1.首先生成根证书和私钥,我全部保存在D:\
openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -subj "/C=CN/ST=JiangSu/L=SuZhou/O=LinkAsia" -keyout D:/CA-private.key -out D:/CA-certificate.crt -reqexts v3_req -extensions v3_ca
2.生成自签名证书私钥 private.key
openssl genrsa -out D:/private.key 2048
3.根据自签名证书私钥生成自签名证书申请文件 private.csr
openssl req -new -key D:/private.key -subj "/C=CN/ST=JiangSu/L=SuZhou/O=LinkAsia/CN=127.0.0.1" -sha256 -out D:/private.csr
4.在D:/手动创建一个private.ext文件
内容如下
[ req ]
default_bits = 1024
distinguished_name = req_distinguished_name
req_extensions = san
extensions = san
[ req_distinguished_name ]
countryName = CN
stateOrProvinceName = Definesys
localityName = Definesys
organizationName = Definesys
[SAN]
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = IP:127.0.0.1
5.根据根证书私钥及根证书-CA CA-certificate.crt -CAkey CA-private.key、自签名证书申请文件 -in private.csr、自签名证书扩展文件 -extfile private.ext,生成自签名证书 -out private.crt
openssl x509 -req -days 36500 -in D:/private.csr -CA D:/CA-certificate.crt -CAkey D:/CA-private.key -CAcreateserial -sha256 -out D:/private.crt -extfile D:/private.ext -extensions SAN
6.在nginx中配置
7.安装 CA-certificate.crt到受信任的根证书颁发机构下
8.安装好的证书信息
9.最终访问效果
