即刻关注,获取更多
1.ngnix配置(片段)
listen 443 ssl;
server_name localhost;
charset utf-8;
access_log /var/log/nginx/443.access.log main;
error_log /var/log/nginx/443.error.log;
ssl_certificate /etc/nginx/ssl/domain.crt;
ssl_certificate_key /etc/nginx/ssl/server.key;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
2.生成证书(单个域名)
######单个证书 是OK的
openssl genrsa -des3 -out domain.key 1024
openssl req -new -key domain.key -out domain.csr
openssl rsa -in domain.key -out server.key
openssl x509 -req -days 3650 -in domain.csr -signkey server.key -out domain.crt
curl --insecure https://127.0.0.1
wget --no-check-certificate https://get.jenkins.io/plugins/trilead-api/1.0.13/trilead-api.hpi
3.生成多个证书,测试不通过(待后续研究)
#####多个证书 测试无效
https://www.cnblogs.com/kreo/p/13203973.html
https://www.cnblogs.com/yueli/p/7478779.html
https://www.cnblogs.com/kreo/p/13203973.html
https://blog.51cto.com/colinzhouyj/1566438
https://blog.51cto.com/colinzhouyj/1564916
[root@os197 cert]# mkdir -p CA/{certs,crl,newcerts,private}
[root@os197 cert]# touch CA/index.txt
[root@os197 cert]# echo 00 > CA/serial
cp /etc/pki/tls/openssl.cnf ./
#这3个是取消注释并修改
copy_extensions = copy
req_extensions = v3_req
subjectAltName = @alt_names
#新增alt_names节点并配置需要的域名和IP
[ alt_names ]
DNS.1 = *.home.com
DNS.2 = updates.jenkins.io
DNS.3 = get.jenkins.io
DNS.4 = *.jenkins.io
IP.1 = 127.0.0.1
IP.2 = 186.137.128.197
#生成CA key文件
openssl genrsa -out ca.key 2048
#使用配置文件生成自签名CA证书
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 \
-subj "/C=CN/ST=GD/L=GZ/O=BBC/OU=COMPANY/CN=*.jenkins.io" \
-config ./openssl.cnf -extensions v3_req \
-out ca.pem
#使用这个命令可以查看生成的CA证书是否支持多域名
openssl x509 -text -in ca.pem -noout
#生成Server端 Key文件
openssl genrsa -out server.key 2048
#生成签名请求
openssl req -new -key ./server.key \
-subj "/C=CN/ST=GD/L=GZ/O=BBC/OU=COMPANY/CN=*.jenkins.io" \
-config ./openssl.cnf -extensions v3_req \
-out server.csr
#使用CA证书签名Server端证书
openssl x509 -req -in ./server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
-extfile ./openssl.cnf -extensions v3_req \
-days 3650 -sha256 -out server.pem
#使用这个命令可以查看生成的Server端证书是否支持多域名
openssl x509 -text -in server.pem -noout
4.证书导入Jre
keytool -import -noprompt -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/lib/security/cacerts -storepass changeit -alias home -file "/data/temp/home.cer"
keytool -list -keystore /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.131-11.b12.el7.x86_64/jre/lib/security/cacerts -storepass changeit