自签证书生成脚本如下:
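#!/bin/bash
# Generate three certificates into $DIR: one self-signed CA and two server
# certificates (master/slave) signed by that CA.
#
# Requires bash (arrays) and OpenSSL 1.1.1 or newer. `action` comes from
# /etc/init.d/functions (RHEL/CentOS); the original shebang lacked the "!"
# so the script only worked when invoked as `bash certificate.sh`.
. /etc/init.d/functions

# Strict mode is enabled only after sourcing the init functions, which are not
# written to survive -e. -u is deliberately left out for the same reason.
set -eo pipefail

# Index layout per entry <n>:
#   [<n>0]=subject  [<n>1]=private key file  [<n>2]=certificate file
#   [<n>3]=RSA bits [<n>4]=validity (days)   [<n>5]=serial
#   [<n>6]=CSR file (server entries only)
# Entry 0 is the CA, entries 1 and 2 are the server certificates.
# NOTE: serial 0 for the CA is kept from the original output; RFC 5280 requires
# a positive serial, so use >= 1 if a strict client rejects the CA certificate.
CERT_INFO=(
  [00]="/O=KeYun/CN=ca.magedu.com" [01]="cakey.pem" [02]="cacert.pem" [03]=2048 [04]=3650 [05]=0
  [10]="/C=CN/ST=YunNan/L=Kuming/O=KeYun/CN=www.magedu.org" [11]="master.key" [12]="master.crt" [13]=2048 [14]=365 [15]=1 [16]="master.csr"
  [20]="/C=CN/ST=YunNan/L=Kuming/O=KeYun/CN=m.magedu.org" [21]="slave.key" [22]="slave.crt" [23]=2048 [24]=365 [25]=2 [26]="slave.csr"
)
DIR=/apps/nginx/certs/

# Refuse to continue if the target directory is missing: otherwise every key
# would be written to the caller's cwd and the final chmod would hit the wrong
# files (the original `cd $DIR` was unchecked).
cd "$DIR" || { echo "cannot cd to $DIR" >&2; exit 1; }

# Private keys must never be world-readable, not even between generation and
# the chmod at the end of the script.
umask 077

# Temporary extension file for the server certificates; removed on any exit.
EXT_FILE=$(mktemp) || { echo "mktemp failed" >&2; exit 1; }
trap 'rm -f -- "$EXT_FILE"' EXIT

# Run a command quietly, but print its output and abort if it fails. The
# original sent everything to /dev/null, so a failed openssl call went unnoticed
# and the script happily "succeeded" with missing or stale files.
run_quiet() {
  local out
  if ! out=$("$@" 2>&1); then
    printf '%s\n' "$out" >&2
    printf 'command failed: %s\n' "$*" >&2
    exit 1
  fi
}

# Print a banner in bold green (equivalent to the original echo -e \E[1;32m ... \E[0m).
banner() {
  printf '\033[1;32m%s\033[0m\n' "$1"
}

for i in {0..2}; do
  subj=${CERT_INFO[${i}0]}
  key=${CERT_INFO[${i}1]}
  crt=${CERT_INFO[${i}2]}
  bits=${CERT_INFO[${i}3]}
  days=${CERT_INFO[${i}4]}
  serial=${CERT_INFO[${i}5]}

  if (( i == 0 )); then
    # Self-signed CA. -nodes stores the CA key unencrypted, so the directory
    # permissions are the only protection; a production CA key should be
    # passphrase-protected or kept offline.
    run_quiet openssl req -x509 -sha256 -newkey "rsa:${bits}" -subj "$subj" \
      -set_serial "$serial" -keyout "$key" -nodes -days "$days" -out "$crt"
  else
    csr=${CERT_INFO[${i}6]}
    cn=${subj##*/CN=}   # hostname from the subject, e.g. www.magedu.org

    run_quiet openssl req -newkey "rsa:${bits}" -nodes -subj "$subj" \
      -keyout "$key" -out "$csr"

    # `openssl x509 -req` does not carry extensions over from the CSR, so they
    # are supplied via -extfile. A subjectAltName is mandatory: browsers ignore
    # the CN when matching the hostname, so a CN-only certificate is rejected
    # for https://$cn. The leaf is also explicitly marked as a non-CA
    # TLS server certificate.
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' \
      "$cn" > "$EXT_FILE"
    run_quiet openssl x509 -req -sha256 -in "$csr" \
      -CA "${CERT_INFO[02]}" -CAkey "${CERT_INFO[01]}" \
      -set_serial "$serial" -days "$days" -extfile "$EXT_FILE" -out "$crt"
  fi

  banner "**************************************生成证书信息**************************************"
  openssl x509 -in "$crt" -noout -subject -dates -serial
  echo
done

# Public artefacts (certificates, CSRs) may be world-readable; private keys
# stay 0600. The CA key is covered explicitly since it does not end in .key.
chmod 644 *.crt *.csr cacert.pem
chmod 600 *.key cakey.pem
action "证书生成完成"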
nginx配置如下
server {
    # Plain HTTP is still served on port 80 by this same server block; no
    # redirect to HTTPS is shown in this excerpt.
    listen 80;
    listen 443 ssl;
    # Chain file: the server (leaf) certificate must come first, followed by
    # the CA / intermediate certificate(s). nginx treats the first certificate
    # in the file as the server certificate, which is why the CA-first
    # concatenation below had to be redone.
    ssl_certificate /apps/nginx/certs/magedu.org.crt;
    # Unencrypted private key: keep it root-owned, mode 0600.
    ssl_certificate_key /apps/nginx/certs/magedu.org.key;
    ssl_session_cache shared:sslcache:20m;
    ssl_session_timeout 10m;
    ...
}
[root@centos8 certs]#bash /root/certificate.sh **************************************生成证书信息************************************** subject=O = KeYun, CN = ca.magedu.com notBefore=Oct 13 07:07:01 2020 GMT notAfter=Oct 11 07:07:01 2030 GMT serial=00 **************************************生成证书信息************************************** subject=C = CN, ST = YunNan, L = Kuming, O = KeYun, CN = www.magedu.org notBefore=Oct 13 07:07:01 2020 GMT notAfter=Oct 13 07:07:01 2021 GMT serial=01 **************************************生成证书信息************************************** subject=C = CN, ST = YunNan, L = Kuming, O = KeYun, CN = m.magedu.org notBefore=Oct 13 07:07:01 2020 GMT notAfter=Oct 13 07:07:01 2021 GMT serial=02 证书生成完成
[root@centos8 certs]#ll
total 32
-rw-r--r-- 1 root root 1143 Oct 13 15:07 cacert.pem
-rw------- 1 root root 1704 Oct 13 15:07 cakey.pem
-rw-r--r-- 1 root root 1086 Oct 13 15:07 master.crt
-rw-r--r-- 1 root root 985 Oct 13 15:07 master.csr
-rw------- 1 root root 1704 Oct 13 15:07 master.key
-rw-r--r-- 1 root root 1082 Oct 13 15:07 slave.crt
-rw-r--r-- 1 root root 980 Oct 13 15:07 slave.csr
-rw------- 1 root root 1704 Oct 13 15:07 slave.key
#把服务器证书和CA证书合并成一个证书链文件(注意顺序:服务器证书在前、CA证书在后,下面第一次合并的顺序是错的)
[root@centos8 certs]#cat cacert.pem master.crt > magedu.org.crt
[root@centos8 certs]#mv master.key magedu.org.key
用这个合并后的证书文件启动/检测 nginx 时报错(原报错输出在此处缺失):
后来发现是合并证书时 CA 证书和服务器证书的顺序反了:nginx 把 ssl_certificate 文件中的第一张证书当作服务器证书并与 ssl_certificate_key 配对,后面的证书才是证书链(CA/中间证书),所以必须先写服务器证书 master.crt,再写 cacert.pem。
修正如下:
[root@centos8 certs]#cat master.crt cacert.pem > magedu.org.crt
[root@centos8 certs]#nginx -t
nginx: the configuration file /apps/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /apps/nginx/conf/nginx.conf test is successful
查看证书