5
6
2
3
4
5
6
# 1.5. 服务器证书私钥
openssl genrsa -out server.key 2048
1
# 1.6. 服务器证书公钥
openssl req -new -days 3650 -key server.key -out server.csr -config openssl.cnf
1
# 1.7. 用自己的 CA 给自己的服务器公钥签名
openssl x509 -days 3650 -req -sha256 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
1
# 2、脚本生成
参考如下项目:ip_https_cert (opens new window)
# 参考脚本
上面手动生成的步骤已经提取到脚本中了如下:
#! /bin/bash
echo "请输入服务器IP地址"
read ip
echo "请输入证书年限"
read year
year=$(expr $year + 0)
days=$(expr $year \* 365)
# echo $days
# 生成私钥
openssl genrsa -out ca.key 2048
# 生成公钥 your.com 只是证书颁发人随便自定义
openssl req -new -x509 -days $days -key ca.key -out ca.crt -subj "//C=CN/C=CN/ST=BJ/L=SJS/O=GuFei/OU=dev/CN=your.com"
# 创建 openssl.cnf 配置文件
cat << EOF > openssl.cnf
[req]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[req_distinguished_name]
countryName = Country Name (2 letter code)
countryName_default = US
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = NY
localityName = Locality Name (eg, city)
localityName_default = NYC
organizationalName = Organizational Name (eg, section)
organizationalName_default = gufei
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = dev
commonName = Common Name (eg, your name or your server's hostname)
commonName_max = 64
[v3_req]
# Extensions to add to a certificate request
basicConstraints = CA:TRUE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[alt_names]
IP.1 = $ip
EOF
# 创建v3.ext文件
cat << EOF > v3.ext
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage=digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName=@alt_names
[alt_names]
IP.1 = $ip
EOF
# 服务器证书私钥
openssl genrsa -out server.key 2048
# 服务器证书公钥 your.com 只是证书颁发人随便自定义
openssl req -new -days $days -key server.key -out server.csr -config openssl.cnf -subj //C=CN/C=CN/ST=BJ/L=SJS/O=GuFei/OU=dev/CN=your.com
# 用自己的 CA 给自己的服务器公钥签名
openssl x509 -days $days -req -sha256 -extfile v3.ext -CA ca.crt -CAkey ca.key -CAcreateserial -in server.csr -out server.crt
# 删除无需的文件
rm {ca.key,ca.srl,server.csr,openssl.cnf,v3.ext}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
生成证书文件如下:
# nginx配置
server {
listen 443 ssl;
server_name 192.168.10.1;
ssl_certificate cert/server.crt; # 证书文件路径
ssl_certificate_key cert/server.key; # 私钥文件路径
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 10m;
ssl_ciphers HIGH:!aNULL:!MD5;
ssl_prefer_server_ciphers on;
add_header Access-Control-Allow-Origin *;
location /xxx/ {
proxy_pass http://127.0.0.1:8081/xxx/;
}
}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
# 安装ca证书
双击生成的 ca.crt 证书 进行安装
