OpenSSL 生成自定义证书

发表于 更新于

前言

本文用来记录通过OpenSSL生成自定义证书并在浏览器设置可信任

准备

  • Linux CentOS7 系统
  • nginx 1.12.2
  • Windows 10
  • IE 11
  • chrome 71

OpenSSL配置

在linux系统中修改OpenSSL配置是为了,让chrome浏览器对为网站可信任

  1. 拷贝OpenSSL配置文件准备修改

    1
    2
    # cd /etc/pki/tls/
    # cp openssl.cnf openssl_m.cnf

  2. 修改openssl_m.cnf文件

    1
    # vi /etc/pki/tls/openssl_m.cnf

    a. 找到[ req ] 段落,添加req_extentions = v3_req配置:

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    ####################################################################
    [ req ]
    default_bits        = 2048
    default_md      = sha256
    default_keyfile     = privkey.pem
    distinguished_name  = req_distinguished_name
    attributes      = req_attributes
    x509_extensions = v3_ca # The extentions to add to the self signed cert
    #需要添加的配置
    req_extentions  = v3_req

    b. 添加v3_req配置信息

    1
    2
    3
    4
    5
    6
    7
    8
    [ v3_req ]

    # Extensions to add to a certificate request

    basicConstraints = CA:FALSE
    keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    #需要添加的配置
    subjectAltName = @alt_names

    c. 添加alt_names配置信息,可以添加多个

    1
    2
    [ alt_names ]
    DNS.1 = www.test.com

    注:这里填入的即为Subject Alternative Names的域名名称

生成证书

直接用脚本生成

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#!/bin/sh

# create self-signed server certificate:

read -p "Enter your domain [www.example.com]: " DOMAIN

echo "Create server key..."

openssl genrsa -des3 -out $DOMAIN.key 2048

echo "Create server certificate signing request..."

SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"

#openssl req -new  -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr -extensions v3_req
openssl req -new -subj $SUBJECT  -key $DOMAIN.key -out $DOMAIN.csr


echo "Remove password..."

mv $DOMAIN.key $DOMAIN.origin.key
openssl rsa -in $DOMAIN.origin.key -out $DOMAIN.key

echo "Sign SSL certificate..."

openssl x509 -req -days 3650 -extfile /etc/pki/tls/openssl_m.cnf  -extensions v3_req   -in $DOMAIN.csr -signkey $DOMAIN.key -out $DOMAIN.crt

echo "TODO:"
echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
echo "Add configuration in nginx:"
echo "server {"
echo "    ..."
echo "    listen 443 ssl;"
echo "    ssl_certificate     /etc/nginx/ssl/$DOMAIN.crt;"
echo "    ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
echo "}"

关键点就是:-extfile /etc/pki/tls/openssl_m.cnf -extensions v3_req给证书添加上扩展属性

配置nginx

  1. 把生成的xxx.crt 和xxx.key 拷贝到/etc/nginx/ssl/
  2. 修改nginx.conf
    1
    2
    3
    4
    5
    6
    7
    server {
        ssl on;
        ssl_certificate     /etc/nginx/ssl/www.test.com.crt;
        ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
        listen       443 default_server;
        listen       [::]:443 default_server;
    }
  3. 重启nginx服务

导入证书

  1. www.test.com.crt拷贝到windows系统中
  2. 双击www.test.com.crt文件打开
  3. 点击“Install Certificate”
  4. 选择“Local Machine” 点击“Next”
  5. 选择“Place all certificates in the following store” 点击“Browser”
  6. 选择“Trusted Root Certification Authorities” 点击“OK”
  7. 点击“Next” 点击“Finish”

再次访问网站

参考资料

  1. OpenSSL创建的自签名证书在chrome端无法信任
  2. OpenSSL生成v3证书方法及配置文件
  3. 给Nginx配置一个自签名的SSL证书
  4. 脚本