#准备环境
OS:CentOS Linux release 7.6.1810 (Core)
OpenSSL:OpenSSL 1.0.2k-fips
Nginx:nginx/1.16.1
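# Certificate creation
# Working directory: keys, certificates and the SAN config all land here.
mkdir -p /opt/tls && cd /opt/tls
# CA private key
openssl genrsa -out ca.key 2048
# Self-signed CA certificate, valid 10 years.
# No -config is given, so the CA extensions come from the system openssl.cnf's
# x509_extensions setting; confirm CA:TRUE is present with
# `openssl x509 -in ca.crt -noout -text` before trusting it anywhere.
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -subj "/C=CN/ST=bj/L=bj/O=ban/OU=ban/emailAddress=ban@163.com"
# Server private key
openssl genrsa -out server.key 2048
# genrsa writes key files with the process umask (usually world-readable);
# keep both private keys owner-only.
chmod 600 ca.key server.key
# SAN certificate config. prompt = no makes the request non-interactive: each
# DN field is taken literally from [req_distinguished_name] rather than being
# prompted for, so every field (including commonName) appears exactly once.
# The heredoc delimiter is quoted so the shell does not expand anything inside.
cat > san.cfg <<'EOF'
[ req ]
default_bits = 2048
# only used when -key is not given on the command line
default_keyfile = server.key
prompt = no
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
C = CN
ST = bj
L = bj
O = ban
OU = ban
CN = www.ban.com
emailAddress = ban@163.com

[ req_ext ]
# end-entity certificate: not a CA, TLS server use only
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[ alt_names ]
# *.ban.com does not match the bare name ban.com; add DNS.2 = ban.com if that host is served too
DNS.1 = *.ban.com
IP.1 = 192.168.110.221
EOF
# Certificate signing request. To buy a certificate from a public CA, submit
# this .csr file to them instead of signing it locally below.
openssl req -new -key server.key -out server.csr -config san.cfg -sha256
# Sign with our CA. `x509 -req` does not copy extensions from the CSR, so the
# SAN/usage extensions are supplied again via -extfile/-extensions.
# -CAcreateserial keeps a serial counter in ca.srl (randomised on first run);
# a fixed serial would make every re-run of this script issue a duplicate
# (issuer, serial) pair, which at least Firefox rejects once it has cached the
# first certificate.
# -sha256 is explicit so the signature digest does not depend on the OpenSSL
# build's default.
openssl x509 -req -days 3650 -sha256 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -extfile san.cfg -extensions req_ext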
#配置证书
将server.crt 和 server.key 配置到nginx配置文件中,并启动nginx
然后把根证书 ca.crt 下载到 Windows，直接双击安装，安装时选择存储到“受信任的根证书颁发机构”
访问nginx代理页面即可。