I. Generating the certificates
1. Create the root certificate
Create a file named MyCompanyCA.cnf with the following content:
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
[ req_distinguished_name ]
# The following values can be filled in freely
countryName = CN (2 letter code)
countryName_min = 2
countryName_max = 2
stateOrProvinceName = ZheJiang
localityName = HangZhou
organizationName = Mycompany
organizationalUnitName = technology
commonName = develop
commonName_max = 64
emailAddress = xxxxxxxx@gmail.com
emailAddress_max = 64
[ root_ca ]
basicConstraints = critical, CA:true
Create a file named MyCompanyLocalhost.ext with the following content:
subjectAltName = @alt_names
extendedKeyUsage = serverAuth
[alt_names]
# Domain name; for more than one, add DNS.2, DNS.3, ...
DNS.1 = domain.com
# IP address
IP.1 = 127.0.0.1
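Notes:
MyCompanyCA.cnf is the configuration file used to request the CA root certificate;
MyCompanyLocalhost.ext is the extension configuration file used when generating the server certificate.
2. Generate the certificates
Run the following three commands: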
openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM -keyout MyCompanyCA.pvk -days 10000 -verbose -config MyCompanyCA.cnf -nodes -sha256 -subj "/CN=MyCompany CA"
openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes
openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 10000 -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111
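When the commands finish, you get the files listed below. MyCompanyCA.cer is the certificate to install in browsers and on Android and Apple devices; MyCompanyLocalhost.cer and MyCompanyLocalhost.pvk are the certificate and key files that stay on the server and only need to be configured in Nginx.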
-rw-r--r-- 1 hugh staff 1.0K 3 5 15:20 MyCompanyCA.cer
-rw-r--r-- 1 hugh staff 592B 3 5 16:03 MyCompanyCA.cnf
-rw-r--r-- 1 hugh staff 1.6K 3 5 15:20 MyCompanyCA.pvk
-rw-r--r-- 1 hugh staff 1.0K 3 5 15:20 MyCompanyLocalhost.cer
-rw-r--r-- 1 hugh staff 116B 3 5 15:20 MyCompanyLocalhost.ext
-rw-r--r-- 1 hugh staff 1.6K 3 5 15:20 MyCompanyLocalhost.pvk
-rw-r--r-- 1 hugh staff 891B 3 5 15:20 MyCompanyLocalhost.req
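A check worth running before installing anything, as an added example that is not part of the original post: it rebuilds the certificates in a temporary directory with the three commands above and uses openssl verify to show which names a TLS client would accept for the server certificate. Assumptions: OpenSSL 1.1.0 or later, a 30-day lifetime instead of 10000, -verbose dropped, trimmed copies of the two config files, and -config also passed to the CSR command so the run does not depend on a system openssl.cnf.

```shell
#!/bin/sh
# Added example: rebuild the page's CA and server certificate in a scratch
# directory, then test which names the server certificate is valid for.
set -eu

build_certs() {  # $1 = output directory
  # Constructed, trimmed copies of the page's two config files.
  printf '%s\n' '[ req ]' 'distinguished_name = req_distinguished_name' \
    'x509_extensions = root_ca' '[ req_distinguished_name ]' \
    '[ root_ca ]' 'basicConstraints = critical, CA:true' > "$1/MyCompanyCA.cnf"
  printf '%s\n' 'subjectAltName = @alt_names' 'extendedKeyUsage = serverAuth' \
    '[alt_names]' 'DNS.1 = domain.com' 'IP.1 = 127.0.0.1' > "$1/MyCompanyLocalhost.ext"
  ( cd "$1"
    umask 077  # keep the unencrypted (-nodes) private keys unreadable to other users
    openssl req -x509 -newkey rsa:2048 -out MyCompanyCA.cer -outform PEM \
      -keyout MyCompanyCA.pvk -days 30 -config MyCompanyCA.cnf -nodes -sha256 \
      -subj "/CN=MyCompany CA"
    # -config is an addition (assumption) so no system openssl.cnf is needed
    openssl req -newkey rsa:2048 -keyout MyCompanyLocalhost.pvk \
      -out MyCompanyLocalhost.req -subj /CN=localhost -sha256 -nodes \
      -config MyCompanyCA.cnf
    openssl x509 -req -CA MyCompanyCA.cer -CAkey MyCompanyCA.pvk \
      -in MyCompanyLocalhost.req -out MyCompanyLocalhost.cer -days 30 \
      -extfile MyCompanyLocalhost.ext -sha256 -set_serial 0x1111
  ) >/dev/null 2>&1
}

# Succeeds only if the server cert chains to the CA, is usable as a TLS
# server certificate, and matches the given DNS name ($2).
valid_for_host() {
  openssl verify -CAfile "$1/MyCompanyCA.cer" -purpose sslserver \
    -verify_hostname "$2" "$1/MyCompanyLocalhost.cer" >/dev/null 2>&1
}

# Same check for an IP address ($2).
valid_for_ip() {
  openssl verify -CAfile "$1/MyCompanyCA.cer" -purpose sslserver \
    -verify_ip "$2" "$1/MyCompanyLocalhost.cer" >/dev/null 2>&1
}

work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
build_certs "$work"
for name in domain.com localhost; do
  if valid_for_host "$work" "$name"; then echo "$name: accepted"; else echo "$name: rejected"; fi
done
if valid_for_ip "$work" 127.0.0.1; then echo "127.0.0.1: accepted"; else echo "127.0.0.1: rejected"; fi
```

Because the certificate carries a DNS subjectAltName, the CN=localhost subject is not used for name matching, so the name localhost is rejected unless an entry such as DNS.2 = localhost is added to MyCompanyLocalhost.ext.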
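II. Installing the certificate on a device
Taking a Mac as an example: double-click the MyCompanyCA.cer file, or import the certificate in Keychain Access. After the certificate is imported, its default state is as follows:
Open "Trust" and select "Always Trust".
The address you want to visit now shows as green "Secure".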