Generate the root certificate
Generate the key
openssl genrsa -out ca-key.pem 2048
Generate the CSR
openssl req -new -key ca-key.pem -out ca-req.csr -subj "/C=CN/ST=JS/L=NJ/O=falcon/OU=falcon/CN=CA"
Generate the certificate
openssl x509 -req -in ca-req.csr -out ca-cert.pem -signkey ca-key.pem -sha256 -days 3650
Generate the server certificate (the one nginx serves)
Generate the key
openssl genrsa -out server-key.pem 2048
Generate the CSR
openssl req -new -out server-req.csr -key server-key.pem -subj "/C=CN/ST=JS/L=NJ/O=falcon/OU=app/CN=*.test.com"
Generate the certificate
Browsers match the host name against the subjectAltName extension, not against the CN (and the CN field cannot hold a comma-separated list), so the names are supplied as an extension at signing time. -signkey is deliberately left out: it means "self-sign with this key", and on OpenSSL 1.1.x it takes precedence over -CA, so the resulting certificate would not be signed by the CA you later import. The <(...) form below is bash process substitution; in plain sh, write the subjectAltName line to a file and pass it with -extfile instead.
openssl x509 -req -in server-req.csr -out server-cert.pem -sha256 -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -days 3650 -extfile <(printf 'subjectAltName=DNS:*.test.com,IP:192.168.0.118,DNS:localhost\n')
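A runnable check for the whole procedure above, added here as an example and not part of the original page: it builds the CA and the CA-signed server certificate in a scratch directory (same subjects and names as the page, with the SAN in an extension file so it works in plain sh) and then checks the two properties that make the browser trust the site once the CA is imported: the server certificate verifies against the CA, and the host names are present in subjectAltName. It also checks that the server certificate is not self-signed, which is the symptom of the -signkey mistake. The scratch directory and file names are assumptions of this example; it only needs the openssl binary.

```shell
#!/bin/sh
# Added example, not from the original page: generate CA + CA-signed server cert
# and verify the result. Works with OpenSSL 1.1.1 or 3.x.
set -eu

WORK=$(mktemp -d)          # scratch directory (assumed); delete it when done
cd "$WORK"

# --- CA: key and self-signed certificate (req -x509 sets basicConstraints CA:TRUE)
openssl genrsa -out ca-key.pem 2048 2>/dev/null
openssl req -x509 -new -key ca-key.pem -sha256 -days 3650 -out ca-cert.pem \
  -subj "/C=CN/ST=JS/L=NJ/O=falcon/OU=falcon/CN=CA"

# --- Server: key, CSR, and an extension file with the names browsers actually check
openssl genrsa -out server-key.pem 2048 2>/dev/null
openssl req -new -key server-key.pem -out server-req.csr \
  -subj "/C=CN/ST=JS/L=NJ/O=falcon/OU=app/CN=*.test.com"
cat > server-san.ext <<'EOF'
subjectAltName=DNS:*.test.com,IP:192.168.0.118,DNS:localhost
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
EOF
# Sign with the CA key. No -signkey here: that would self-sign with the server key.
openssl x509 -req -in server-req.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial \
  -sha256 -days 3650 -extfile server-san.ext -out server-cert.pem 2>/dev/null

# verify_chain CA CERT: exit 0 if CERT chains to CA (what the browser checks after import)
verify_chain() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# has_san CERT NAME: exit 0 if NAME (e.g. "DNS:localhost") is listed in the SAN extension
has_san() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | grep -qF -- "$2"
}

# is_self_signed CERT: exit 0 if issuer equals subject
is_self_signed() {
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')
  sub=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')
  [ "$iss" = "$sub" ]
}

# Report when run directly
verify_chain ca-cert.pem server-cert.pem && echo "server-cert.pem chains to ca-cert.pem"
has_san server-cert.pem 'DNS:localhost' && echo "SAN contains DNS:localhost"
is_self_signed server-cert.pem || echo "server-cert.pem is CA-signed, not self-signed"
echo "artifacts in $WORK"
```

If the page's original signing command (with -signkey server-key.pem) is substituted for the signing step, is_self_signed succeeds on server-cert.pem and verify_chain fails on OpenSSL 1.1.x, which is exactly why Chrome keeps rejecting the site even after the CA is trusted.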
Configure nginx (replace "address" in server_name with the host name the certificate covers)
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/server-cert.pem;
    ssl_certificate_key /etc/nginx/ssl/server-key.pem;
    server_name address;
    access_log /var/log/nginx/host.access.log main;
    error_log /var/log/nginx/error.log error;
    location / {
        root /usr/share/nginx/html;
        index index.html index.htm;
    }
    ...
}
Access
Browser access before the CA is imported
Newer versions of Chrome no longer allow access until the CA is trusted.
Import the certificate into the browser (on macOS: add the certificate in Keychain Access)
- Select the "login" keychain, then choose File -> Import Items from the menu
- Import the CA certificate itself; that way, every other certificate signed by this CA is also trusted by the browser
- Double-click the imported CA and change its trust setting to "Always Trust"