Setting up a browser-trusted SSL certificate on a LAN
I. Create the CA certificate
1. Generate a private key. This key is the root of the CA and everything that follows derives from it: anyone who obtains it can issue certificates that every machine trusting this CA will accept, so keep it off the servers and back it up securely.
[root@localhost testCA]# openssl genrsa -out myCA.key 2048
Generating RSA private key, 2048 bit long modulus
..........................................+++
..............................................................+++
e is 65537 (0x10001)
2. Use the private key to issue the self-signed CA certificate. The certificate carries the CA's public key and identity and is signed with the private key from step 1 (nothing is "encrypted" here; this is the root certificate clients will later import).
[root@localhost testCA]# openssl req -new -x509 -key myCA.key -out myCA.cer -days 36500
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:CN
State or Province Name (full name) []:GuangDong
Locality Name (eg, city) [Default City]:ShenZhen
Organization Name (eg, company) [Default Company Ltd]:leaderchain
Organizational Unit Name (eg, section) []:xraremeta
Common Name (eg, your name or your server's hostname) []:leaderchain.com
Email Address []:381151367@qq.com
II. Create the server certificate
1. Generate the server's private key with openssl
[root@localhost testCA]# openssl genrsa -out server.key 2048
2. Create a certificate signing request (CSR)
A certificate for HTTPS has to satisfy what browsers check, which is more than a certificate used only for in-house encryption needs. First, `openssl x509 -req` emits an X.509 v1 certificate unless extensions are supplied, and a v1 certificate cannot carry any extensions at all, so the server certificate must be v3. Second, even as v3 the certificate gets no subjectAltName on its own, and that extension, the list of DNS names or IP addresses (wildcards allowed) the certificate is valid for, is what browsers match against the URL: since Chrome 58 the Common Name is ignored entirely, so a certificate without a SAN fails with NET::ERR_CERT_COMMON_NAME_INVALID. Older OpenSSL releases have no command-line switch for these (OpenSSL 1.1.1 added `-addext` to `req`), so they go into a configuration file, openssl.cnf:
[ req ]
distinguished_name = req_distinguished_name
req_extensions = v3_req
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = XX
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
#stateOrProvinceName_default = Default Province
localityName = Locality Name (eg, city)
localityName_default = Default City
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default Company Ltd
# we can do this but it is not needed normally :-)
#1.organizationName = Second Organization Name (eg, company)
#1.organizationName_default = World Wide Web Pty Ltd
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, your name or your server\'s hostname)
commonName_max = 64
emailAddress = Email Address
emailAddress_max = 64
# SET-ex3 = SET extension number 3
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = *.example.com
IP.1 = 192.168.215.21
IP.2 = 192.168.215.24
Save the configuration above as openssl.cnf in the directory where the server certificate is being generated (change the domain names and IP addresses under alt_names to the addresses the service will actually be reached at; wildcards are supported), then create the signing request:
[root@localhost testCA]# openssl req -config openssl.cnf -new -out server.req -key server.key
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
3. Sign the server certificate with the CA
`openssl x509 -req` does not carry the extensions over from the CSR (OpenSSL 3.0 added `-copy_extensions copy` for that), which is why `-extfile openssl.cnf -extensions v3_req` is passed again here; without it the output would be the extension-less v1 certificate described above. Also prefer a much shorter `-days` than the 36500 used below for a server certificate: Apple platforms (Safari, iOS) reject TLS server certificates valid for more than 825 days even when they come from a private CA. A long validity is only unproblematic for the root certificate itself.
[root@localhost testCA]# openssl x509 -req -extfile openssl.cnf -extensions v3_req -in server.req -out server.cer -CAkey myCA.key -CA myCA.cer -days 36500 -CAcreateserial -CAserial serial
Signature ok
subject=/C=XX/L=Default City/O=Default Company Ltd
Getting CA Private Key
4. Deploy the certificate
Nginx: server.key is the private key and server.cer is the certificate (it contains the public key); point `ssl_certificate` at server.cer and `ssl_certificate_key` at server.key. Only the server's own key and certificate go onto the server; the CA key (myCA.key) should never be copied there, and clients only ever receive myCA.cer.
III. Trust the CA certificate
Import the CA certificate (the myCA.cer file) into the system's Trusted Root Certification Authorities store. Be clear about what this grants: whoever holds myCA.key can then issue a certificate for any site that these machines will accept without warning, so guard that key accordingly. Firefox keeps its own certificate store; older versions ignore the Windows store unless `security.enterprise_roots.enabled` is set to true (recent versions import OS roots by default), so if Firefox still warns, import myCA.cer in its certificate manager as well.
Import steps on Windows 10:
- Double-click the certificate and click "Install Certificate"
- Choose "Local Machine", click "Next" and accept the elevation prompt
- Select "Place all certificates in the following store" and click "Browse"
- Choose "Trusted Root Certification Authorities" and click "OK"
- Click "Next"
- Click "Finish"
- Restart the browser; the red warning on the address bar is gone