根证书
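# Generate the root CA private key (4096-bit RSA).
# The key is written unencrypted, so create it under a restrictive umask so
# that only the owner can read it. Keep ca.key off the web server: whoever
# holds it can issue certificates that every device trusting ca.crt accepts.
(umask 077 && openssl genrsa -out ca.key 4096)
# Self-sign the root certificate, valid for 100 years (36500 days).
# No -config is passed, so the subject is prompted for interactively and the
# certificate extensions come from the system's default openssl.cnf. Verify the
# result with `openssl x509 -in ca.crt -noout -text` and confirm it shows
# CA:TRUE under Basic Constraints before installing it on any device.
openssl req -new -x509 -key ca.key -out ca.crt -days 36500
配置文件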
新建ssl.conf 文件
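# ssl.conf: OpenSSL request configuration for the website (leaf) certificate.
# It is read when the CSR is created (-config ssl.conf) and again when the CA
# signs it (-extfile ssl.conf -extensions req_ext).
[req]
# Only used when openssl generates the key itself; ignored when -key is passed.
default_bits = 4096
# Digest used to sign the request.
default_md = sha256
distinguished_name = req_distinguished_name
req_extensions  = req_ext
[req_distinguished_name]
# Each "<field>" line is the interactive prompt text; "<field>_default" is the
# value used when the prompt is answered with Enter.
countryName                 = Country Name (2 letter code)
countryName_default         = CN
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = ShangHai
localityName                = Locality Name (eg, city)
localityName_default        = ShangHai
organizationName            = Organization Name (eg, company)
organizationName_default    = ayw.ink
commonName                  = Common Name (e.g. server FQDN or YOUR name)
commonName_max              = 64
commonName_default          = ayw.ink
[req_ext]
# Mark the certificate as an end-entity certificate so it cannot be used to
# sign further certificates.
basicConstraints = CA:FALSE
# Restrict the RSA key to TLS server use. Apple platforms require the
# serverAuth extended key usage on TLS server certificates.
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
# Clients match the host against these entries, not against commonName.
# List only the addresses and names this server really answers on; the values
# below are the author's examples. A wildcard covers a single label level.
IP.1   = 1.1.1.1
DNS.1   = ayw.ink
DNS.2   = *.ayw.ink
网站证书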
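# Generate the website private key (4096-bit RSA), readable by its owner only.
(umask 077 && openssl genrsa -out private.key 4096)
# Create the certificate signing request from the website key; the subject
# prompts and the requested extensions are taken from ssl.conf.
openssl req -new -out private.csr -key private.key -config ssl.conf
# Sign the request with the root CA.
# Validity is 825 days rather than 100 years: Apple platforms (iOS 13 /
# macOS 10.15 and later) reject TLS server certificates that are valid for
# longer than 825 days, even when the issuing root was installed by the user.
# Those clients also require extendedKeyUsage = serverAuth in the req_ext
# section of ssl.conf. Re-issue the certificate before it expires.
# -extfile/-extensions are needed because `x509 -req` does not copy the
# extensions from the CSR on its own; -CAcreateserial writes the serial-number
# file next to the CA certificate on first use.
openssl x509 -req -sha256 -days 825 -in private.csr -out private.crt -CA ca.crt -CAkey ca.key -extfile ssl.conf -extensions req_ext -CAcreateserial
# Files produced above: ca.crt (root certificate to install on clients) and
# private.crt / private.key (server certificate and key). The paragraph below
# appears to refer to them as CA.cer, server.cer and server.key.
# ca.key is not needed by Nginx and should not be copied to the server.
# For mutual TLS each client also needs its own certificate and key signed by
# this CA; the commands on this page do not generate those.
配置https双向认证时其中CA.cer是用来安装在浏览器、安卓和苹果设备上的根CA信任证书,server.cer和server.key以及CA.cer是放在服务端的证书和key文件以及CA证书,在Nginx中配置即可。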

