  OpenSSL: Generating a Custom Certificate

    Introduction

    This post records how to generate a custom (self-signed) certificate with OpenSSL and make the browser trust it.

    Prerequisites

    • Linux CentOS 7 system
    • nginx 1.12.2
    • Windows 10
    • IE 11
    • Chrome 71

    OpenSSL configuration

    The OpenSSL configuration is modified on the Linux system so that Chrome will trust the site's certificate.

    1. Copy the OpenSSL configuration file before modifying it

      # cd /etc/pki/tls/
      # cp openssl.cnf openssl_m.cnf
    2. Edit the openssl_m.cnf file

      # vi /etc/pki/tls/openssl_m.cnf

      a. Find the [ req ] section and add the req_extensions = v3_req setting:

      ####################################################################
      [ req ]
      default_bits = 2048
      default_md = sha256
      default_keyfile = privkey.pem
      distinguished_name = req_distinguished_name
      attributes = req_attributes
      x509_extensions = v3_ca # The extensions to add to the self signed cert
      # setting to add
      req_extensions = v3_req

      b. Add the v3_req settings

      [ v3_req ]
      # Extensions to add to a certificate request
      basicConstraints = CA:FALSE
      keyUsage = nonRepudiation, digitalSignature, keyEncipherment
      # setting to add
      subjectAltName = @alt_names

      c. Add the alt_names section; several names can be listed

      [ alt_names ]
      DNS.1 = www.test.com

      Note: the names entered here are the Subject Alternative Names (SAN) domain names.

    Generating the certificate

    Generate it directly with a script

    #!/bin/bash
    # create self-signed server certificate:
    read -p "Enter your domain [www.example.com]: " DOMAIN
    DOMAIN=${DOMAIN:-www.example.com}   # apply the default shown in the prompt
    echo "Create server key..."
    openssl genrsa -des3 -out "$DOMAIN.key" 2048
    echo "Create server certificate signing request..."
    SUBJECT="/C=US/ST=Mars/L=iTranswarp/O=iTranswarp/OU=iTranswarp/CN=$DOMAIN"
    #openssl req -new -subj $SUBJECT -key $DOMAIN.key -out $DOMAIN.csr -extensions v3_req
    openssl req -new -subj "$SUBJECT" -key "$DOMAIN.key" -out "$DOMAIN.csr"
    echo "Remove password..."
    # keep the encrypted original, write an unencrypted copy for nginx
    mv "$DOMAIN.key" "$DOMAIN.origin.key"
    openssl rsa -in "$DOMAIN.origin.key" -out "$DOMAIN.key"
    echo "Sign SSL certificate..."
    # the v3_req section of the modified config supplies the SAN extension
    openssl x509 -req -days 3650 -extfile /etc/pki/tls/openssl_m.cnf -extensions v3_req -in "$DOMAIN.csr" -signkey "$DOMAIN.key" -out "$DOMAIN.crt"
    echo "TODO:"
    echo "Copy $DOMAIN.crt to /etc/nginx/ssl/$DOMAIN.crt"
    echo "Copy $DOMAIN.key to /etc/nginx/ssl/$DOMAIN.key"
    echo "Add configuration in nginx:"
    echo "server {"
    echo " ..."
    echo " listen 443 ssl;"
    echo " ssl_certificate /etc/nginx/ssl/$DOMAIN.crt;"
    echo " ssl_certificate_key /etc/nginx/ssl/$DOMAIN.key;"
    echo "}"

    The key point is -extfile /etc/pki/tls/openssl_m.cnf -extensions v3_req, which adds the extension attributes (including the SAN) to the certificate.
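    As an added example (not the post's script), the following shell functions build the same kind of certificate from a temporary extension file instead of a modified /etc/pki/tls/openssl_m.cnf, then check the result: san_of prints the SAN a browser will see, and signing once with and once without the extension file shows why the -extfile/-extensions step matters. The function names, paths and subject fields are assumptions; only the openssl CLI is required.

```shell
#!/bin/sh
# Added example (not from the original post): build a SAN certificate the way
# the post does (-extfile/-extensions v3_req) without editing /etc/pki/tls,
# then inspect what a browser will see. All paths and names are constructed.
set -eu

# Write a minimal extension file mirroring the post's [ v3_req ] / [ alt_names ];
# each argument becomes one DNS.n entry.
write_ext_file() {
    out=$1; shift
    {
        printf '[ v3_req ]\nbasicConstraints = CA:FALSE\n'
        printf 'keyUsage = nonRepudiation, digitalSignature, keyEncipherment\n'
        printf 'subjectAltName = @alt_names\n\n[ alt_names ]\n'
        i=1
        for name in "$@"; do printf 'DNS.%d = %s\n' "$i" "$name"; i=$((i + 1)); done
    } > "$out"
}

# Key plus CSR for DOMAIN in DIR. -nodes gives an unencrypted key, so the
# post's "remove password" step is unnecessary.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/C=US/ST=Mars/O=Test/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Self-sign the CSR. With the ext file the SAN is added (the post's fix);
# without it the cert only carries a CN, which Chrome 58+ ignores.
sign_csr() {       # sign_csr DIR DOMAIN OUT [EXTFILE]
    if [ -n "${4:-}" ]; then ext="-extfile $4 -extensions v3_req"; else ext=""; fi
    openssl x509 -req -days 3650 -sha256 -in "$1/$2.csr" -signkey "$1/$2.key" \
        $ext -out "$3" 2>/dev/null
    echo "$3"
}

# Print the SAN line of a certificate; empty when the extension is absent.
san_of() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n1 | sed 's/^ *//'
}

# Succeed only if every expected DNS name appears in the SAN.
san_has_all() {
    sans=$(san_of "$1"); shift
    for name in "$@"; do
        case "$sans" in *"DNS:$name"*) ;; *) return 1 ;; esac
    done
}

# Verify the cert against itself as trust anchor, as the post's root-store import does.
self_trusts() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }
```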

    Configuring nginx

    1. Copy the generated xxx.crt and xxx.key to /etc/nginx/ssl/
    2. Edit nginx.conf

      server {
          ssl on;
          ssl_certificate /etc/nginx/ssl/www.test.com.crt;
          ssl_certificate_key /etc/nginx/ssl/www.test.com.key;
          listen 443 default_server;
          listen [::]:443 default_server;
      }
    3. Restart the nginx service

    Importing the certificate

    1. Copy www.test.com.crt to the Windows machine
    2. Double-click www.test.com.crt to open it
    3. Click "Install Certificate"
    4. Select "Local Machine" and click "Next"
    5. Select "Place all certificates in the following store" and click "Browse"
    6. Select "Trusted Root Certification Authorities" and click "OK"
    7. Click "Next", then "Finish"

    Visit the site again

    Original source: https://www.cnblogs.com/lijianming180/p/12239873.html