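Self-signed SSL certificates

Self-signing

  • Generate the CA private key (genrsa without a cipher option writes ca.key unencrypted, so restrict access to the file)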

    openssl genrsa -out ca.key 2048
  • Generate the CA certificate

    openssl req -sha256 -new -x509 -days 7300 -key ca.key -out ca.crt \
        -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Zhxlp/OU=IT/CN=Zhxlp Root CA"
  • View the CA certificate details

    openssl x509 -in ca.crt -text -noout
  • Generate the server private key

    openssl genrsa -out server.key 2048
  • Generate the server certificate signing request (CSR)

    openssl req -new -sha256 -key server.key \
        -subj "/C=CN/ST=Guangdong/L=Shenzhen/O=Zhxlp/OU=IT/CN=www.zhxlp.com" \
        -reqexts SAN \
        -config <(cat /etc/pki/tls/openssl.cnf \
            <(printf "[SAN]\nsubjectAltName=DNS:www.zhxlp.com,DNS:zhxlp.com,DNS:localhost,IP:127.0.0.1")) \
        -out server.csr
  • View the server certificate signing request (CSR)

    openssl req -in server.csr -noout -text
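  • Generate the server certificate (the SAN section is passed again through -extfile because openssl x509 -req does not copy extensions from the CSR by default)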

    openssl x509 -req -days 365 \
        -CAserial server.srl -CAcreateserial \
        -in server.csr -CA ca.crt -CAkey ca.key  \
        -extensions SAN \
        -extfile <(cat /etc/pki/tls/openssl.cnf \
            <(printf "[SAN]\nsubjectAltName=DNS:www.zhxlp.com,DNS:zhxlp.com,DNS:localhost,IP:127.0.0.1")) \
        -out server.crt
  • View the server certificate details

    openssl x509 -in server.crt -noout -text
  • Merge the certificates into a full chain

    cat server.crt ca.crt > fullchain.crt
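
A check to run after the steps above, as an added example that is not part of the original page: it rebuilds the same CA and server certificate in a scratch directory and verifies the chain, the key pairing and the SAN. The helper names make_pki and check_cert, the files min.cnf and nosan.crt, the shortened subjects, and the minimal config used in place of /etc/pki/tls/openssl.cnf are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the page. All keys and certificates are constructed test data.
SAN='subjectAltName=DNS:www.zhxlp.com,DNS:zhxlp.com,DNS:localhost,IP:127.0.0.1'

make_pki() {  # $1 = scratch directory
    pd=$1
    # Minimal config: CA extensions for the root, [SAN] section for the server.
    printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n[SAN]\n%s\n' "$SAN" > "$pd/min.cnf"
    openssl genrsa -out "$pd/ca.key" 2048 2>/dev/null
    openssl req -sha256 -new -x509 -days 7300 -key "$pd/ca.key" -config "$pd/min.cnf" \
        -subj "/C=CN/O=Zhxlp/CN=Zhxlp Root CA" -out "$pd/ca.crt"
    openssl genrsa -out "$pd/server.key" 2048 2>/dev/null
    openssl req -new -sha256 -key "$pd/server.key" -config "$pd/min.cnf" -reqexts SAN \
        -subj "/C=CN/O=Zhxlp/CN=www.zhxlp.com" -out "$pd/server.csr"
    # As on the page: the SAN section is supplied again at signing time.
    openssl x509 -req -days 365 -in "$pd/server.csr" -CA "$pd/ca.crt" -CAkey "$pd/ca.key" \
        -CAserial "$pd/server.srl" -CAcreateserial \
        -extfile "$pd/min.cnf" -extensions SAN -out "$pd/server.crt" 2>/dev/null
    # Common mistake: no -extfile, so the SAN requested in the CSR is dropped.
    openssl x509 -req -days 365 -in "$pd/server.csr" -CA "$pd/ca.crt" -CAkey "$pd/ca.key" \
        -CAserial "$pd/server.srl" -out "$pd/nosan.crt" 2>/dev/null
}

check_cert() {  # $1 = CA cert, $2 = server cert, $3 = server key, $4 = DNS name
    # 1. The server certificate must chain to the CA.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "chain"; return 1; }
    # 2. The private key must belong to the certificate (compare public keys).
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$3" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "key"; return 2; }
    # 3. The name must be covered. OpenSSL falls back to the CN when a certificate
    #    has no SAN at all, so test with a name that appears only in the SAN.
    openssl x509 -in "$2" -noout -checkhost "$4" | grep -q 'does match' \
        || { echo "name"; return 3; }
    echo "ok"
}

if [ "${1:-}" = "demo" ]; then
    dir=$(mktemp -d)
    make_pki "$dir"
    check_cert "$dir/ca.crt" "$dir/server.crt" "$dir/server.key" zhxlp.com
    check_cert "$dir/ca.crt" "$dir/nosan.crt"  "$dir/server.key" zhxlp.com
    rm -rf "$dir"
fi
```

Run the script with the argument demo to see "ok" for the certificate signed with -extfile and "name" for the one signed without it.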

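Installation

Windows

  • Install the CA

    certutil -addstore -f Root ca.crt
  • View the CA

    certutil -store Root
  • Remove the CA (replace the placeholder with the certificate's thumbprint)

    certutil -delstore -f Root <certificate thumbprint>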
