生成 Chrome 可信任的自签名证书
生成的证书需要安装在本机信任机构列表中。
# 生成CA
# openssl rand -writerand ~/.rnd
openssl genrsa -out ca.key 4096
openssl req -new -x509 -days 365 -key ca.key -subj "/C=CN/ST=GD/L=GZ/O=Test/CN=root" -out ca.crt
# 生成CSR文件
openssl req -newkey rsa:4096 -nodes -keyout server.key -subj "/C=CN/ST=GD/L=GZ/O=Test/CN=*.example.com" -out server.csr
# 根据CA生成证书
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:*.example.com,IP:192.168.2.2,IP:192.168.3.3") -days 365 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt
# 不使用CA直接生成证书
openssl x509 -req -extfile <(printf "subjectAltName=DNS:example.com,DNS:*.example.com,IP:192.168.2.2,IP:192.168.3.3") -days 365 -in server.csr -signkey server.key -out server.crt
查看证书输出:openssl x509 -in server.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1c:0d:8c:14:17:50:6d:10:14:36:8f:8b:04:dc:1e:a7:be:93:c4:c2
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = CN, ST = GD, L = GZ, O = Test, CN = *.example.com
Validity
Not Before: Oct 19 11:55:52 2023 GMT
Not After : Oct 18 11:55:52 2024 GMT
Subject: C = CN, ST = GD, L = GZ, O = Test, CN = *.example.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public-Key: (4096 bit)
Modulus:
00:b9:4a:d3:7f:1f:71:bd:0d:fa:4f:8d:fb:91:34:
d9:28:1a:f2:11:ae:fd:3d:ca:35:97:f2:e2:d5:1d:
61:aa:db:8a:db:90:35:9b:81:61:1a:a1:58:8a:ea:
2c:64:ff:9f:98:9e:ec:40:93:14:b9:49:4f:df:54:
4c:21:74:0c:5c:70:e1:f5:a5:3e:a0:c0:8a:41:d8:
6a:13:bd:c0:e0:f3:81:82:ae:26:b1:41:64:dd:c3:
42:39:a0:4d:bf:ab:b1:90:0b:f3:bb:90:78:c0:90:
72:dd:02:b5:82:e7:87:f9:12:b7:5d:7d:bc:c1:ac:
71:e7:29:89:c2:66:b1:5c:79:c6:0b:67:07:28:e7:
34:82:bf:d1:60:34:f9:dd:82:5a:17:d1:61:3b:2c:
4e:1d:b5:d2:94:c6:65:ea:b6:86:2d:c2:60:66:e2:
05:3c:af:1d:12:34:fa:5e:8f:e1:32:b4:63:73:6a:
63:fb:95:53:0e:56:28:90:f0:6f:b1:3c:cb:6f:38:
a0:47:fd:f0:1e:d5:e7:9b:7d:70:86:44:ec:7e:9a:
5e:fc:92:45:74:ab:09:f0:c1:f6:77:45:f4:28:d2:
ca:3b:1b:49:61:b7:03:33:da:15:ce:82:92:ba:73:
bb:50:95:a4:3c:a3:de:a7:98:4a:b8:37:f5:c6:aa:
cf:f5:78:ce:92:5d:29:9c:4a:a9:45:59:27:1e:88:
0d:47:55:10:88:20:7f:27:a4:f2:ef:19:da:a5:d7:
46:70:ac:02:39:c3:27:0a:d9:8d:18:b5:47:2d:2f:
4a:7d:2f:73:c3:65:71:82:46:29:21:67:8c:ad:e4:
d6:1c:83:bd:b8:0e:39:fb:98:28:b9:99:73:43:53:
fe:e3:46:31:39:87:9f:0e:4c:2c:68:d1:22:c7:35:
75:05:26:f0:f1:de:6e:f7:13:5f:06:99:39:df:f4:
cf:a3:8e:65:f9:23:80:67:a5:9d:81:f6:a8:9e:09:
ec:61:3f:63:fe:dc:ae:a8:27:ac:4c:ab:70:ff:6a:
15:ac:64:a8:55:75:fd:c8:8d:da:db:73:a7:d4:dd:
f7:b7:d8:58:4c:15:d6:72:d0:3c:e0:7f:b0:66:fa:
b4:b8:30:0d:d5:71:fd:05:3c:69:56:43:d2:a3:87:
61:96:38:96:5b:af:dc:40:53:bd:89:d4:c3:94:23:
57:e1:76:e7:61:b4:0a:be:e5:fb:f3:7a:03:74:95:
ef:6b:df:95:ec:cf:b1:43:fe:2a:50:7c:58:5d:4f:
90:90:bf:3e:85:63:15:a3:2c:e4:7a:73:90:79:b9:
f3:db:5b:a2:b3:c2:dc:5d:88:71:29:6a:77:af:f5:
8a:a6:87
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:example.com, DNS:*.example.com, IP Address:192.168.2.2, IP Address:192.168.3.3
Signature Algorithm: sha256WithRSAEncryption
0d:91:60:b0:5c:83:1a:44:15:f0:85:eb:3f:c9:f0:73:30:8a:
f9:da:0b:4d:b8:f6:35:4a:04:e4:f4:70:e5:bd:08:2e:19:49:
76:39:25:43:8c:5f:8d:0d:df:2d:9c:27:be:a8:55:37:cf:8a:
cb:72:24:cc:29:5d:67:c8:be:f8:28:a3:8e:37:0b:0d:f1:ea:
e1:0c:96:37:47:39:a0:32:00:89:21:3c:19:10:ed:b6:a3:27:
d7:70:48:0b:41:6a:35:2d:18:96:46:50:41:a2:eb:3d:c6:dd:
57:a1:48:24:ee:91:87:35:2d:56:92:ff:60:69:0b:00:fd:59:
81:7f:fc:6f:4f:f1:0a:bc:2b:40:0b:8a:41:33:93:19:8e:d0:
99:ee:17:14:09:c6:79:70:ac:4d:00:83:bd:33:92:20:be:88:
1e:a9:5e:c7:e4:e5:5c:fd:fc:db:23:ec:f0:3b:d4:50:7b:2a:
6d:4a:52:e8:4b:89:ef:7b:02:f4:b8:ff:1f:66:36:cf:99:a6:
0e:96:9b:ea:15:a6:56:1a:f1:98:07:59:3c:54:07:52:e5:43:
ef:ea:52:7c:5b:d8:75:71:9b:f9:78:bc:8f:7f:40:ce:25:99:
6d:09:49:c9:c8:e0:e8:43:da:ae:51:ca:d6:4d:0f:c8:ad:10:
cd:3c:15:53:ef:14:32:55:90:ad:0a:8a:fb:c9:97:cf:1a:5a:
56:aa:9f:df:df:65:c3:9b:7b:45:b3:c7:d0:11:ea:0a:3a:8b:
a3:ec:c7:eb:eb:22:64:98:c8:4c:3b:5a:74:b6:f0:5b:21:9f:
48:a5:e7:63:11:30:c3:bc:cc:48:8e:71:c6:12:2a:0b:8a:03:
20:00:6c:ad:96:eb:56:5d:c6:5d:84:9a:79:6d:82:5e:d1:05:
fc:38:2c:cb:87:d7:1a:ff:15:42:f4:c8:93:d2:ba:9c:34:14:
24:60:2f:ee:23:44:18:96:8e:bb:8e:87:88:ad:5d:91:bb:ff:
74:e1:f3:cb:82:fc:f7:d2:e4:73:f0:59:c9:c4:01:25:fd:7a:
2c:ab:b1:51:44:77:27:0b:c1:0b:3e:eb:c0:bb:28:27:a5:f2:
ae:a6:01:63:78:18:96:6c:fb:17:a3:19:bc:8f:85:76:28:94:
29:84:2a:ba:ae:be:39:b8:1e:ba:ab:ff:a2:8e:f9:c1:aa:2f:
da:c0:1b:cd:5e:c3:b0:c2:15:0d:fb:a8:c4:bd:0b:e1:3c:50:
9c:ff:26:2e:68:97:77:55:19:39:79:e4:60:ad:15:6c:ea:e6:
ac:9d:6e:b5:f7:91:38:0c:2c:de:86:63:4d:54:3a:8a:82:0c:
24:82:c6:91:41:da:37:b7
HTTPS 双向认证
证书生成参照上面的过程(需要CA根证书),只是多了一个client.p12证书,用于浏览器认证,这个证书文件包含客户端的公钥和私钥。生成的证书安装在【个人】下即可。
openssl pkcs12 -export -clcerts -in client.crt -inkey client.key -out client.p12
Nginx 配置
server {
ssl_verify_client on;
ssl_client_certificate /path/to/ca.crt;
ssl_verify_depth 1; # 如果客户端证书不是由根证书直接颁发的,需要开启该配置
}
参考
Provide subjectAltName to openssl directly on the command line