Generating the CA root certificate
Prepare the configuration file
vi ca.conf
Contents:
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName = Locality Name (eg, city)
localityName_default = NanJing
organizationName = Organization Name (eg, company)
organizationName_default = Sheld
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = Ted CA Test
Generate the CA private key, producing ca.key
openssl genrsa -out ca.key 4096
Generate the certificate signing request, producing ca.csr
openssl req \
-new \
-sha256 \
-out ca.csr \
-key ca.key \
-config ca.conf
The config file already provides defaults, so just press Enter at each prompt.
Generate the root certificate ca.crt
openssl x509 \
-req \
-days 3650 \
-in ca.csr \
-signkey ca.key \
-out ca.crt
Generating the server certificate
Prepare the configuration file
vim server.conf
File contents:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = req_ext
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = JiangSu
localityName = Locality Name (eg, city)
localityName_default = NanJing
organizationName = Organization Name (eg, company)
organizationName_default = Sheld
commonName = Common Name (e.g. server FQDN or YOUR name)
commonName_max = 64
commonName_default = www.abc.com
[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1 = www.abc.com
DNS.2 = www2.abc.com
The commonName here should be the domain name of the site you are going to serve (the same name appears again under [alt_names], since browsers match the certificate against the subjectAltName entries).
Generate the private key server.key
openssl genrsa -out server.key 2048
Generate the certificate signing request:
openssl req \
-new \
-sha256 \
-out server.csr \
-key server.key \
-config server.conf
The config file already supplies the values, so just press Enter to accept the defaults.
Generate the server certificate:
openssl x509 \
-req \
-days 3650 \
-CA ca.crt \
-CAkey ca.key \
-CAcreateserial \
-in server.csr \
-out server.crt \
-extensions req_ext \
-extfile server.conf
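The whole CA-to-server procedure above, as an added example that is not part of the original post: it writes both configs into a scratch directory, runs the same genrsa / req / x509 steps, and then checks with openssl verify that server.crt really chains to ca.crt and is valid for the hostnames in the SAN. It assumes openssl (1.1.1 or 3.x) is on PATH; the explicit basicConstraints / keyUsage / extendedKeyUsage lines are an addition beyond the post, so the root is marked as a CA and the server certificate cannot itself sign certificates.

```shell
# Added example, not from the original post. Builds ca.key/ca.crt and
# server.key/server.crt under $1 with the same steps as the tutorial.
# prompt = no lets `openssl req` take the DN from the file instead of asking.
set -eu
make_chain() {
    mkdir -p "$1"
    # CA config: tutorial [req] section plus CA extensions (added here).
    cat > "$1/ca.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = Ted CA Test
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Server config: same SAN list as the tutorial, plus leaf-only extensions.
    cat > "$1/server.conf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
req_extensions = req_ext
[ dn ]
CN = www.abc.com
[ req_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = www.abc.com
DNS.2 = www2.abc.com
EOF
    openssl genrsa -out "$1/ca.key" 4096 2>/dev/null
    openssl req -new -sha256 -key "$1/ca.key" -config "$1/ca.conf" -out "$1/ca.csr"
    openssl x509 -req -days 3650 -in "$1/ca.csr" -signkey "$1/ca.key" \
        -extfile "$1/ca.conf" -extensions ca_ext -out "$1/ca.crt" 2>/dev/null
    openssl genrsa -out "$1/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$1/server.key" -config "$1/server.conf" -out "$1/server.csr"
    openssl x509 -req -days 3650 -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
        -in "$1/server.csr" -extfile "$1/server.conf" -extensions req_ext \
        -out "$1/server.crt" 2>/dev/null
}
# Returns 0 only if server.crt chains to ca.crt AND its SAN covers hostname $2.
verify_chain() {
    openssl verify -CAfile "$1/ca.crt" -verify_hostname "$2" "$1/server.crt" >/dev/null 2>&1
}
```

Run `make_chain out && verify_chain out www.abc.com && echo OK`; the same call with a hostname that is not in [alt_names] fails, which is exactly the mismatch a browser would report.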
Applying it to nginx
Create the nginx configuration file:
mkdir -p nginx
leon@leon:~/work/CA$ cat nginx/ssl.conf
server {
    listen 443 ssl;
    server_name www.abc.com;
    root /usr/share/nginx/html;
    ssl_certificate /etc/certs/server.crt;
    ssl_certificate_key /etc/certs/server.key;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    location / {
        index index.html index.htm;
    }
}
Copy the generated certificates into the certs folder
mkdir certs
cp ca.crt server.crt server.key certs/
Run the nginx image, mounting the certs folder and the ssl.conf into the container.
docker run -d -p 80:80 -p 443:443 -v /home/leon/work/CA/certs:/etc/certs -v /home/leon/work/CA/nginx/ssl.conf:/etc/nginx/conf.d/ssl.conf nginx
Importing the certificate into Firefox:
Firefox – Options – Privacy & Security – Certificates – View Certificates – Authorities – Import
Import the CA root certificate ca.crt, select it, choose Edit Trust, and tick "This certificate can identify websites".
Open in the browser:
https://www.abc.com
You can point the domain at the local machine by editing your hosts file.
The browser now shows a secure connection backed by the certificate.