自签名 SSL 证书

# 成为 CA!

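# Generate the CA private key (2048-bit RSA).
# The key file is encrypted at rest: openssl prompts for a passphrase here and
# again every time the key is used to sign a certificate. -aes256 replaces the
# legacy -des3 option; only the cipher protecting the key file changes, the CA
# itself is unaffected.
openssl genrsa -aes256 -out myCA.key 2048
# Generate the self-signed root certificate for that key.
# -nodes only applies when req generates a key, so it is inert with -key given.
# The CA is valid for 825 days; re-issue it (and re-trust it) before it expires.
openssl req -x509 -new -nodes -key myCA.key -sha256 -days 825 -out myCA.pem \
  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=/OU=/CN=My first CA"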

# 信任 CA

Ubuntu:

# Destination name must end in .crt, otherwise update-ca-certificates ignores it.
ca_dest=/usr/local/share/ca-certificates/myCA.crt
sudo cp -- myCA.pem "$ca_dest"
# Regenerate the system CA bundle so tools that use it now trust myCA.
sudo update-ca-certificates

# 颁发证书!

一张证书可以同时包含多个域名/IP 地址

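# Domain the certificate is issued for: the first argument if given, otherwise
# the example value below — replace it with your own name.
NAME=${1:-my.domain.com}

# Generate the server's private key.
# umask 077 inside a subshell makes the key file owner-readable only without
# changing the umask for the rest of the script, so .csr/.crt/.ext keep their
# normal permissions.
(umask 077; openssl genrsa -out "$NAME.key" 2048)

# Create a certificate-signing request for that key
openssl req -new -key "$NAME.key" -out "$NAME.csr" \
  -subj "/C=CN/ST=Shanghai/L=Shanghai/O=/OU=/CN=$NAME"

# Write the v3 extensions the CA adds when signing.
# Comments sit on their own lines rather than after a value, so nothing depends
# on how the config parser treats a trailing '#'.
# Edit [alt_names]: every hostname and IP the service is reached by must be
# listed — clients match on subjectAltName, not on the Common Name alone.
cat >"$NAME.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
# Marks this as a TLS server certificate; Apple platforms require serverAuth
# to be present in the EKU of server certificates.
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# The primary domain name, same as the CN
DNS.1 = $NAME
# Optional: additional names (a subdomain is shown here)
DNS.2 = bar.$NAME
# Optional: an IP address, if the connection will be made to one
IP.1 = 1.2.3.4
EOF

# Create the signed certificate (prompts for the CA key passphrase).
# -days 825 is the longest validity Apple platforms accept for a TLS server
# certificate; -CAcreateserial writes myCA.srl the first time it is used.
openssl x509 -req -in "$NAME.csr" -CA myCA.pem -CAkey myCA.key -CAcreateserial \
  -out "$NAME.crt" -days 825 -sha256 -extfile "$NAME.ext"

# Bundle certificate and key for servers that want a single file. The bundle
# contains the private key, so it is created owner-readable only as well.
(umask 077; cat -- "$NAME.crt" "$NAME.key" >"$NAME.pem")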