侧边栏壁纸
博主头像
平凡的运维之路博主等级

行动起来,活在当下

  • 累计撰写 69 篇文章
  • 累计创建 37 个标签
  • 累计收到 3 条评论

目 录CONTENT

文章目录
Linux

Nginx自签可授信证书

平凡的运维之路
平凡的运维之路
2025-07-09 / 0 评论 / 0 点赞 / 5 阅读 / 5767 字
  • 自签可授证书第一版
openssl req -x509 \
        -newkey \
        rsa:4096 \
        -nodes \
        -keyout server.key \
        -out server.crt \
        -sha256 \
        -days 36500 \
        -subj "/C=CN/ST=Beijing/L=Beijing/O=PSBC/OU=CCCS/CN=CCCS CA" \
        -extensions san \
        -config <(echo '[req]'; echo 'distinguished_name=req';
        echo '[san]'; echo 'subjectAltName=DNS:test.com,DNS:devops.test.com,DNS:*.test.com')
  • 生成两个证书文件,然后引入nginx加载
-rw-rw-r-- 1 devops devops 2.0K Jul  9 11:14 server.crt
-rw-rw-r-- 1 devops devops 3.2K Jul  9 11:15 server.key

自签ip地址可授证书第二版

  • 创建CA证书配置 CA.cnf 文件
[ req ]
distinguished_name = req_distinguished_name
x509_extensions = root_ca
 
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zhao138969
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = QCTEAM
commonName = Common Name (eg, fully qualified host name)
commonName_default = *.zhao138969.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@zhao138969.com
emailAddress_max = 64
 
[ root_ca ]
basicConstraints = critical, CA:true
  • 创建ssl证书 server.cnf 文件
distinguished_name = req_distinguished_name
 
[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = CN
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Beijing
localityName = Locality Name (eg, city)
localityName_default = Beijing
0.organizationName = Organization Name (eg, company)
0.organizationName_default = zhao138969
organizationalUnitName = Organizational Unit Name (eg, section)
organizationalUnitName_default = QCTEAM Server
commonName = Common Name (eg, fully qualified host name)
commonName_default = *.zhao138969.com
commonName_max = 64
emailAddress = Email Address
emailAddress_default = test@zhao138969.com
emailAddress_max = 64
  • 创建ssl证书subjectAltName描述文件 SAN.ext
    • 哪些ip需要使用https访问,就需要添加对应ip地址
ubjectAltName = @alt_names
extendedKeyUsage = serverAuth
 
[alt_names]
DNS.1 = *.zhao138969.com
IP.1 = 10.130.47.202
IP.2 = 192.168.200.18
  • 创建CA+SSL证书
    • 上面配置文件已经填写相关信息,执行下面命令直接回车确认即可
# 生成CA证书
openssl req -x509 -newkey rsa:4096 -out CA.cer -outform PEM -keyout CA.pvk -days 3650 -verbose -config CA.cnf -nodes -sha256
 
#生成证书请求文件
openssl req -newkey rsa:4096 -keyout server.pvk -out server.req -config server.cnf -sha256 -nodes
 
#生成证书
openssl x509 -req -CA CA.cer -CAkey CA.pvk -in server.req -out server.cer -days 3650 -extfile SAN.ext -sha256 -set_serial 0x1212
  • 最终生成文件如下所示
[devops@db1 ssl_new]$ ls
CA.cer  CA.cnf  CA.pvk  SAN.ext  server.cer  server.cnf  server.pvk  server.req
  • 在nginx配置文件配置上证书文件路径
    ssl_certificate /home/nginx/conf/crt/server.cer;
    ssl_certificate_key /home/nginx/conf/crt/server.pvk;
  • 在到需要访问的pc机器上面导入CA.cer CA证书,需要导入受信任的根证书颁发机构
    ssl证书.png
  • 然后使用https ip的方式进行访问,访问前最好清理下浏览器缓存。
0
nginx
版权归属: 平凡的运维之路
本文链接: http://localhost:8090/archives/nginxzi-qian-ke-shou-xin-zheng-shu
许可协议: 本文使用《署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0)》协议授权

评论区