Hugh's Blog

生成 Chrome 可信任的自签名证书

 

生成的证书需要安装在本机信任机构列表中。

# 生成CA
# openssl rand -writerand ~/.rnd
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=GZ/O=Test/CN=root" -out ca.crt

# 生成CSR文件
openssl req -newkey rsa:4096 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=GZ/O=Test/CN=*.example.com" -out server.csr

# 根据CA生成证书
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:*.example.com,IP:192.168.2.2,IP:192.168.3.3") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt

# 不使用CA直接生成证书
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:*.example.com,IP:192.168.2.2,IP:192.168.3.3") -days 365 -in server.csr -signkey server.key -out server.crt

查看证书输出:openssl x509 -in server.crt -text -noout

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            1c:0d:8c:14:17:50:6d:10:14:36:8f:8b:04:dc:1e:a7:be:93:c4:c2
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CN, ST = GD, L = GZ, O = Test, CN = *.example.com
        Validity
            Not Before: Oct 19 11:55:52 2023 GMT
            Not After : Oct 18 11:55:52 2024 GMT
        Subject: C = CN, ST = GD, L = GZ, O = Test, CN = *.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Modulus:
                    00:b9:4a:d3:7f:1f:71:bd:0d:fa:4f:8d:fb:91:34:
                    d9:28:1a:f2:11:ae:fd:3d:ca:35:97:f2:e2:d5:1d:
                    61:aa:db:8a:db:90:35:9b:81:61:1a:a1:58:8a:ea:
                    2c:64:ff:9f:98:9e:ec:40:93:14:b9:49:4f:df:54:
                    4c:21:74:0c:5c:70:e1:f5:a5:3e:a0:c0:8a:41:d8:
                    6a:13:bd:c0:e0:f3:81:82:ae:26:b1:41:64:dd:c3:
                    42:39:a0:4d:bf:ab:b1:90:0b:f3:bb:90:78:c0:90:
                    72:dd:02:b5:82:e7:87:f9:12:b7:5d:7d:bc:c1:ac:
                    71:e7:29:89:c2:66:b1:5c:79:c6:0b:67:07:28:e7:
                    34:82:bf:d1:60:34:f9:dd:82:5a:17:d1:61:3b:2c:
                    4e:1d:b5:d2:94:c6:65:ea:b6:86:2d:c2:60:66:e2:
                    05:3c:af:1d:12:34:fa:5e:8f:e1:32:b4:63:73:6a:
                    63:fb:95:53:0e:56:28:90:f0:6f:b1:3c:cb:6f:38:
                    a0:47:fd:f0:1e:d5:e7:9b:7d:70:86:44:ec:7e:9a:
                    5e:fc:92:45:74:ab:09:f0:c1:f6:77:45:f4:28:d2:
                    ca:3b:1b:49:61:b7:03:33:da:15:ce:82:92:ba:73:
                    bb:50:95:a4:3c:a3:de:a7:98:4a:b8:37:f5:c6:aa:
                    cf:f5:78:ce:92:5d:29:9c:4a:a9:45:59:27:1e:88:
                    0d:47:55:10:88:20:7f:27:a4:f2:ef:19:da:a5:d7:
                    46:70:ac:02:39:c3:27:0a:d9:8d:18:b5:47:2d:2f:
                    4a:7d:2f:73:c3:65:71:82:46:29:21:67:8c:ad:e4:
                    d6:1c:83:bd:b8:0e:39:fb:98:28:b9:99:73:43:53:
                    fe:e3:46:31:39:87:9f:0e:4c:2c:68:d1:22:c7:35:
                    75:05:26:f0:f1:de:6e:f7:13:5f:06:99:39:df:f4:
                    cf:a3:8e:65:f9:23:80:67:a5:9d:81:f6:a8:9e:09:
                    ec:61:3f:63:fe:dc:ae:a8:27:ac:4c:ab:70:ff:6a:
                    15:ac:64:a8:55:75:fd:c8:8d:da:db:73:a7:d4:dd:
                    f7:b7:d8:58:4c:15:d6:72:d0:3c:e0:7f:b0:66:fa:
                    b4:b8:30:0d:d5:71:fd:05:3c:69:56:43:d2:a3:87:
                    61:96:38:96:5b:af:dc:40:53:bd:89:d4:c3:94:23:
                    57:e1:76:e7:61:b4:0a:be:e5:fb:f3:7a:03:74:95:
                    ef:6b:df:95:ec:cf:b1:43:fe:2a:50:7c:58:5d:4f:
                    90:90:bf:3e:85:63:15:a3:2c:e4:7a:73:90:79:b9:
                    f3:db:5b:a2:b3:c2:dc:5d:88:71:29:6a:77:af:f5:
                    8a:a6:87
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name: 
                DNS:example.com, DNS:*.example.com, IP Address:192.168.2.2, IP Address:192.168.3.3
    Signature Algorithm: sha256WithRSAEncryption
         0d:91:60:b0:5c:83:1a:44:15:f0:85:eb:3f:c9:f0:73:30:8a:
         f9:da:0b:4d:b8:f6:35:4a:04:e4:f4:70:e5:bd:08:2e:19:49:
         76:39:25:43:8c:5f:8d:0d:df:2d:9c:27:be:a8:55:37:cf:8a:
         cb:72:24:cc:29:5d:67:c8:be:f8:28:a3:8e:37:0b:0d:f1:ea:
         e1:0c:96:37:47:39:a0:32:00:89:21:3c:19:10:ed:b6:a3:27:
         d7:70:48:0b:41:6a:35:2d:18:96:46:50:41:a2:eb:3d:c6:dd:
         57:a1:48:24:ee:91:87:35:2d:56:92:ff:60:69:0b:00:fd:59:
         81:7f:fc:6f:4f:f1:0a:bc:2b:40:0b:8a:41:33:93:19:8e:d0:
         99:ee:17:14:09:c6:79:70:ac:4d:00:83:bd:33:92:20:be:88:
         1e:a9:5e:c7:e4:e5:5c:fd:fc:db:23:ec:f0:3b:d4:50:7b:2a:
         6d:4a:52:e8:4b:89:ef:7b:02:f4:b8:ff:1f:66:36:cf:99:a6:
         0e:96:9b:ea:15:a6:56:1a:f1:98:07:59:3c:54:07:52:e5:43:
         ef:ea:52:7c:5b:d8:75:71:9b:f9:78:bc:8f:7f:40:ce:25:99:
         6d:09:49:c9:c8:e0:e8:43:da:ae:51:ca:d6:4d:0f:c8:ad:10:
         cd:3c:15:53:ef:14:32:55:90:ad:0a:8a:fb:c9:97:cf:1a:5a:
         56:aa:9f:df:df:65:c3:9b:7b:45:b3:c7:d0:11:ea:0a:3a:8b:
         a3:ec:c7:eb:eb:22:64:98:c8:4c:3b:5a:74:b6:f0:5b:21:9f:
         48:a5:e7:63:11:30:c3:bc:cc:48:8e:71:c6:12:2a:0b:8a:03:
         20:00:6c:ad:96:eb:56:5d:c6:5d:84:9a:79:6d:82:5e:d1:05:
         fc:38:2c:cb:87:d7:1a:ff:15:42:f4:c8:93:d2:ba:9c:34:14:
         24:60:2f:ee:23:44:18:96:8e:bb:8e:87:88:ad:5d:91:bb:ff:
         74:e1:f3:cb:82:fc:f7:d2:e4:73:f0:59:c9:c4:01:25:fd:7a:
         2c:ab:b1:51:44:77:27:0b:c1:0b:3e:eb:c0:bb:28:27:a5:f2:
         ae:a6:01:63:78:18:96:6c:fb:17:a3:19:bc:8f:85:76:28:94:
         29:84:2a:ba:ae:be:39:b8:1e:ba:ab:ff:a2:8e:f9:c1:aa:2f:
         da:c0:1b:cd:5e:c3:b0:c2:15:0d:fb:a8:c4:bd:0b:e1:3c:50:
         9c:ff:26:2e:68:97:77:55:19:39:79:e4:60:ad:15:6c:ea:e6:
         ac:9d:6e:b5:f7:91:38:0c:2c:de:86:63:4d:54:3a:8a:82:0c:
         24:82:c6:91:41:da:37:b7

HTTPS 双向认证

证书生成参照上面的过程(需要CA根证书),只是多了一个client.p12证书,用于浏览器认证,这个证书文件包含客户端的公钥和私钥。生成的证书安装在【个人】下即可。

openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12

Nginx 配置

server {
    ssl_verify_client on;
    ssl_client_certificate /path/to/ca.crt;
    ssl_verify_depth 1; # 如果客户端证书不是由根证书直接颁发的,需要开启该配置
}

参考

Provide subjectAltName to openssl directly on the command line